Microsoft readies Windows Autopatch to free admins from dealing with its fixes

If Windows Autopatch arrives in July as planned, some of you will be able to say goodbye to Patch Tuesday. Windows Autopatch formed part of Microsoft's April announcements on updates to the company's Windows-in-the-cloud product. The tech was in public preview since May. Aimed at enterprise users running Windows 10 and 11, …

  1. wolfetone Silver badge

    "Earlier this month Microsoft confirmed it would not be possible to schedule rollouts only at certain days and times."

    Then what is the point?

    How many hours of productivity are wasted because of a Windows machine deciding to do an update, for it to then stick at 95% for an hour while it sorts itself out, during a working day?

    How hard can it be to have a mechanism there to say "install these patches at 4:55pm" so it can be done at the end of the work day, or even during a lunch hour?

    Microsoft will be fiddling with their nipples over putting tabs in File Explorer, but will then say something that would be a genuine help isn't possible?

    1. david 12 Silver badge

      This is for enterprise roll-outs. Not only is it for enterprise roll-outs, it's restricted to enterprise versions.

      This is for people who already test patches before applying them, who now want to do a graduated roll-out of the update.

      There already exist methods of doing graduated roll-outs, but this is a management-by-exception system. You block updates you don't want, and the rest is automatic.

    2. localzuk

      This would eliminate its usefulness in education settings too. Can't be having teacher laptops deciding to reboot in the middle of a lesson.

      Being able to set a maintenance window at a minimum is a necessity.

      1. david 12 Silver badge

        It's only available for enterprise customers, not for education customers. Also, although the distribution is set by the group the pc is a member of, 'reboot' is still configured by AD. (Or by local policy settings, but home/Small Business users aren't getting autopatch anyway)

    3. NoneSuch Silver badge
      FAIL

      Face It...

      If you have Windows installed, you no longer own the computer you paid for.

      If you cannot determine when patches go off, what patches to install or what feature sets are put onto your PC, it is no longer your computer. It belongs to a nameless set of Microsoft engineers who will tell you what you can and cannot do.

      Now we calmly await the monthly fee paid to Redmond to allow you to log onto that PC you used to own.

  2. Mike 137 Silver badge

    "or just the bits of an update that aren't broken"

    Given this all too common situation, I just don't trust automated patching of mission critical systems. There should always be a test run where it doesn't matter should it break.

  3. steviebuk Silver badge

    No no no no no no no no

    no no no!

    People specifically wait to make sure the new "update" doesn't kill network printing for example (as it did at ours when that was out). Using autopatch means everyone, everywhere that ends up being forced to use it will be borked.

    1. chivo243 Silver badge

      Re: No no no no no no no no

      That's why I used* WSUS**, with a GP to install updates and restart after hours, when there was no user logged in... If somebody was busy late, or forgot to log out, they had to wait a week for the GP to trigger it again.

      *I've moved on, but keep in touch with my ex-colleagues, and remind them to wait, and not approve every update!

      **I then watched El Reg and other reputable tech websites for a week before approving any updates, ANY!

      1. HereIAmJH Silver badge

        Re: No no no no no no no no

        I have lost more work to windows patching than any other threat to PC users in 3 decades. Never walk away from a Windows PC without saving all your documents and memorizing all the documents and web sites you have open. I personally prefer to apply patches on my schedule and do the reboot. Then I know everything has been saved and I can get the system back in the correct state for being productive.

        I set up WSUS on my home network and upgraded all my Win10 machines to Pro/Enterprise so that I could regain control of patching. And I have to say: <sarcasm>WSUS is a dream to configure and manage in your spare time.</sarcasm>

        1. Anonymous Coward

          <sarcasm>WSUS is a dream to configure and manage

          Right. It looks cobbled together by Dumbai interns and never improved from then. There are utilities to improve it and you wonder why MS never thought to apply the same patches.

          Don't understand the need of this tool if it does support only desktop Windows and is not integrated in WSUS.

