
Smart Patching and Auto Smart Patching

Smart Patching

Smart Patching can be enabled on a deployment schedule. When it is, Endpoint Admin automatically creates and maintains Microsoft Entra ID groups (Smart Patch groups) that are used in Patch Application assignments, so that a patch only targets devices that already have the software installed. Detection relies on the report shown as the “Discovered Apps report” in the Intune Portal, known in code and in Microsoft documentation as the App Inventory Raw Data Report (AppInvRawData), which lists the applications installed on each device.

Smart Patching is only compatible with Windows applications in the public repository that appear in the AppInvRawData report; this covers most Windows applications. If an application cannot be found using “appwiz.cpl” in Windows, Smart Patching will not be available for it. Support for macOS applications is planned and coming soon.

Smart Patch group creation and maintenance 

Applications in the public repository that are in use in your subscription and have a deployment schedule with Smart Patching enabled assigned to them automatically get a Smart Patch Entra ID group created. The membership of each Smart Patch group is re-evaluated several times a day, currently every 4 to 8 hours.

Endpoint Admin maintains a detection name for each application in our public repository. This name is compared against the application names reported for each device in the AppInvRawData report, producing a set of AAD Device IDs. Because device objects cannot be added to Entra ID groups using their AAD Device ID, each AAD Device ID is then converted to the Directory ID of the corresponding device object.

The IDs of the current member objects of the Smart Patch group are then compared with this set of Directory IDs derived from the report. Current members whose ID is not in the report-derived set are removed from the Smart Patch group; devices in the report-derived set that are not yet members have their device objects added to the group.

The devices that can become members of Smart Patch groups can be limited by opening the Deployment Automation page and selecting a group to use as the Device Scope group for Smart Patching. This is explained in the section “Limiting Smart Patching group memberships to a set of devices”.
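The reconciliation described above, and the Device Scope filtering described later under “Limiting Smart Patching group memberships to a set of devices”, can be illustrated with the following Python. This is an added example, not Endpoint Admin’s own code: the report column names, the device and group IDs, the group data and the case-insensitive exact match on the detection name are all constructed assumptions for the example.

```python
"""Smart Patch group reconciliation, as an added illustration (not Endpoint
Admin's own code) of the membership logic described above, including the
optional Device Scope group. All data below is constructed sample data; the
column names, IDs and matching rule are assumptions."""

# Constructed rows in the shape of the App Inventory Raw Data report
# (AppInvRawData). The column names are an assumption for this example.
APP_INV_RAW_DATA = [
    {"DeviceId": "aad-dev-1", "ApplicationName": "7-Zip", "ApplicationVersion": "22.01"},
    {"DeviceId": "aad-dev-2", "ApplicationName": "7-zip", "ApplicationVersion": "23.01"},
    {"DeviceId": "aad-dev-3", "ApplicationName": "Google Chrome", "ApplicationVersion": "120.0"},
    {"DeviceId": "aad-dev-4", "ApplicationName": "7-Zip", "ApplicationVersion": "22.01"},
    {"DeviceId": "aad-dev-5", "ApplicationName": "7-Zip", "ApplicationVersion": "22.01"},
]

# Constructed mapping from AAD Device ID to the Directory ID of the device
# object. aad-dev-5 deliberately has no directory object (e.g. it was deleted).
DIRECTORY_OBJECTS = {
    "aad-dev-1": "obj-1",
    "aad-dev-2": "obj-2",
    "aad-dev-3": "obj-3",
    "aad-dev-4": "obj-4",
}

# Constructed Entra ID groups: direct device members plus nested groups.
# "CN-VM-GRP" plays the role of the Device Scope group and nests "VM-Lab".
GROUPS = {
    "CN-VM-GRP": {"devices": {"obj-3"}, "groups": {"VM-Lab"}},
    "VM-Lab": {"devices": {"obj-1", "obj-2"}, "groups": set()},
}

# Constructed current membership of the Smart Patch group: obj-2 is correct,
# obj-4 is outside the device scope, obj-9 no longer reports the application.
CURRENT_MEMBERS = {"obj-2", "obj-4", "obj-9"}


def detect_devices(rows, detection_name):
    """Return the AAD Device IDs whose report rows match the detection name.
    Case-insensitive exact match is an assumption; the page only says the
    names are compared."""
    wanted = detection_name.casefold()
    return {r["DeviceId"] for r in rows if r["ApplicationName"].casefold() == wanted}


def to_directory_ids(aad_device_ids, directory):
    """Convert AAD Device IDs to Directory IDs. Devices without a directory
    object cannot be group members, so they are reported separately."""
    resolved = {directory[d] for d in aad_device_ids if d in directory}
    unresolved = {d for d in aad_device_ids if d not in directory}
    return resolved, unresolved


def transitive_members(group_id, groups, seen=None):
    """Collect the device IDs of a group and all nested groups (the effect of
    a transitive-members query), guarding against cycles and unknown groups."""
    seen = set() if seen is None else seen
    if group_id in seen or group_id not in groups:
        return set()
    seen.add(group_id)
    members = set(groups[group_id]["devices"])
    for nested in groups[group_id]["groups"]:
        members |= transitive_members(nested, groups, seen)
    return members


def plan_reconciliation(desired, current, scope=None):
    """Return (to_add, to_remove): members not backed by the report are
    removed, detected devices that are not members are added. With a device
    scope, anything outside the scope is neither added nor kept."""
    if scope is not None:
        desired = desired & scope
    return desired - current, current - desired


def run_example():
    detected = detect_devices(APP_INV_RAW_DATA, "7-Zip")
    desired, unresolved = to_directory_ids(detected, DIRECTORY_OBJECTS)
    scope = transitive_members("CN-VM-GRP", GROUPS)
    to_add, to_remove = plan_reconciliation(desired, CURRENT_MEMBERS, scope)
    return to_add, to_remove, unresolved


if __name__ == "__main__":
    to_add, to_remove, unresolved = run_example()
    print("add:", sorted(to_add))                        # ['obj-1']
    print("remove:", sorted(to_remove))                  # ['obj-4', 'obj-9']
    print("no directory object:", sorted(unresolved))    # ['aad-dev-5']
```

The two set differences at the end are the whole reconciliation; everything before them is the data preparation the text describes (name matching, AAD Device ID to Directory ID conversion, and expanding the scope group transitively). Note that a device whose directory object cannot be resolved is simply never added, which is the safe failure mode for an assignment group.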

Assignment of Smart Patch groups to the Public Patch Application 

When a Smart Patch-enabled deployment schedule is assigned to an application, the final deployment phase of this Deployment Schedule will update the assignment of the Patch Application in Intune to contain a group assignment target, targeting the Smart Patch group. 

Note that the Phase Accumulative setting on a deployment schedule is ignored when Smart Patching is used, so that only the Smart Patch group is assigned. This may be subject to change in the future. 

The first time a deployment schedule with Smart Patching enabled is assigned to an application a Smart Patch group will be created immediately; this group will remain empty until the automation described in the preceding section is triggered. This means that it can take between 4 and 8 hours before the memberships are in place. 

The Smart Patch group is named in the following format:

EA_SmartPatch_{DeployableItemType}_{OS_Type}_{ApplicationName}_ ({Application_ID}) _{GroupNumber} 

Where {DeployableItemType} is one of Public, Private, MSP, Public Configuration Set, MSP Configuration Set or Private Configuration Set. For the time being you will only see “Public”, as Configuration Sets do not support patching yet and only public applications currently have their detection names configured.

{OS_Type} is one of “Windows” or “MacOs”. Currently you will only see Windows here as macOS is not supported by Smart Patching yet. 

{ApplicationName} is the name of the application as seen in the Endpoint Admin repository that corresponds to the {DeployableItemType}. Custom names from subscription-level metadata are not taken into account.

{Application_ID} is Endpoint Admin’s internal ID of the application from our database. It is included to avoid name collisions, since several applications in the same repository may share a name; in practice it is possible to maintain several versions of the same app in a repository under the same name.

{GroupNumber} is a number that has been added speculatively, to make phased/ring rollouts of patch applications easier in the future. Currently it is always “001”.
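As an added example (not Endpoint Admin’s own code), the following Python parses and builds names in this format. It is handy when reviewing a tenant’s group list to see which groups are Smart Patch groups driving Required assignments. The sample application IDs and the tolerance for optional spaces around the parenthesised ID are assumptions.

```python
"""Parser and builder for the Smart Patch group naming format described
above. Added example, not Endpoint Admin's own code. The optional whitespace
around the parenthesised ID and the sample IDs are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Values listed on the page; longest alternatives first so the regex does not
# stop at a shorter prefix such as "Public" inside "Public Configuration Set".
DEPLOYABLE_ITEM_TYPES = sorted(
    ["Public", "Private", "MSP", "Public Configuration Set",
     "MSP Configuration Set", "Private Configuration Set"],
    key=len, reverse=True)
OS_TYPES = ["Windows", "MacOs"]

_NAME_RE = re.compile(
    r"^EA_SmartPatch_"
    r"(?P<item_type>" + "|".join(map(re.escape, DEPLOYABLE_ITEM_TYPES)) + r")_"
    r"(?P<os_type>" + "|".join(OS_TYPES) + r")_"
    r"(?P<app_name>.+?)_\s*"          # lazy: the app name may itself contain '_'
    r"\((?P<app_id>[^()]+)\)\s*_"     # spaces around '(...)' optional (assumption)
    r"(?P<group_number>\d{3})$"
)


@dataclass(frozen=True)
class SmartPatchGroupName:
    item_type: str
    os_type: str
    app_name: str
    app_id: str
    group_number: str


def parse_smart_patch_group_name(name: str) -> Optional[SmartPatchGroupName]:
    """Return the parsed fields, or None if the name is not a Smart Patch group."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    return SmartPatchGroupName(**m.groupdict())


def build_smart_patch_group_name(item_type, os_type, app_name, app_id, group_number=1):
    """Build a name in the documented format (without the optional spaces)."""
    if item_type not in DEPLOYABLE_ITEM_TYPES or os_type not in OS_TYPES:
        raise ValueError("unknown DeployableItemType or OS_Type")
    return f"EA_SmartPatch_{item_type}_{os_type}_{app_name}_({app_id})_{group_number:03d}"


def find_smart_patch_groups(group_names):
    """Split a list of group display names into Smart Patch groups (with their
    parsed fields) and all other groups."""
    smart_patch, others = {}, []
    for name in group_names:
        fields = parse_smart_patch_group_name(name)
        if fields is None:
            others.append(name)
        else:
            smart_patch[name] = fields
    return smart_patch, others


if __name__ == "__main__":
    # Constructed sample names; the IDs 4711 and 12 are made up.
    sample = [
        "EA_SmartPatch_Public_Windows_7-Zip_(4711)_001",
        "EA_SmartPatch_Public Configuration Set_Windows_Notepad_plus_plus_ (12) _002",
        "Sales Team",
    ]
    groups, rest = find_smart_patch_groups(sample)
    for name, fields in groups.items():
        print(name, "->", fields)
    print("not Smart Patch groups:", rest)   # ['Sales Team']
```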

Smart Patching – Simple Practical Example 

In this section, a step-by-step guide with commentary is provided to showcase and explain how Smart Patching is used in a concrete example. 

Step 1. To begin with Smart Patching, either create a new Deployment Schedule or find an existing one that you want to add Smart Patching to. If you already have one, you can skip this part.
1.a Navigate to the Deployment Schedules list in the sidebar of the Endpoint Admin Portal.
1.b Decision: click an existing schedule that you want to enable Smart Patching for (1.d) or create a new schedule (1.c).
1.c Click the “New Schedule” button.
1.d Open an existing schedule by clicking on its row.
1.e Enter a name for your new deployment schedule in the name text field in the top left.
1.f On the right-hand side of the page, below the “New phase” button, you will see the “Smart Patching” toggle. Toggle this on now.
1.g If you created a new schedule, you will see that three default patch phases were added. For a simple patching setup where the patch of an application is not rolled out in phases, these should be removed: click the Remove button for each of the three phases. Ensure that Smart Patching has been toggled on before doing this; the UI enforces that a deployment schedule has at least one phase, so otherwise you will not be able to remove the last phase. In our case the remaining phase should be the “Smart Patch Phase”.
1.h Ensure that the “Offset” setting of the Smart Patch Phase is set to 0, so that new patches are deployed as soon as they are available. The “Offset” setting means the offset in days from when the deployment schedule is triggered until the deployment phase starts. By default, the deployment schedule is triggered when a new version of the application is available.
1.i Ensure the trigger for the deployment schedule is set to “On new version”; otherwise change it using the “Set” button.
1.j Finally, press the Save button.

Step 2. Now assign the deployment schedule to an application. If you edited an existing deployment schedule that was already assigned to one or more applications, you can skip step 2 and go to step 3; applications already using the schedule you updated will have their Smart Patch groups created if they did not exist. Otherwise, go to the public repository for Windows applications by clicking the navigation link in the sidebar under the “Public repository” section.
2.a Find a Windows application that you wish to assign the Smart Patching deployment schedule to. The application must have its base app deployed and must not have any patching or deployment operation underway.
2.b Click on the application row somewhere where there is no text or other UI element to open the application sidebar, then click the “Actions” button to open its dropdown menu and click “Assign deployment schedule”.
2.c Search for the “Smart Patch” deployment schedule, or whichever name you gave it. Select the schedule in the list by clicking on it, then click the “Select” button in the modal.
2.d The deployment schedule should now be assigned to the application.

Step 3. Now start the deployment schedule to deploy the patch app. If you skip this step, the changes you have just made will only take effect the next time a new version of the app is uploaded to our systems.
3.a Open the “Actions” dropdown in the “General” tab of the application sidebar for the application whose deployment schedule has Smart Patching enabled. Find “Start deployment schedule” in the dropdown entries and click it. You will be asked to confirm this action.
3.b The patch app deployment will start shortly. Uploading the patch app to Intune can take a few minutes depending on the size of the application. While waiting, you can open the “Assignments” tab in the application sidebar to view the currently active assignments and which deployment schedule phases are pending.
3.c When the patch app deployment is complete, you will see that the Smart Patch group has been added as a Required assignment.
3.d You can view the members of the Smart Patch group and other details by clicking “Show more” on the assignment shown in the previous step, and then clicking either the name or the ID of the group.
3.e You will now see the Members tab of the Entra ID group inside our Entra ID group management module. If this is the first time a Smart Patch deployment schedule has been applied to the application, this list should be empty; it will be populated within at most 8 hours.
3.f After at most 8 hours, all devices that have the application installed should appear as members of the group. In this test system only 1 device has it installed. You can speed this up by adding the devices that you believe already have the software installed to the group; the Smart Patching automation, which runs at least every 8 hours, will automatically remove those it determines not to have the application.

Auto Smart Patching

Auto Smart Patching is a setting that can be enabled for an entire subscription. As an MSP, you can also set whether it is enabled or disabled by default for all your managed subscriptions. By default, this setting is disabled.

Enabling Auto Smart Patching causes all currently deployed applications that do not already have a deployment schedule set to be evaluated for Smart Patching eligibility.  

When enabled, every eligible application without a deployment schedule gets a Smart Patching deployment schedule that is created automatically by the Auto Smart Patching module. This schedule is named “Auto Smart Patch” when created, but can be renamed by the end user. The deployment schedule is then started on each of these applications, which begins deployment of the patch application to the managed endpoints governed by Microsoft Intune. From there, Smart Patching proceeds for each application as described in the preceding Smart Patching section.

Furthermore, while this feature is enabled, the end user is always asked whether they would like to use Smart Patching as the deployment strategy when they manually deploy an application. The user can choose to deploy only the base application, or to use the Smart Patching deployment strategy, which assigns the Auto Smart Patch deployment schedule to the application, deploys the patch application and then deploys the base application.

Configuring Auto Smart Patching

To configure Auto Smart Patching, you must access the Deployment Automation page, which can be found in the Application Management section of the Endpoint Admin Portal sidebar. 

This page shows several settings. As an MSP, you can see both the defaults set at the MSP level and the current settings for the subscription you are viewing.

To enable the setting for all managed subscriptions that inherit it from the MSP, switch on the toggle displayed below:

By default, all managed subscriptions are set to inherit from the MSP, but this setting can also be controlled individually for each subscription. 

If you are not an MSP user, or if you wish to control this at the subscription level, use the dropdown select menu outlined in red below to set the value for Auto Smart Patching:

Auto Smart Patching Application Exclusions

As seen in the two images above, there is a “Manage App Exclusions” button. Clicking it displays a table of all applications in each repository that can be excluded from automation. An exclusion applies to both Auto Smart Patching and Auto Deployment; Auto Deployment is documented later in this document.

Exclusions can be configured both on the MSP-level and the subscription level. 

Setting an application as excluded from automation means it is not considered eligible for Auto Smart Patching or Auto Deployment. If the Auto Smart Patch deployment schedule is already assigned to an application that you have just excluded, the schedule is unassigned and the application’s patch application instance is deleted.

Pictured above is the current list of apps that can be excluded, with their exclusion state as seen from an MSP’s point of view. Excluded apps always appear at the top of the list. In the picture, iTunes is marked as excluded: the checkbox in the first column is checked.

Having an application set as excluded does not prevent a user from manually assigning the Auto Smart Patch deployment schedule to that application.

Limiting Smart Patching group memberships to a set of devices

To prevent some devices from being patched, or to test Smart Patching with a limited set of devices, you can configure a group from which the devices considered for membership in any Smart Patch group are drawn. This is done by clicking the “Manage Device Scope” button.

Pictured above is the modal UI presented when that button is clicked. You can search for any group in the Entra ID tenant connected to your current subscription and select it as the device scope group, or remove the currently selected device scope group. In this example, the group “CN-VM-GRP” is selected, which means that only devices within CN-VM-GRP are eligible to be in any Smart Patch group. If existing Smart Patch groups already contain devices that are not in the selected device scope group, those devices will be removed the next time the automation runs, i.e. within 4 to 8 hours.

This group may contain nested groups that in turn contain devices, since transitive membership API calls are used to collect the IDs of all members.
