Friday 21 October 2022

Intune Autopatch - Overview and Deployment Rings

Introduction

Patching machines, and user devices in particular, has traditionally been a labour intensive endeavour.  New quality and feature updates, along with updates to Microsoft 365 apps, Edge and Teams do need to be tested and authorized before going out to your entire estate.  And even if the testing phase of an update cycle is successful, there may still be issues that were undetected - and then we enter into an emergency mode.  The IT team will have to frantically find the cause of the issue, and either present a fix or a workaround as quickly as possible.  During such an emergency phase, the culprit update will need to be paused, or even uninstalled.

And if we might put together a wish list for the updating of devices we would surely desire the following:

1) A testing group of devices for initial installation of updates.

2) A phased roll out of updates so that detected issues cripple as few devices as possible.

3) The ability to exclude or include devices in a roll out approach.

4) An agreed level of patching success, with support from Microsoft.

5) A cloud approach whose implementation is relatively straight forward with all requirements clearly defined.

6) A logical grouping of target devices into rings and the automatic placement of devices in these rings.  These rings would receive updates in a phased approach.  A small percentage in the first ring, a bigger percentage in the second ring, etc.

7) Messaging so that the updates administrator is confidently supported by Microsoft and kept up to date with new features and issues.

8) A group of useful reports so that an IT administrator or manager can monitor the installation of updates.

Windows Autopatch does address most of these requirements and more.  In this article I will cover the Deployment Rings Autopatch feature.

For details on how to install Windows Autopatch I recommend the following article by Prajwal Desai.

https://www.prajwaldesai.com/windows-autopatch-setup-implementation-guide/

Note:  At the time of writing the Autopatch rollout of updates for Teams, Edge and Microsoft 365 apps offers few configuration options to the administrator, nor does it give the administrator the option of pausing or uninstalling such updates.  The ability to Resume or Pause updates is mostly confined to Windows Quality and Feature Updates.

The Autopatch Deployment Rings

When Intune Autopatch is enabled, four rings or bands (Deployment groups) of devices are created - Intune itself will put your devices into three of these groups after they register with Autopatch.  The groups are as follows:

1) Test - Microsoft will not place devices into this group.  The administrator is responsible for placing machines into this group.  Machines in this group will receive updates the very day Microsoft release them.  

2) First - If there are 200 or less registered Autopatch devices, 5% of all devices will be automatically placed in this ring.  They will receive updates one day after the release date.  If there are more than 200 Autopatch devices only 1% of devices will be placed in this ring.

3) Fast - If there are 200 or less registered Autopatch devices, 15% of all devices will be automatically placed in this ring.  They will receive updates 6 days after the release date.  If there are more than 200 Autopatch devices 9% of devices are placed in this ring.

4) Broad - If there are 200 or less registered Autopatch devices the remaining 80% of devices go into this group.  They will receive updates 9 days after the release date. If there are more than 200 Autopatch devices 90% are placed into this ring.

So how do these rings present themselves in Intune?  Firstly you will notice Intune groups are created for each ring.  The following capture shows these groups.



Secondly you will notice that the Update rings themselves are created under Devices\Windows\Update rings for Windows 10 and later.  In this capture we see the four rings along with the Quality Deferral setting.


Although the Feature Deferral is set to 0 for each ring - Autopatch does still stagger the feature update implementation.  The feature release date is communicated via Autopatch messaging, along with the deferral periods for each of the rings.  The autopatch documentation predicts the likely deferral date for each of the rings as follows:

Test:  Release date itself.

First: Release date plus 30 days.

Fast: Release date plus 60 days.

Broad: Release date plus 90 days.

In the following capture we see the Feature updates profiles configured for each of the rings, in addition to a Windows 11 Feature update profile..  Each Feature update is assigned to their respective group.  




If we click on the Modern Workplace DSS Policy [Broad] profile and then on Properties, for instance, we can see that it is assigned to the Autopatch-Broad group.


And where would we find the Autopatch messages informing us about Feature update release dates and schedules?  This is found at Home\Tenant admin\Windows Autopatch\Messages.  Currently there are no messages for my test tenant.


Further, if there has been a change to the tenant configuration requiring administrator led activities - information about such demands will be placed in Home\Tenant admin\Windows Autopatch\Tenant management.  In this capture Microsoft has kindly informed me that my tenant is looking good.


Manually populating the Rings/Groups.

As stated, Microsoft will populate the First, Fast and Broad rings for us - which in itself is a great feature of this technology,  It will not populate the Test ring however, and so we need to do this ourselves.  The following procedure also applies if we would like to move devices around the rings according to our own preferences, rather than Microsoft's automated assignment algorithm. 

Firstly we have to navigate to Home\Devices\Windows Autopatch\Devices.  We then select the devices we would like to move to the Test ring or to one of the other rings.  In this capture I have selected device VM1234 to be moved.


I then click on Device actions and then select Assign device group.


The Assign group blade will appear.  You are then required to select the ring you would like to place the device, from the Select group pull down list.




Click on Save then moves the device into the selected group.


Pausing a Quality or Feature Release

Our testing may have flagged an issue and we might have to pause a Windows Feature Update or a Windows Quality update.  Or perhaps our testing did not flag an issue, however some users, whose devices are in the First or Fast deployment rings may have reported an issue that we suspect is related to a Quality update or a Feature update.  In these scenarios we can easily pause the deployment.  We will navigate to Home\Devices\Windows Autopatch\Release management.  We then click on Pause.



The Pausing a release blade appears.  We need to define if it is a Feature update or a Quality update that we are pausing and then we need to select a Reason.  After clicking Okay the Pause order is then in place for all deployment rings




Resuming a Quality or Feature Update

After we have resolved the issue or issues that prompted us to pause an update, resuming a paused update is a very similar process.  The main difference however is that we are given the option of resuming a particular update ring.

We will navigate to Home\Devices\Windows Autopatch\Release management.  We then click on Resume.


The Resuming a release blade appears.  We must select either a Feature or Quality update to Resume, along with a Reason for the resumption of the update.  We then select the Update Groups or Rings that are to be Resumed.  In this capture I have chosen to resume the Feature update for the Test, First and Fast update groups.


Clicking on Okay then resumes those deployments.

Conclusion

In this article I have illustrated how updates deployment rings can be managed.  We have covered how they are populated and how they can be paused or resumed.  This admin initiated ability to pause updates and then to resume updates for all, or some deployment groups, is a great option.  Hopefully Microsoft will extend this feature to cover Teams and Edge deployment updates as well, sometime soon.


No comments:

Post a Comment