          1. chivo243 Silver badge
            Go

            Re: <sarcasm>WSUS is a dream to configure and manage

            Proof somebody worked... that is all. Look what we did for X years... and we know it sucks, but have ideas to fix it in the next X years!

            Profit!

          2. Fred Daggy Silver badge
            Meh

            Re: <sarcasm>WSUS is a dream to configure and manage

            WSUS was great *when it was released*.

            It hasn't had much in the way of love since then. Database doesn't scale well, for example.

            The bigger problem is more the Windows Update client on the various workstations and servers. Falls over at the drop of a hat. The client places a very heavy load on the server. 5 to 50 devices - no problem. 500 or more and the IIS memory usage pool goes through the roof.

            And let us not forget the terminal stupidity of copying from SystemD. The WindowsUpdate.log file moved from a realtime, text log file, fully capable of showing what was happening and when it was happening, to a binary log file that needs several steps of translation. So, one can never quite be sure of what happened when "in real life".

            If WSUS was working, then things like Teams would use it too. So, even MS don't think that WSUS is working well.

        2. Anonymous Coward

          Re: No no no no no no no no

          Never walk away from a Windows PC without saving all your documents and memorizing all the documents and web sites you have open

          So true. The same advice applies when you have inquisitive children around. Or a flaky machine.

          Microsoft have really sorted out this usability thing, haven't they?

        3. chivo243 Silver badge
          Meh

          Re: No no no no no no no no

          I started using WSUS a loooong time ago (v3.0? had to be installed, wasn't a role at that time), before I knew shit from shinola in IT. That was one of my first tasks, and we had probably 400 endpoints at that time. I learned it... Then we shifted platforms, and I had 15 endpoints and killed it. It was easier to log in and run updates for that specific system\service. So I killed it. FFW a decade, and my Windows numbers ballooned, and I re-introduced it, and I thought it was pretty MS - AD looking and functioning, and way easier to add the feature\role to the server and move on to the fun of configuring, pointing all windows boxen there etc... It kept me from doing other work, but work is work right??

      2. Anonymous Coward

        Re: No no no no no no no no

        Maybe this is a job for AI...? To see which patches would cause a problem...

    2. Dave Null

      Re: No no no no no no no no

      it's a shame you can't read.

  4. druck Silver badge
    Unhappy

    Auto F***up

    A small set of devices will get the patches first before Autopatch moves on to gradually larger sets, gated by checks to ensure that nothing breaks.

    That's never stopped them before.

    1. Steve Davies 3 Silver badge
      Linux

      Borkzilla

      There is a reason for that nickname.

      The prosecution rests. (and types 'dnf -y update' into their Linux box)

      (other Linux software update options are available)

  5. Anonymous Coward

    auto update

    meh...

  6. Pascal Monett Silver badge

    Autopatch ? Sure. Just shoot me now.

    Borkzilla doesn't have the record required for anyone to trust such a scheme. Rollback, schmollback. Borkzilla is going to fuck up, that's a certainty, and when (not if) that happens, you want your backups to be in order.

  7. FuzzyTheBear
    Pint

    Scared chicken lil i am .

    Somehow automated updates and Microsoft in the same sentence scares the lights out of me.

    Call me chicken. I mean .. what could possibly go wrong eh ? .. Have a great weekend.

  8. Anonymous Coward

    So clearly the Mk 1 is about to sink into the swamp.

    But all you have to do is suffer your deployment catching fire, falling over and sinking into the swamp several times and they might have built a better system by then.

    1. stiine Silver badge

      Re: So clearly the Mk 1 is about to sink into the swamp.

      No, they won't because the morons who write the new system will have been trained by the senior morons who wrote the previous system.

      1. David 132 Silver badge
        Happy

        Re: So clearly the Mk 1 is about to sink into the swamp.

        And the rest of the system will be completed in an entirely different style at great expense and at the last minute?

  9. yetanotheraoc Silver badge

    They really have no idea

    "A small set of devices will get the patches first before Autopatch moves on to gradually larger sets, gated by checks to ensure that nothing breaks."

