Security Experts:

Connect with us

Hi, what are you looking for?



Windows Autopatch Aims to Make Patch Tuesday ‘Just Another Tuesday’ for Enterprises

Microsoft this week announced Windows Autopatch, a new automatic updates service for Windows 10 and 11 Enterprise E3 customers that will manage all software, firmware, driver, and enterprise app updates.

Microsoft this week announced Windows Autopatch, a new automatic updates service for Windows 10 and 11 Enterprise E3 customers that will manage all software, firmware, driver, and enterprise app updates.

The new feature ensures that Windows and Office products on enrolled endpoints are automatically updated, at no additional cost, helping admins more easily manage the security updates rolled out on the second Tuesday of every month.

“The second Tuesday of every month will be ‘just another Tuesday’,” said Microsoft’s Lior Bela.

Windows Autopatch rolls out updates gradually, to evaluate the deployment and ensure that no issues arise. Thus, all registered devices should be kept updated without disrupting business operations.

“The development of Autopatch is a response to the evolving nature of technology. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end,” Microsoft notes.

Autopatch, Microsoft says, will eliminate security gaps by delivering important updates in a timely manner, providing enterprises with timely response to changes.

According to Microsoft, Windows Autopatch can detect variations among endpoints to dynamically create 4 testing “rings,” which are groups of devices representative of the diversity within the enterprise environment.

[ READ: Microsoft Introduces New Security Update Notifications ]

These rings include the ‘test’ ring, containing a minimum number of representative devices, the ‘first’ ring, which contains roughly 1% of the managed devices, the ‘fast’ ring, containing roughly 9% of devices, and the ‘broad’ ring, which contains the remaining 90% of endpoints.

“The population of these rings is managed automatically, so as devices come and go, the rings maintain their representative samples. Since every organization is unique, though, the ability to move specific devices from one ring to another is retained by enterprise IT admins,” Microsoft notes.

With these curated ring populations in place, Autopatch deploys updates progressively, moving from ‘test’ to ‘broad’ after specific validation periods. The service also monitors device performance with pre-update metrics, to balance speed and efficiency and optimize productivity.

With Autopatch in place, all quality updates – those dealing with security, firmware and other essential functionality – are deployed swiftly, Microsoft claims.

Feature updates – which mainly include user interface or experience changes – will be rolled out slower, with 30 days provided for each ring so that users can interact with the software and report issues.

[ READ: CISA Urges Organizations to Patch Exploited Windows Vulnerability ]

“Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate. As Autopatch serves more updates, it only gets better,” Microsoft says.

Autopatch comes with a “Halt” feature, where updates will not move from ring to ring unless specific stability targets are met (customers too can halt updates); a “Rollback” feature, where updates can be undone if performance targets are not met; and a “Selectivity” feature, which allows customers to select only portions of the update package to be deployed.

The new service also comes with reporting and messaging capabilities, and with an Autopatch message center, where admins can view details about schedules and update status, as well as details from the Autopatch team.

All Microsoft customers with a license for Windows Enterprise E3 can enroll into Autopatch when it becomes generally available in July 2022, the company says.

The service comes with a built-in readiness assessment tool to check settings in Intune, Azure AD, and Microsoft 365 Apps for Enterprise and help enterprises address identified issues, to make sure all solutions are configured to work with Autopatch.

Related: Patch Tuesday: Microsoft Calls Attention to ‘Wormable’ Windows Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.