A look at Windows Autopatch to solve all your Windows patching!

Video Statistics and Information

Captions
Hey everyone, in this video I wanted to explore the Windows Autopatch service, something really designed to take away a lot of the stress and the overhead of patching our Windows environment. As always, if this is useful, a like and subscribe is appreciated.

Now if we think about our environments, we patch for many different reasons. There are the obvious reasons where we just think about health: there are overall bugs found in software, there are challenges, there are performance optimizations, so for the overall health of our device we patch to make things better. We also patch for security reasons: hey, there is some vulnerability, there's some new CVE, so we patch to resolve that, to remove that possible exposure. When we think about security, patching is a huge part of that. Many times companies are attacked and vulnerabilities are exposed and utilized that have already been patched; it's simply that the organization has not rolled out that patch to their environment yet. So hey, the fix is there, but maybe because of a process, because of time, they've not rolled it out in a timely manner, so people exploit it. So it's really important as part of our security posture to get patches rolled out in a very timely manner. But they can also be related to functionality. If we think for example about Windows client, yes we have the idea of quality updates, Patch Tuesday, etc., and then you get the feature updates which deliver ongoing new units of functionality.

So if I think about that idea of patching, absolutely we have the operating system, and as I've really just mentioned there's that idea of quality updates, that Patch Tuesday, and maybe in between, if there is some zero-day, that's something to consider as well: hey, that's going to get released kind of out of the regular band and we want to get that deployed as quickly as possible. Then obviously there are those feature updates. So I can think about different things associated with the operating system, but then there are key applications on top of that. I might think for example about Edge; Edge has its own update mechanisms. We might be using Office, so we have the Microsoft 365 applications, and then as part of that we have Teams. And this is the focus today when we think about Windows Autopatch.

Now you may say, hey look, Windows has the button I can click and auto update, I'm good. That's generally not an acceptable answer for organizations. If I think about an organization, I think about these patches and actually deploying them out to my organization. Well, there is a chance a patch could actually introduce a problem. Sometimes we have a driver, you have an application that's using maybe some undocumented API; well, that undocumented API maybe gets closed or modified as part of some update. So we don't really like to just hit every machine in our 10,000-machine company, or a hundred thousand, or ten; it's really all levels. I don't want to just roll that out to everyone all in one go. What I really want is to get some confidence, starting off small and getting gradually bigger sets of the population to increase my confidence as I roll it out to more and more of the organization. And the way we do that for our deployments is we like to use the idea of rings. What's very, very typical is I'll have a very, very small part of the population for testing, then maybe a larger part of the population where I have some hero users, where I have people from each line of business group to test each kind of business application, then a bigger group so I can get even more confidence across a wider range of devices and applications, and then we think about the broader rollout to everything. And as all of this is happening I can think that my confidence is growing: I'm getting more confidence as I've rolled it out to incrementally larger populations, hey, I'm not seeing a problem, things are looking good, I feel comfortable with going to that next ring for more and more machines.

But to facilitate this type of thing, well, I need solutions. I need solutions around tooling: how I'm managing those rings, how am I putting machines into those rings, as new machines are onboarded which ring do they go in, how do I take them out, how do I monitor what's happening, if I see a problem how do I know there's a problem, how do I react quickly enough. And so that really then bleeds into the idea that there's a whole bunch of IT admin work, headache and stress related to patching. And I do have to think about, hey, how do I handle a zero-day? What do I do if there is some hideous new vulnerability found? Hey, the patch is released, how do I get it out as quickly as possible? And as you would expect, this would be a pretty depressing talk, but the answer here is Windows Autopatch.

And the key thing I feel about Windows Autopatch is, right now I think times are challenging financially, companies are struggling, there's a huge focus on doing more with less, and I think Windows Autopatch has really been introduced as a key part of that. It's not something new I have to buy; it's simply new functionality that is lit up based on my existing licenses. Now there are functionalities this leverages, so I have to own those. This isn't saying I have nothing to buy, but if I own the prerequisites I can now just start taking advantage of this. So the whole point is: take the stress of patching away from the IT administrators, let them go and focus on other things that may be more useful, that are going to light up more business productivity for the organization.

So how does this work? The whole point around this is, I think about me as an organization: I have my Azure AD tenant, and it's all based around starting at the Azure AD tenant. So I have my Azure AD instance for my company. Now the key point here is the users have to populate in here; my devices are registered or joined, one of those two things, to my Azure AD, so I have them in there. Now in terms of what are the requirements to use this today, what's required is Windows E3 or above, so E5. There are many different SKUs that include those, but I have to have Windows E3 or above. The devices have to be managed by Intune, so I need Intune, because it's really that that's going to drive a lot of the functionality that Windows Autopatch requires. And it also talks about Azure AD Premium, so P1 or above. I think that's a lot around the co-management scenarios, but it does still list that Azure AD Premium needs to be lit up on the tenant, so I have to have Azure AD Premium on the tenant. So if I have Windows E3, if I have Intune and Azure AD Premium on my tenant, well now, as long as I'm a global admin, I can enroll.

So my first step is to actually go through and say I want to enroll in Windows Autopatch, and it's a very, very simple process. I'm actually going to go over to here, and I'm borrowing someone else's tenant because they have some nice devices; they were kind enough to lend this to me. So what I would actually be able to do is, in the Microsoft Endpoint Manager admin center, so endpoint.microsoft.com, I would go to Tenant administration. You can see we have this Tenant administration option down here. That is already onboarded, but what I'd see, providing I'm meeting the requirements for this, is Windows Autopatch, and I'd go and select Windows Autopatch and it will give me the enroll option. Now as part of that it's going to go and check a number of things. So it's going to go and check, hey, I meet those requirements; it's going to ask me for a few pieces of information; it's going to ask me for some contact details; and then once it's gone through that, it will then go and complete the enrollment of my tenant into Windows Autopatch. And it's going to do a number of things as part of that enrollment. The first thing it's going to do is create some groups.

Now I'm enrolling my tenant, so you might think, well, does that mean it has to manage every single device? No, I have control over which devices I want to enroll in Autopatch, and the way it's going to do that is it creates a group called Windows Autopatch Device Registration. So until a machine is placed into that group it's not going to be managed by the Windows Autopatch service. Now I can add devices into this group a number of ways. I can obviously just manually add devices into it. If I'm using Windows 365, so the cloud PC, as part of the provisioning process, when I create provisioning policies with Windows 365 you'll actually see there's now an option for extra services, and one of those is Autopatch. So if I check that as part of the provisioning policy, as it creates my cloud PC it can then go and enroll it in Autopatch to keep it current. I also can nest groups inside here, so I could add groups. Now it might be I have an existing group where I've maybe manually added machines, or I have dynamic rules for the PCs that I happen to want. I might add multiple groups. It might be I create a new dynamic group and nest it in here that maybe just all devices get added to. So the key part is I can add groups, so I can nest, and I can absolutely take advantage of things like dynamic groups, so that as new devices get onboarded into my Azure AD, well, they then automatically get added to the dynamic group which I've nested inside the Windows Autopatch Device Registration group. So I don't have to do anything: hey, devices get known to my Azure AD, they get added to the group, they get added into this device registration, so at this point they now become known and managed by Autopatch.

Now there is another step that has to happen: it will actually go and check them. If we were to go and look over here for a second, well, firstly we can see the group. So if I just go and look at groups for a second and I scroll down to the bottom, absolutely you'll see that Windows Autopatch Device Registration group, so the machines in there will then get managed as part of Windows Autopatch. But there is another step. If I go and look at Devices, then we'll see there's a Windows Autopatch section where I can select my devices. Again it does then go and do a check. So it's going to go and poll that group periodically, I think every few hours; you'll notice I can go and hit Discover devices to accelerate that along. But it will then go and check the PCs in that group and it's going to go and check if they meet the prerequisites. So when I think about prerequisites: is it managed by Intune (it has to be managed by Intune); is it not already managed by Autopatch; is it Windows 10 or Windows 11; is it Pro or Enterprise, so it has to be one of those SKUs; and if I am using co-management, so I have Configuration Manager as well, well, I have to have some of the key workloads managed by Intune. If I think about Windows Update policies, device configuration, Office Click-to-Run, those have to be the responsibility of Intune. So it's going to go and check all of those things. Assuming it passes all of the prereqs, then we can see they're sitting nicely in here, and they're sitting in the Ready tab. It also has a Not ready tab, so if for some reason there was a problem it will go and sit in that Not ready; I'll get some ideas of why and I can maybe go and take some actions around that. But for right now we're focused on the Ready. Notice it shows us the model, so I can see, hey, these are VMs, but I could also see for example information from the OEM; I would see if it's a cloud PC from Windows 365. So I get some great information.

OK, but now what? Let's think back to the workloads this supports, and we'll start off with the idea of the operating system. So I can think, OK, we'll go orange, so we have the OS, so we have our operating system, and once again if I think about the operating system it is Windows 10 or 11, Pro or Enterprise. And if we think back to what we saw, remember there are different types of updates we want handled very, very differently. Obviously we have the whole Patch Tuesday, so I have quality updates; these we want rolled out using rings ideally, so we get confidence, but I want to be pretty quick: I want to get these available and rolled out to my organization maybe within a couple of weeks. We also have the idea of feature updates. Now remember, feature updates are a lot less frequent, but they add functionality, they may change the user experience, so I probably want an even bigger gap between the different stages, between my rings, so that I get more time to see the user behavior. If it's any kind of change, maybe there's calls to my help desk, not because there's a problem, just because something's moved, so I'm getting calls to my help desk. So I might want to stagger these out even more to get more confidence, to give users more time so they can make those calls to the help desk, so we don't overload them, and then they can go and help other people. So that's the feature side. And then obviously we do have those zero-days, and just to really emphasize this we'll do that in a different color: zero-day, some critical exposure that, hey, has been shown out in the wild, or it's been discovered and not really used yet, but we want to get this out as quickly as possible.

So for all of these things, when I think about this quality and feature, I want to use rings. I want to have this idea of getting that confidence, ever-increasing percentages of my device population, and Windows Autopatch uses four rings. It has a ring called Test, it has a ring called First, it has a ring called Fast, and then it has a ring called Broad. And if we think about the idea of ever-increasing percentages of our population: there is no one added by default to Test, we're going to come back to that, but the target percentage for First is one percent, the target population for Fast is nine percent, and the target population for Broad, well, we can do math, is ninety percent. And these are actually groups created in your Azure AD. So if we go and look at our groups for a second back over here, now I don't have to mess with these at all, but we will see these Modern Workplace Devices-Windows Autopatch groups; we can see there's three and there's the other one, and those have those names. So let's make that a little bit bigger: we can see, hey, yeah, OK, Test, First, Fast and Broad. So it's creating groups to represent each of those, but we're also going to see them when I go to that Autopatch Devices view, and we just see the group.

Now what's happened here is they're all Test, Fast or First, because obviously they're testing, they're playing around, they've moved the devices around, they've moved them all out of Broad. And that is actually part of the point of this. So what's happening is they are automatically balanced when they are brought in, and what I mean by that is, as the devices are brought in and as they're added to the Windows Autopatch Device Registration group, when they pass the prereqs, at that point that balancing is applied. So it will automatically take them, and from this group also add them to First, Fast and Broad, and the way it's going to add them is it's going to try and keep these ratios: one percent, nine percent, ninety percent. So it's going to spread them out over those. But I can also manually move machines. It is not really using any advanced machine learning at this point; it's not looking at which line of business apps are installed on different machines, or what the vendor or OEM is for this type of hardware, to try and get those distributions. It really is just trying to hit one percent, nine percent, ninety percent. So I as the administrator initially am absolutely going to want to go and move some machines. For example, if I have some IT administration test machines, well, I'm going to go and move those machines into Test so that I really monitor those machines closely, from whatever ring they happened to be in. I'm also likely to go and put some machines into First; remember I want a sampling maybe from all the key line of business applications, those hero users, so they're going to go in and see those. Likewise, there are some I'm going to move out: I want to put my CEO, my CFO into Broad; I don't want them in First. So there's going to be some massaging initially.

When I move them manually it does not do a rebalancing, so the way it will then get back to these percentages is, as new devices are added, it will add them to whichever group is furthest away from its target percentage. Since this one only had seven percent, but these were kind of close to ninety and one, it's going to put something in Fast. So I can absolutely manually move machines around, and we can see that right here, and this is what obviously has happened in this environment, which is why there's no Broad. But I can go and select machines and I can say Device actions, Assign device group. So if I had my CFO's, my CEO's machine, for example, I could assign device group and I say I want to put them in Broad, and then I would hit Save. So I can absolutely move them, and likewise if it was some IT test machines, hey, I want to put them in Test. So I can go and move things around as I need to. Also notice you do have the Deregister option, so if there were some machines I actually want to take out of the control of Autopatch, it's super easy: select them and select Deregister. It's not destructive; it's not removing it from Azure AD or Intune's management or anything like that. It's just going to remove it from the Autopatch sphere of control. So definitely I think initially you're going to go and do a little bit of movement around those.

If I also went and looked at policies, for example, you'll see the four rings here as well. You'll see, if I could actually get this, I can't do it, but you can see those four rings are here, and you'll also notice this quality deferral. So this is Test zero, this would be First one, Fast six and Broad nine. So what is this all about? What is this deferral thing? Well, it comes back to the idea of what's the whole point of rings. The whole point of rings is, as there are updates, let's say quality, initially I don't want them to hit all the machines at once. I want them to hit a certain population, then after a period of time the next, then after the next period of time the next, etc. And so you have this idea, so we start with quality, of how it is making those available. And so what it's going to do for the Test ring is they're available straight away; there's zero deferral. For First there is a one-day deferral and also I have a two-day deadline. So what happens with the user experience is they'll start getting those notifications, nag messages, but they can push it off for up to two days. So it's going to wait a day, then make it available to the users, and they'll have two days to defer. Now after that two days it's then going to go into enforcement mode: it will force them to install, it will start ignoring those active hours and just make them do the reboot. For Fast it's six plus two, and for Broad it's nine plus five.

And these are all documented, so if we go and look at the documentation for a second over here we can see exactly this. So it's showing me here: standard release, Test group, there's no deferral; First group is one day deferral and then two days deadline; Fast is six and two; Broad is nine and five. And notice you have this idea of a grace period. The grace period is focused around the idea that, imagine I'm on vacation and my machine was just turned off and both the deferral and deadline have passed. I turn my machine on: it's going to give me a grace period so it doesn't make me reboot instantly. It's going to add that grace period, so in this case for example two days I would have if my machine hasn't been running, but hey, I can now go back and go and use that. So we have those options available to us.

But do notice Expedited is zero. It is not using the rings at all. So when we think about this idea of a zero-day, the whole point of this is now; it's basically now plus one. It's not using the rings, it's expedited, and this is Microsoft making this decision: they push this down, it's not using the rings, it's just going to get that out as quickly as possible, which is what you want. This is a zero-day, this is an important thing; I want this pushed out to my environment as quickly as possible. Again, normally it's going to restart outside of active hours, but if they go past these times it's been given, they just keep ignoring it, then it is going to enforce it; it's going to just make them do it.

And so then likewise on the feature side: remember we want that over a much longer period of time. So what the feature is going to do is Test is zero and then you have five days; for First it's 30 plus five; then it's 60 plus five; and then 90. So these are the times it's going to wait before it's even made available to the ring, then they have five days to click it. And the reason for this is, what you want is for them to get it installed; you don't want to give them 30 days to delay it, because I want to see them actually using it and see it get tested and see the user impacts and all of those things. So yes, they have basically a week after it's made available to them, then you get probably 25 days to sit and watch each of these groups and the behavior of it. So once again this is why it's so important, especially in Test and First, to make sure I'm getting the right populations: definitely in First I want some line of business hero users from all the groups, so I make sure those line of business apps really are getting tested in, hey, quality updates, hey, the feature updates. I want that to be very, very visible to me.

Now one of the huge things that is happening here, and one of the other benefits of Autopatch, is yes, Autopatch is orchestrating this for me, but realize when you patch there are sometimes problems. There are problems with certain drivers, there are problems with certain applications, and what's going to happen here is data signals from all tenants. I wouldn't say it's telemetry as such, because it's not per-client; they can't tell which customer. But there are signals sent back. They can see, oh look, this is causing a problem; we're seeing a problem with this update, with this patch, and so they can then actually make the decision to pause future deployments. They can even do things like roll back. And again, it's not just in your tenant: they can see it across all of the tenants. So a huge benefit I'm getting here is, yes, the orchestration of this, but also the ability of, hey, this service is seeing the progress across every customer, and if it starts to detect there's a problem it can halt it, maybe even roll it back. They will go and work with the Windows team to see what needs to get done; maybe it's even a reissue, whatever that might be. But that's part of this service: that intelligence they're getting, you get the benefit of. So don't think of it as, oh, it's just pushing them out. It's monitoring them across all the tenants and reacting for you if there is some hint of a problem.

They are pulled from the internet, so it's not using its own distribution system; it's pulling them from the internet. That does mean if you're using things like Windows Delivery Optimization, it will still take advantage of that. So if I'm thinking about network optimization, definitely still look at things like, hey, do I want to be able to share between peers, features such as that.

And then the obvious question comes: so OK, what's the difference between this and Windows Update for Business? Once again, I think here you have a much better handling of that dynamic nature of devices being added and removed. It's got much better incident response if there is some problem with a certain driver, with a certain application. It helps remove the brain cycles that I have to spend related to patching; there's a lot less administration, it's handling the rings for you. So I think it takes what Windows Update for Business does and just adds a whole bunch more to it.

And then obviously we go beyond that operating system. Then you really can think about things such as Edge. So if I think about Edge, for example, now obviously Edge does its own thing; they have their own cycle. I think Edge checks every 10 hours for updates; I think it has quality updates weekly, feature updates, whatever that is, some other time period, and it automatically does its own progressive rollout. So Edge just on its own does its own thing. So Autopatch is not adding something of its own here; it's just letting it do its thing. The only thing that is done here is the Test ring. So if I think about the sort of dash-dotted line going on here, the Test ring will actually use the Beta channel, whereas the rest of the rings, First, Fast and Broad, will all use the Stable channel. So there is one change there, but apart from that it is not using the rings; it is using Edge's own set of mechanisms to do progressive rollouts. Edge, you know, downloads the bits in the background, then you'll see their little upgrade arrow; it goes green, then yellow, then red: hey, please, please restart Edge. So you just restart Edge, it keeps where you were and all the tabs, and then, hey, you've got that update.

We obviously have the Microsoft 365 Apps, and once again, with Microsoft 365 Apps, what you're going to get here is the Monthly Enterprise Channel. But once again it has its own CDN; it has an Office content delivery network and it uses that to do a progressive download and release. So it doesn't just make Office updates available to everyone at the same time; it will make different portions of the population aware that, hey, there's a new update to Office. So Autopatch is not using its rings here; Office has its own CDN-based progressive release, so that will just still be used. So again, you're going to use that Monthly Enterprise Channel.

And then finally Teams, and as you're going to guess, it also has its own, so this also doesn't use rings; it just has its own mechanism. I think it's once a month for all of the users; there can be the Technology Adoption Program that gets twice a month, but basically I think it's typically a Monday. They might do critical updates in between, but they again have their own update mechanisms to actually go and roll this out.

And that's it. So there's not like a huge demo, because the whole point of this is it just works. I enroll my tenant, I pick the devices I want to be part of this, and once you're confident with this you probably will have some kind of nested group that is a dynamic group, so it just automatically adds machines in. You are going to do that initial management of getting some machines in Test, getting some good sampling in First, and obviously Fast as well, making sure you don't have your CEO and the CFO in any of those, and put them in Broad. So there could be some manual manipulation at first just to get some key machines, but then it's going to take care of putting the machines in to keep to this one percent, nine percent, ninety percent as best it can, and control those rollouts for you.

I can monitor today. I can see the status of the quality updates. So if I was to go and, that was the wrong tab, I'm going to look at the other tab, there we go. If I was to go and look at Reports, what we have today is Windows Autopatch, Windows quality updates. So if we go over here I can see these quality updates; I think more will come over time. But then we can go and get some really nice detail over exactly where we are. I can go and get detailed reports, but I can see exactly where we are within the various rings and what we're doing with regard to that patching. So that's a key thing we have.

And I think another key thing to emphasize today is this is really about helping the IT teams. It really is that whole message of, hey, do more with less: giving the IT teams a bit of a step back from the stress and the burden of the patching, saying focus on other things. This is a starting point. As you probably see with many Microsoft services, you have this V1 that focuses very much on the absolute core functionality that it must have. I wouldn't even say minimal viable product, because this has some fantastic functionality, but this is a starting point. I think we're going to see a lot of enhancements coming to this, and the PG have been very vocal about, hey, we're just going to keep building and building on this. It is a great fit for customers today; I think there's a huge range of large and small that this is just going to be a great fit for right now. If I'm a more complex customer, maybe some of the frontline worker scenarios or the GCC scenarios, if I'm more complex this may not be right today, but I think they're going to build and keep adding to this. But definitely I think it's worth looking at, it's worth evaluating; for most customers this could just, hey, take a whole set of stress and burden off me right now.

So I hope that was useful. I hope it kind of gave us some idea of what this is all about and the benefits this brings. And as always, till next video, take care. Thank you.
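The nested dynamic-group approach described in the captions, as an added example that is not part of the video and not Microsoft's own sample code. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) to find the Windows Autopatch Device Registration group that enrollment creates, create a dynamic device group, nest it as a member, and list what the registration group now contains. The feeder group name "Autopatch Candidates", its mail nickname, and the membership rule (company-owned Windows devices) are assumptions for illustration; scope the rule to your own device population.

```powershell
# Added example (not from the video): nest a dynamic Azure AD device group under
# the "Windows Autopatch Device Registration" group that Autopatch enrollment
# creates, so newly onboarded devices are discovered by Autopatch without manual
# work. Requires the Microsoft.Graph.Groups module.
# Assumptions: the feeder group name, mail nickname and membership rule below
# are illustrative; the registration group name is the one shown in the video.

#Requires -Modules Microsoft.Graph.Groups

# Group.ReadWrite.All is a broad permission: run this from a dedicated admin
# identity, not a day-to-day account.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# 1. Locate the registration group. Refuse to guess if the lookup is ambiguous,
#    because nesting into the wrong group silently enrolls the wrong devices.
$regGroup = @(Get-MgGroup -Filter "displayName eq 'Windows Autopatch Device Registration'")
if ($regGroup.Count -eq 0) {
    throw "Registration group not found; has the tenant been enrolled in Windows Autopatch?"
}
if ($regGroup.Count -gt 1) {
    throw "More than one group matches the registration group name; refusing to guess."
}
$regGroup = $regGroup[0]

# 2. Create (or reuse) the dynamic feeder group. The rule is an assumption:
#    company-owned Windows devices. Executives' machines cannot be excluded by
#    rule in a meaningful way, so move them to the Broad ring in the Autopatch
#    portal afterwards, as the video describes (manual moves are not rebalanced).
$candidateName = "Autopatch Candidates"
$candidate = Get-MgGroup -Filter "displayName eq '$candidateName'"
if (-not $candidate) {
    $rule = '(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")'
    $candidate = New-MgGroup -DisplayName $candidateName `
        -Description "Dynamic feeder group nested under Windows Autopatch Device Registration" `
        -MailEnabled:$false -MailNickname "autopatchcandidates" -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule -MembershipRuleProcessingState "On"
}

# 3. Nest the feeder group inside the registration group (idempotent).
$alreadyNested = Get-MgGroupMember -GroupId $regGroup.Id -All |
    Where-Object { $_.Id -eq $candidate.Id }
if (-not $alreadyNested) {
    New-MgGroupMember -GroupId $regGroup.Id -DirectoryObjectId $candidate.Id
}

# 4. Verify: direct members of the registration group. Nested groups appear
#    alongside any directly added devices. Autopatch evaluates the devices on its
#    next poll (or when you click "Discover devices") and sorts them into
#    Ready / Not ready before assigning rings.
Get-MgGroupMember -GroupId $regGroup.Id -All |
    Select-Object Id,
        @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } },
        @{ n = 'Name'; e = { $_.AdditionalProperties['displayName'] } }
```

Dynamic membership is evaluated asynchronously, so the feeder group can be empty for some minutes after creation; check the group's membership processing status in the portal before expecting devices in the Autopatch Ready tab. A device that lands in Not ready usually fails one of the prerequisites the video lists (not Intune-managed, wrong edition, or co-managed with the Windows Update workload still on Configuration Manager), and nesting the group does nothing to fix that; the device has to be remediated and rediscovered.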
Info
Channel: John Savill's Technical Training
Views: 28,629
Keywords: microsoft, cloud, windows, windows 11, windows 365, patching, intune
Id: 5uJB1q_iSsI
Length: 35min 47sec (2147 seconds)
Published: Thu Aug 04 2022