    AKA testing in production. "Nothing breaks" is all kinds of wrong -- First of all it's "broke", not "breaks". The breakage already happened, depending on the nature of the breakage it may not matter -- to the business -- that it only happened on a small number of devices. Second it's not "nothing" broke, it's "nothing that we hard-coded a test for" broke. Wait, what? They don't write tests, if they did then they could have run the tests in the testing environment! The whole point of testing in production is that they skipped writing tests in the first place. So which is it? Did they write the tests or not?

  10. wsm

    Hours wasted by Microsoft

    I'm not sure that any of this further automation of Microsoft patching will help anything.

    Having been a sysadmin for too many years and having to run Microsoft domains for most of that time, I have often wondered how much of my life has been wasted waiting for Microsoft to patch their software, reboot my systems and keep me waiting at the spinning balls until the update completes at 5%, 23%, 74% and inevitably hanging at 100% for what seems like hours. Not to mention the unpatched defects, vulnerabilities and other unknowns that make me test every system for some basic functionality after patching.

    I once thought of figuring out how many days, weeks or months it added up to over the years. I'm afraid to know the answer.

    1. David 132 Silver badge
      Thumb Up

      Re: Hours wasted by Microsoft

      There are few things in our industry more soul-crushing than clicking "shut down" before you grab your laptop and run out of the room to lunch/dinner/whatever... only to see those dread words, "Windows is installing updates. Do not turn off your computer. 1%.... 1%.... 1%...."

      1. Giles C Silver badge

        Re: Hours wasted by Microsoft

        Can’t upvote you more than once, but it only ever seems to happen when you are in a hurry. What is really frustrating is the machine options are update and shutdown, update and restart and not defer update for 12 hours which is the one you want in a hurry.

        I had a laptop singe the carrying bag as it hadn’t shut down when I put it away (I hadn’t realised).

        1. Strahd Ivarius Silver badge

          Re: Hours wasted by Microsoft

          Never let an IT system know that you are in a hurry, they sense it and slow down immediately...

          1. Ken Moorhouse Silver badge

            Re: Never let an IT system know that you are in a hurry, they sense it and slow down immediately...

            I think that reply belongs in any dictionary of Famous Quotations.

      2. werdsmith Silver badge

        Re: Hours wasted by Microsoft

        I’ve had this happen before. I just shut the lid and carried on leaving.

  11. Snowy Silver badge
    Flame

    My machine

    I say when to patch but I guess this is part of Windows 11 idea of while you pay for the machine Microsoft owns it.

  12. logicalextreme

    Yet again

    PowerShell fans will be disappointed to learn that "Programmatic access to Windows Autopatch is not currently available."

    Much as I loathe PowersHell when misused as anything approximating a programming language, it's sometimes quite good for sysadmin tasks (as long as you don't expect anything like robust error handling).

    MICROS~1 have heavily implied on a number of occasions that all new sysadmin functionality will be, if not "Powershell-first", then at least available to PS via cmdlets or modules at the point of release.

    It's simply not true. Windows config remains the same tangled mess of registry keys, config files, MMC modules of varying antiquity, crappy new Settings screens and various other gubbins, and the likelihood of you being able to administer everything via any CLI is basically zero. No wonder they had to ditch the idea of truly headless Windows shortly after the first releases of Server Core.

    I know there can be a fair bit of inconsistency in administering the various parts of your average *nix instance via CLI too, but at least it's possible, not to mention expected.

    1. David 132 Silver badge
      Thumb Up

      Re: Yet again

      >MICROS~1 have heavily implied on a number of occasions that all new sysadmin functionality will be, if not "Powershell-first", then at least available to PS via cmdlets or modules at the point of release.

      Well yes, but that was more than a couple of months ago, and like so many companies in this industry, they have the attention span of a squirrel.

      Plus, now we're in SatNad world, there's the bigger issue - that they haven't figured out how Powershell can be monetized on an ongoing basis. "Pay-per-use cmdlets? Hmm... not subtle enough..."

      1. Ken Moorhouse Silver badge

        Re: they have the attention span of a squirrel.

        IIRC it's goldfish you're referring to.

        A squirrel has got to remember where he has buried his nuts.

        1. TimMaher Silver badge
          Flame

          Re: buried his nuts.

          And, if it’s in my garden, remember where he left his flak jacket or I shall bury his nuts for him.

  13. Gnisho

    Since this article doesn't clarify, clicking through to other linked articles ... this is an add-on to endpoint management tools for admins renting cloud desktops from Microsoft. Most have no need to panic just yet.

    1. stiine Silver badge

      That's what you think.

      All I could think when I read the headline was 'Oh Fuck No You Aren't!' I already have to prevent my home machines from being able to access any microsoft.com networks to prevent projects, recipes and more important files from being destroyed by Microsoft's idea of 'active hours'. When it's time to update, I change my firewall policy to allow and commit the changes to auto-rollback in 60 minutes.

  14. Anonymous Coward

    Once upon a time......

    .......reasonable people did lots of testing BEFORE they moved an upgrade to production.

    So....my questions are about another old fashioned concept....called trust:

    - Have M$ done any testing?

    - Was that testing comprehensive?

    ......or am I the one ACTUALLY DOING THE TESTING FOR M$?

    1. TimMaher Silver badge
      Coat

      Re: Once upon a time......

      ... there was SMS.

      Mine’s the one with an NT disk in the pocket.

  15. Boris the Cockroach Silver badge
    Facepalm

    Guess we're going

    back from "update this pc at 4pm friday afternoon" to "update whenever"

    And of course that's exactly when your most vital task needs to be achieved and you end up staring at the f'ing spinning circle for 3 hrs before throwing the pc out of the window.....

  16. ITS Retired

    It is time to start checking other operating systems.

    Before Microsoft claims complete ownership of your computer.

  17. original_rwg

    And now look what they're doing....

    https://www.marshall.edu/it/departments/information-security/10-immutable-laws-of-security/

  18. Doctor Syntax Silver badge

    I wonder if, in the future, there'll be an annual commemoration of "The Day The Desktops Died" when a rolled out auto-update bricked every Windows machine on the planet, other than those kept resolutely off-net.

    1. TheWeetabix Bronze badge

      The day all the Windows broke.

      The news will be reported via linux powered internets.

    2. Anonymous Coward

      MS has already implemented elements of autobork to a fashion, with staged rollouts of patches clearly serving as a way to beta-test without exposing the entire population at once.

      From a policy perspective; enterprise W10 in our case has a countdown timer on when one must reboot to apply an update. This gives 24 to 48 hrs notice, which seems a reasonable compromise for rolling out patches the enterprise has decided it wants to apply. (With the odd exception where I need to run a really long numerical analysis job).

      It is less reasonable for "Personal" devices that you do not have the choice over what is being applied or not.

      Both the terms "personal" and "reasonable" have been forgotten in the Windows consumer space. I'm sure I'm not the only one to express concerns of "where are the next programmers coming from" on our highly locked-down autoconfiguring boxen?

      For personal machines, Linux obviously has the advantage of freedom of choice - the likes of Manjaro and its package managers can recommend updates; or you can choose to blacklist. But that level of functionality isn't particularly great in an enterprise where you want to get multiple machines patched to same standard on a schedule.

      Somewhere between the two paradigms is a reasonable and effective approach to be had. I know of no solution, commercial or otherwise that manages to deliver well on both fronts.

  19. TheWeetabix Bronze badge

    Autopatch?

    HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAAAAA

    AHHHahahahahahahahahahahahahahahahahahahahaha.

    So what? I can spend my time double-checking all its work instead?

    AutoJFC more like.

  20. ecofeco Silver badge

    LOL wut?!

    And we should trust this, why?

  21. Anonymous South African Coward Silver badge
    Thumb Up

    AutoPatch should be called AutoBork
