This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.


Microsoft Intune - update Windows devices

| Petr Bouška - Samuraj |
Intune offers several ways to manage the installation of updates on Windows devices; all of them build on Windows Update for Business. Within Intune, Update Rings are used most often: we create several device groups and install updates with staggered delays. For Windows version (feature) updates we can use the newer Feature Updates policy. Other options, such as Windows Autopatch, are only touched on here.

Windows Update Options

Traditional Windows Server Update Services (WSUS)

The traditional solution for businesses was (and still is) Windows Server Update Services (WSUS), ideally together with Configuration Manager (MECM). The client connects to the local WSUS server to check for updates and can download the content from a Configuration Manager distribution point (DP). We approve individual updates for groups of devices, so we have granular control, but we miss some of the features that WUfB offers.

Note: WSUS works for both client and server Windows.

Windows Update for Business (WUfB)

For updating Windows devices with Intune, we use the cloud service Windows Update for Business (WUfB), which is available for the Pro, Enterprise and Education editions of Windows 10/11 (not Home). We configure the update behaviour on the devices using MDM or Group Policy; the devices then connect directly to the Windows Update service.

Intune passes the Device ID and other information to the Windows Update service, where the client connects to check for updates (and also passes certain information based on its configuration). Based on this, the service offers the appropriate updates to the client, which then downloads and installs them.

Note: At this time, we can only use it for updating client Windows, not Windows Server.

Windows Update for Business with Intune

Windows Update for Business is free and can be configured using Group Policy.

Intune (or other MDM) provides easier management and more options. So we need an Intune license, the devices must have a supported version and edition of Windows, be registered in Intune, and be (Hybrid) Azure AD joined. Communication to various Microsoft services (primarily Windows Update, for additional features Windows Update for Business Deployment Service, Windows Push Notification Services) must also be available.

Windows Update for Business Deployment Service (WUfB-DS)

Microsoft offers additional services that utilize/extend the capabilities of Windows Update for Business.

The first is the Windows Update for Business Deployment Service (WUfB-DS). It is intended for those for whom Update Rings and deferred updates are not enough. It allows approving and scheduling the deployment of Feature updates, managing Driver updates, and expediting specific Quality updates; the regular monthly Quality update schedule is still driven by the Update Ring deferrals. A less pleasant aspect is that it is an API, available through Microsoft Graph and the related SDKs (including PowerShell). I came across (but didn't test) the Windows Update for Business Deployment Service Web App.

To use WUfB-DS, in addition to the Intune license, we also need a license for the Windows Update for Business deployment service. However, this is usually part of the same license plan as Intune, primarily Microsoft 365 E3, E5, Microsoft 365 Business Premium.

Windows Autopatch

The second service is Windows Autopatch. It aims to simplify the planning and operation of the update process (Windows, Microsoft 365 Apps for Enterprise, Microsoft Edge, and Microsoft Teams). When the service is activated, four groups and corresponding Update Rings with configuration (Test, First, Fast, Broad) are automatically created.

A Windows Autopatch license is required, which is part of Windows Enterprise E3 (Microsoft 365 E3 and E5).

Windows Update

Update Types

  • Feature updates - released annually, add new features and functionality, considered an upgrade
  • Quality updates - released monthly (typically the second Tuesday), are classic updates, providing security and other fixes (include security updates, critical updates, servicing stack updates, and driver updates)
  • Servicing stack updates - updates the component that directly installs Windows updates
  • Driver updates - updates for non-Microsoft device drivers
  • Microsoft product updates - updates for other MS products, such as Office (installed using MSI, Click-to-Run installations cannot be updated using Windows Update for Business)

Feature and Quality updates are cumulative from Windows 10 onwards, so they contain all previous updates. Installing the latest update is enough to get all previous fixes.

Servicing Channels

  • General Availability Channel - Feature updates are installed as soon as they are released (unless update deferral - Defer - is set)
  • Windows Insider Program for Business - contains preview versions of updates that will be part of the next Feature updates, if we want to test them in advance
  • Long-term Servicing Channel (LTSC) - intended for special devices that receive Feature updates once every 2 to 3 years, a special version of Windows

Windows Update for Business (WUfB)

Windows Update for Business allows administrators to keep devices in the organization up-to-date. It utilizes a direct connection to the Windows Update service. It allows controlling which updates are offered to devices and when they are applied. So we can test on a subset of devices before deploying updates across the entire organization.

Configuring Windows Update

To configure the settings for how and when devices are updated, we can use Group Policy or Microsoft Intune (or another MDM tool). MDM tools use Configuration Service Provider (CSP) policies. Intune also uses Cloud Policies.

We can control the installation of updates and thus influence the end-user experience. Windows Update has built-in intelligence, such as Smart Busy Check (the device is not restarted while a user is actively working on it) and Active Hours (a daily window in which restarts are not allowed).

We can keep the default automatic download, installation and restart behaviour with the default notifications, or configure them. Setting a deadline for updates is recommended: the number of days after an update is offered to the device by which it must be installed (and the restart performed). We can also set a Grace Period, the minimum number of days after the deadline has passed before the restart is forced, so that a device that was switched off over the deadline still gets some warning time.

Note: Windows 10 must be a certain minimum version, generally supported from version 1607. Further changes were made in version 1703.

How Deferring Installation Works

Unlike WSUS, we don't approve individual updates for device groups, but instead set an update deployment strategy. Using Intune, we configure the update settings and deferral of installation. We can prevent the installation of Feature updates, while Quality updates are still installed.

We can defer or pause the installation of updates for a set period of time. We can defer Feature updates for up to 365 days, and Quality updates for 30 days. When deferring, the device won't install updates (they won't be published to it) that were released less than the specified number of days ago.

Note: We can set the pause or deferral of updates using the Group Policy Select when Preview Builds and feature updates are Received and Select when Quality Updates are Received. Or more easily using Intune.

Update Management Policy Types

Intune offers three policies (methods) for managing updates:

  • Update rings for Windows 10 and later - a group of settings that configures the installation of updates on devices
  • Feature updates for Windows 10 and later - this policy updates Windows to a specific version and then freezes it on that version (until we decide to install a newer version)
  • Quality updates for Windows 10 and later - accelerated deployment of a specific Quality update outside of the standard schedule

The basic one is the use of Update Rings, which we always use. We can use it to install all types of updates. The Feature updates and Quality updates policies use the Windows Update for Business Deployment Service, so we need the appropriate license.

For installing Feature updates, we can use the Update Rings policy settings along with update deferral, or the Feature updates policy. It is recommended to use the newer Feature updates feature and not combine the configuration using both options.

Grouping Devices

All policies (configuration profiles) are assigned to groups. The first step is therefore to group the devices (Groups). Intune uses the term rings for the standard deployment of updates. We divide the devices based on the deferral time of update installation. We first deploy updates to a small group of devices to validate quality before rolling them out across the organization (which can be in multiple waves).

Safeguard Holds

Microsoft uses diagnostic data (in the cloud service Windows Update for Business) to identify potential issues with the installation of Feature updates. When it detects that a device is not ready for the update due to a known problem, it sets a Safeguard hold. This then postpones the installation of the Feature update.

Update Rings Policy

The primary way to install Feature and Quality updates (including Microsoft product updates and Windows drivers). We can also use it for upgrading Windows 10 to Windows 11. It is mainly supported for Windows 10/11 Pro and Enterprise. In the case of Windows 10/11 Enterprise LTSC, the features are limited.

How Update Rings Work

The idea of using Update Rings is to divide the devices into several groups and set an increasingly longer delay in installation for them. In the first group/groups, there are only a few test devices. The next one has more devices across different types and use cases, still for testing. Then there can be groups for deployment across the entire organization.

We create several Update Ring profiles (configurations) that we apply to the prepared device groups. In the profiles, we set different deferral of Quality updates installation. We'll manage Feature updates using the new policy type. So here we set the Feature update deferral period (days) value to 0. We also configure the update behavior. Microsoft's description of the possible settings is at Windows update settings. An interesting description is in another location Walkthrough: Use Group Policy to configure Windows Update for Business.

Intune - Devices - Update rings for Windows 10 and later

The Update Ring functions as a standard Configuration profile that configures the update settings on the client using CSP. It contains only part of the configurations available for Windows Update for Business. We can look at the device details, where under Device configuration we see the applied policies. We can expand the policy for the Update Ring and see the individual settings.

Configuring Update Rings

  • Microsoft Endpoint Manager admin center - Devices - Update rings for Windows 10 and later

We enter the profile name and configure the settings (Update ring settings):

  • Update settings
    • Microsoft product updates
    • Windows drivers
    • Quality update deferral period (days)
    • Feature update deferral period (days)
    • Upgrade Windows 10 devices to Latest Windows 11 release
    • Set feature update uninstall period (2 - 60 days)
    • Enable pre-release builds (Servicing channel)
Intune - Update ring settings
  • User experience settings
    • Automatic update behavior
    • Active hours
    • Restart checks
    • Option to pause Windows updates
    • Option to check for Windows updates
    • Change notification update level
    • Deadline for feature or quality updates, Grace period, Auto reboot before deadline
Intune - Update ring settings - experience

The important thing is that using the deferral setting, we set the delay when the update is published to the client. Subsequently, the client must download, install, and usually also restart. These actions depend on the client's Automatic update behavior setting:

  • Notify download - just a notification that updates are available
  • Auto install at maintenance time - automatically downloads and installs updates during automatic maintenance (when not in use and not on battery), if a restart is required, the user is prompted for restart for 7 days (then it's forced), the restart can happen automatically (we set the Active hours period when the restart is blocked)
  • Auto install and restart at maintenance time - similar to the previous one, but the restart happens automatically when the device is not in use
  • Auto install and restart at scheduled time - allows setting the day (we select days and weeks of the month) and time when the installation will occur, followed by a 15-minute countdown and restart (if the device is not turned on, the next attempt at installation is at the next scheduled period, we can solve this by setting a Deadline)
  • Auto install and reboot without end-user control - automatically downloads, installs, and restarts when the device is not in use

We assign the profile (Assignments) to a group.

Intune - Update ring Assignments

Managing Update Rings

On the created and assigned profile, we can use the following functions (on the Overview page):

  • Delete - delete the profile, it will stop applying (enforcing) the settings, but will not change the device configuration where it was applied (the device will retain the update settings the profile made)
  • Pause - we can pause to prevent assigned devices from receiving Feature or Quality updates, for a maximum of 35 days
  • Resume - resumes updates if they were paused
  • Extend - if the Update Ring is paused, it resets the pause duration and thereby extends the pause
  • Uninstall - performs an uninstallation (roll back) of the last Feature or Quality update, it is done immediately and can trigger a restart, the function has several limitations that are mentioned in the documentation
Intune - Update ring management (Overview)
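The following script is an added example, not code from the original article or from Microsoft: it audits the Update Ring design described above (staggered Quality update deferrals, Feature update deferral set to 0 when Feature Updates policies are used, no ring left paused or unassigned) through Microsoft Graph. It assumes the Microsoft.Graph.Authentication module (SDK 2.x, for `-NoWelcome`), the DeviceManagementConfiguration.Read.All permission, and the Intune beta endpoints `deviceConfigurations` (Update Rings are `windowsUpdateForBusinessConfiguration` objects) and `windowsFeatureUpdateProfiles`; property names are those of the Graph beta schema.

```powershell
# Added example (not from the original article): audit Update Rings and Feature
# Updates policies via Microsoft Graph beta. Read-only; nothing is changed.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement'

function Get-GraphCollection([string]$Uri) {
    # Follows @odata.nextLink so that large tenants are fully enumerated
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    $items
}

# Update Rings are deviceConfigurations of type windowsUpdateForBusinessConfiguration
$rings = Get-GraphCollection "$base/deviceConfigurations?`$expand=assignments" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }

# Feature Updates policies (WUfB deployment service)
$featurePolicies = Get-GraphCollection "$base/windowsFeatureUpdateProfiles"

$ringReport = foreach ($r in $rings) {
    [pscustomobject]@{
        Ring             = $r.displayName
        QualityDeferDays = $r.qualityUpdatesDeferralPeriodInDays
        FeatureDeferDays = $r.featureUpdatesDeferralPeriodInDays
        QualityPaused    = $r.qualityUpdatesPaused
        FeaturePaused    = $r.featureUpdatesPaused
        DeadlineQuality  = $r.deadlineForQualityUpdatesInDays
        DeadlineFeature  = $r.deadlineForFeatureUpdatesInDays
        GraceDays        = $r.deadlineGracePeriodInDays
        AutoUpdateMode   = $r.automaticUpdateMode
        Groups           = if ($r.assignments) { @($r.assignments).Count } else { 0 }
    }
}

# Rings ordered by how long they wait: this is the rollout wave order
$ringReport | Sort-Object QualityDeferDays | Format-Table -AutoSize

foreach ($r in $ringReport) {
    if ($r.Groups -eq 0) {
        Write-Warning "Ring '$($r.Ring)' is not assigned to any group."
    }
    if ($featurePolicies.Count -gt 0 -and $r.FeatureDeferDays -gt 0) {
        Write-Warning "Ring '$($r.Ring)' defers feature updates by $($r.FeatureDeferDays) days while Feature Updates policies exist; set it to 0 and let the policy choose the version."
    }
    if ($r.QualityPaused -or $r.FeaturePaused) {
        Write-Warning "Ring '$($r.Ring)' is paused (a pause lasts at most 35 days, then updates resume)."
    }
}

# Two rings with the same quality deferral are one wave, not two
$ringReport | Group-Object QualityDeferDays | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Rings $($_.Group.Ring -join ', ') share the same quality deferral ($($_.Name) days)."
}

# Which version each Feature Updates policy pins, and how it is rolled out
$featurePolicies | Select-Object displayName, featureUpdateVersion,
    @{ n = 'Rollout'; e = {
        if ($_.rolloutSettings.offerStartDateTimeInUTC) { "from $($_.rolloutSettings.offerStartDateTimeInUTC)" }
        else { 'as soon as possible' } } } |
    Format-Table -AutoSize
```

Run it after any change to the rings; the warnings are the conditions the article warns against, so an empty warning list means the ring layout matches the intended staged rollout.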

Feature Updates Policy

It allows selecting the Windows Feature update version that will be installed and on which we want the devices to remain. We can choose from the versions that are supported at the time the policy is created. It works together with the Update Rings policies. We can also use it for upgrading Windows 10 to Windows 11.

How Feature Updates Policy Works

When a device receives the assigned policy with a specified version (Feature update), if it is on a lower version, it will perform an upgrade. If it is on a Safeguard hold, the update will not be installed. Likewise, if we pause Feature updates in the Update Ring policy, the installation will not occur. The device will remain on the specified version until we change the policy (unlike the pause in the Update Ring, which can be a maximum of 35 days).

To use the Feature Updates Policy, the Microsoft Account Sign-In Assistant service (wlidsvc) must not be disabled on the client (its default start type, Manual (Trigger Start), is sufficient), and the device must send diagnostic data at least at the Required (formerly Basic) level.

Configuring Feature Updates Policy

  • Microsoft Endpoint Manager admin center - Devices - Feature updates for Windows 10 and later

We enter the profile name and select the Windows Feature update to deploy. We then set the schedule when Windows Update will make the update available to the devices.

Rollout options:

  • Make update available as soon as possible - no delay before the update is made available to the device
  • Make update available on a specific date - we specify the date when the update will be available at the earliest
  • Make update available gradually - gradual availability to group members (Intune will divide it into smaller, equally sized groups), can reduce network load, we specify the date for the first and last group and the number of days between groups
Intune - Devices - Feature updates for Windows 10 and later

For Gradual rollouts, we can set Intelligent rollouts. This is done by enabling the Allow WUfB Cloud Processing item using the Settings catalog in the System category. Then the subdivision into subgroups is done more intelligently.

Quality Updates Policy

It allows accelerating the installation of the latest Windows 10/11 security updates. We can leave the standard Update Rings Policy in place and quickly deploy a specific (monthly) update to mitigate a security threat.

Expedited updates make devices check for updates more often than the standard Windows Update scan interval. Updates are selected by release month, not by KB number, so one policy covers all supported Windows 10/11 versions. A device that already has this or a newer update receives nothing. In the policy we set the deadline by which the restart must occur; until then the user can postpone it, but after the deadline the restart happens even during working hours.

Configuring Quality Updates Policy

  • Microsoft Endpoint Manager admin center - Devices - Quality updates for Windows 10 and later

We enter the profile name and select the update to be accelerated. We can also set the number of days (0, 1, and 2) by which the restart must occur after the update installation (and it can be forced automatically).

Intune - Devices - Quality updates for Windows 10 and later

At the time of writing, 3 updates are offered: 2023.03 B Security Updates for Windows 10 and later, 2023.04 B Security Updates for Windows 10 and later, and 2023.05 B Security Updates for Windows 10 and later. The letter B in the name means that it is a standard update released on the second Tuesday of the month.

Monitoring Updates and Reports

To be able to monitor the results and status of updates, we need to set up Windows Health Monitoring on the devices. This means creating a configuration profile from the Windows health monitoring template, where we enable Health monitoring and set the Scope to Windows updates.

Reports

Intune offers several reports (but we won't get much detail in them) for Windows Update in the Monitor or Reports section.

  • Microsoft Endpoint Manager admin center - Devices - Monitor - Per update ring deployment state

The others are for Feature updates or Expedited updates (for the report, a minimum of Windows 10 1903 is required), and are more related to errors:

  • Microsoft Endpoint Manager admin center - Devices - Monitor - Feature update failures
  • Microsoft Endpoint Manager admin center - Devices - Monitor - Windows Expedited update failures
  • Microsoft Endpoint Manager admin center - Reports - Windows updates - Summary and Reports
Intune - Reports - Windows Feature Update Report

The reports also include compatibility reports:

  • Windows feature update device readiness report - provides information for individual devices about compatibility risks when updating to a selected version of the Windows operating system
  • Windows feature update compatibility risks report - a summary overview of the main compatibility risks in the organization for a selected version of the Windows operating system, we can find out which risk affects the most devices

Windows Update for Business Reports

We can set up Windows Update for Business reports, which provide much more detail about individual updates. They use Azure Log Analytics and are viewed in the Azure Portal. There are no fees for the reports (they are part of the Windows license).

The configuration is described in detail in the documentation. We must meet certain prerequisites. Activate (register/add to the subscription) the Windows Update for Business reports within Azure or Azure AD - Enable Windows Update for Business reports. Enable telemetry on the devices - Configuring Microsoft Intune devices for Windows Update for Business reports. After some time, the reports should start appearing (if not, the main thing to check on the clients is that Diagnostic data - Required is enabled).

The reports use an Azure Workbook for visual data representation. We can find them in the Azure Portal - top left menu Monitor - Workbooks. We find and click on Windows Update for Business reports.

Azure Portal - Windows Update for Business reports
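The workbook is convenient, but the same data can be queried directly, which is what a practitioner wants for alerting or for feeding a ticket queue. The script below is an added example, not from the original article: it runs two KQL queries against the Log Analytics workspace that the reports were enabled on. It assumes the Az.Accounts and Az.OperationalInsights modules and a workspace ID passed in `$WorkspaceId`; the table and column names (`UCClientUpdateStatus`, `UCUpdateAlert`, `UpdateCategory`, `ClientState`, `DeploymentStatus`, `AlertStatus`, `AlertType`, `AlertSubtype`, `ErrorCode`) follow the Windows Update for Business reports schema as documented at the time of writing and should be verified against the current schema reference.

```powershell
# Added example (not from the original article): query WUfB reports data in
# Log Analytics for the quality-update state of all devices and the devices
# that currently report an active update alert.
param([Parameter(Mandatory)][string]$WorkspaceId)

Connect-AzAccount | Out-Null

# One row per device (latest record), then a count per state
$kqlState = @'
UCClientUpdateStatus
| where TimeGenerated > ago(1d)
| where UpdateCategory == "WindowsQualityUpdate"
| summarize arg_max(TimeGenerated, *) by AzureADDeviceId
| summarize Devices = count() by ClientState, DeploymentStatus
| order by Devices desc
'@

# Devices with an unresolved client-side alert in the last week
$kqlAlerts = @'
UCUpdateAlert
| where TimeGenerated > ago(7d)
| where AlertStatus == "Active" and AlertType == "ClientUpdateAlert"
| summarize arg_max(TimeGenerated, *) by AzureADDeviceId, TargetBuild
| project DeviceName, TargetBuild, AlertSubtype, ErrorCode, Description
| order by DeviceName asc
'@

function Invoke-WufbQuery([string]$Query) {
    # Results is the table returned by the Log Analytics query API
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query).Results
}

'--- Quality update state per device (latest record) ---'
Invoke-WufbQuery $kqlState  | Format-Table -AutoSize

'--- Devices with active update alerts ---'
$alerts = Invoke-WufbQuery $kqlAlerts
$alerts | Format-Table -AutoSize
if (@($alerts).Count -gt 0) {
    Write-Warning "$(@($alerts).Count) device(s) report an active update alert; check ErrorCode against the Windows Update error reference."
}
```

The `arg_max(TimeGenerated, *) by AzureADDeviceId` step matters: the tables hold a history of status rows per device, and counting without it would count the same device several times.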

Delivery Optimization

If we have many clients on the internal network, we may have been serving updates locally with Configuration Manager and WSUS. Once updates come through Intune, every client downloads them from the internet. To reduce the load on the internet line we can use Delivery Optimization, which caches content on the clients and lets them download from neighbours (peers). Its configuration used to be part of the Update Rings; it is now a separate profile.

We set the settings using a configuration profile from the Delivery Optimization template (we can also use the Settings catalog). There are many values we can set. The main one is the download method, which affects whether the download is from computers on the network. We also set the maximum bandwidth usage, caching properties, and Local Server Caching.

Intune - Configuration profiles - Delivery Optimization
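Configuring Delivery Optimization is only half the work; the other half is checking on a client that peering actually happens. The script below is an added example, not from the original article: it reads the effective DODownloadMode from both the Group Policy and the Policy CSP registry locations, then sums the bytes Delivery Optimization fetched from peers, from HTTP and from a cache server. It assumes the built-in `Get-DeliveryOptimizationStatus` cmdlet (Windows 10 1803 and later) and its documented `BytesFromPeers`, `BytesFromHttp` and `BytesFromCacheServer` properties; confirm them with `Get-DeliveryOptimizationStatus | Get-Member` on your build.

```powershell
# Added example (not from the original article): check on a client whether
# Delivery Optimization is peering and which policy source sets its mode.
# Run in an elevated PowerShell on the client.

function Get-DoPolicyMode {
    # DODownloadMode: 0 HTTP only, 1 LAN peers, 2 group peers, 3 internet peers,
    # 99 simple (no peering, no cloud), 100 bypass DO (BITS)
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
    [pscustomobject]@{
        GpoDownloadMode = (Get-ItemProperty $gpo -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
        MdmDownloadMode = (Get-ItemProperty $mdm -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    }
}

function Get-DoPeerShare {
    # Sums bytes per source over all jobs DO still reports (current and recent).
    # [long] turns the empty-input $null from Measure-Object into 0.
    $jobs  = @(Get-DeliveryOptimizationStatus)
    $peers = [long]($jobs | Measure-Object -Property BytesFromPeers       -Sum).Sum
    $http  = [long]($jobs | Measure-Object -Property BytesFromHttp        -Sum).Sum
    $cache = [long]($jobs | Measure-Object -Property BytesFromCacheServer -Sum).Sum
    $total = $peers + $http + $cache
    [pscustomobject]@{
        Jobs              = $jobs.Count
        MBFromPeers       = [math]::Round($peers / 1MB, 1)
        MBFromHttp        = [math]::Round($http  / 1MB, 1)
        MBFromCacheServer = [math]::Round($cache / 1MB, 1)
        PeerSharePercent  = if ($total -gt 0) { [math]::Round(100 * $peers / $total, 1) } else { 0 }
    }
}

Get-DoPolicyMode | Format-List

$share = Get-DoPeerShare
$share | Format-List

if ($share.Jobs -gt 0 -and $share.PeerSharePercent -eq 0) {
    Write-Warning 'No bytes came from peers. Check that DODownloadMode is 1 or 2, that TCP 7680 is open between clients, and that peers share a subnet (mode 1) or group ID (mode 2).'
}
```

A single client reporting 0 % from peers is normal right after a reboot or when it is the first to download a given file; the figure is meaningful across several machines on the same subnet over a patch cycle.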

Transitioning from Group Policy, WSUS

If we already have some update management in place, most often using WSUS, we're probably configuring the clients using Group Policy. If we start transitioning/testing Intune, we need to be aware of a few things.

Group Policy vs. Intune

If the same setting is configured by both Group Policy and Intune, Group Policy takes precedence (wins) by default. So if a GPO configures updates from WSUS, the Intune configuration will not take effect. We must make sure that no Group Policy for this area is applied to the device.

In Intune, we can create a configuration profile with the MDMWinsOverGP setting. This is about enabling MDM wins over GP using the Settings catalog in the Control Policy Conflict category. This setting ensures that the Intune configuration is applied and the same Group Policy configuration is blocked. It only applies to policies from the Policy CSP.

If a GPO sets the Intranet Update Service (WSUS server), MDM wins over GP does not help: the Update Ring contains no setting that overrides the WSUS server, so the GPO value stays in place and the device keeps scanning the WSUS server instead of Windows Update. The GPO with the update configuration must therefore not apply to the device at all.

On Windows devices, we can see which settings are implemented using Group Policy and which using Mobile Device Management.

  • Settings > Update & Security > Windows Update
  • if the device is managed, the page shows Some settings are managed by your organization, with a link beneath it
  • View configured update policies - lists each applied policy together with its source (Group Policy or Mobile Device Management)
Windows 10 - Windows Update - View configured update policies
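The Settings page shows the same information a script can read from the registry, and reading it is how the checks from this section (WSUS left behind by a GPO, MDMWinsOverGP, the telemetry and wlidsvc prerequisites for the Feature Updates policy and for WUfB reports) get verified on many devices. The script below is an added example, not from the original article: Group Policy values live under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, values delivered by an Update Ring under the Policy CSP path `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update`, and MDMWinsOverGP under the ControlPolicyConflict area of the same tree; the telemetry policy is read from both the MDM (System area) and GPO (DataCollection) locations.

```powershell
# Added example (not from the original article): report where a client's
# update configuration comes from (GPO vs. Intune/MDM) and flag the conflicts
# and missing prerequisites described in the article. Run elevated on the client.

$gpoWU   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$gpoAU   = "$gpoWU\AU"
$gpoTel  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$mdmUpd  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$mdmCpc  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdmSys  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, instead of an error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = [ordered]@{}

# 1. What Group Policy still says (WSUS pointing is the setting Intune cannot override)
$report['GPO WUServer']        = Get-RegValue $gpoWU 'WUServer'
$report['GPO UseWUServer']     = Get-RegValue $gpoAU 'UseWUServer'
$report['GPO DeferQuality']    = Get-RegValue $gpoWU 'DeferQualityUpdatesPeriodInDays'
$report['GPO DeferFeature']    = Get-RegValue $gpoWU 'DeferFeatureUpdatesPeriodInDays'
$report['GPO AllowTelemetry']  = Get-RegValue $gpoTel 'AllowTelemetry'

# 2. What the Update Ring delivered (Policy CSP, Update area)
foreach ($name in 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
                  'PauseQualityUpdates', 'PauseFeatureUpdates', 'AllowAutoUpdate',
                  'ActiveHoursStart', 'ActiveHoursEnd',
                  'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineForFeatureUpdates',
                  'ConfigureDeadlineGracePeriod') {
    $report["MDM $name"] = Get-RegValue $mdmUpd $name
}
$report['MDM MDMWinsOverGP']   = Get-RegValue $mdmCpc 'MDMWinsOverGP'
$report['MDM AllowTelemetry']  = Get-RegValue $mdmSys 'AllowTelemetry'

# 3. Service prerequisite for the Feature Updates policy
$wlid = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
$report['wlidsvc StartType']   = if ($wlid) { $wlid.StartType } else { 'not installed' }

[pscustomobject]$report | Format-List

# Verdicts
if ($report['GPO UseWUServer'] -eq 1 -and $report['GPO WUServer']) {
    Write-Warning "Device still scans WSUS at $($report['GPO WUServer']); MDMWinsOverGP does not clear this, the GPO must stop applying."
}
if ($null -ne $report['GPO DeferQuality'] -and $report['MDM MDMWinsOverGP'] -ne 1) {
    Write-Warning 'Quality deferral is set by both GPO and MDM; GPO wins unless MDMWinsOverGP = 1.'
}
if ($null -ne $report['MDM DeferFeatureUpdatesPeriodInDays'] -and $report['MDM DeferFeatureUpdatesPeriodInDays'] -gt 0) {
    Write-Warning 'Update Ring defers feature updates; if Feature Updates policies are in use this should be 0.'
}
$tel = @($report['MDM AllowTelemetry'], $report['GPO AllowTelemetry']) | Where-Object { $null -ne $_ } | Select-Object -First 1
if ($null -eq $tel) {
    Write-Warning 'Diagnostic data level is not enforced by policy; Feature Updates policy and WUfB reports need at least Required (1).'
} elseif ([int]$tel -lt 1) {
    Write-Warning "AllowTelemetry = $tel (Security); Feature Updates policy and WUfB reports need at least Required (1)."
}
if (-not $wlid -or $wlid.StartType -eq 'Disabled') {
    Write-Warning 'wlidsvc is disabled or missing; the Feature Updates policy cannot be applied.'
}
```

Because the Policy CSP tree only holds values that an MDM policy actually set, an empty MDM column next to a populated GPO column is itself the diagnosis: Intune never configured that setting, so nothing is there to win the conflict.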

Settings Using Group Policy

Update configuration in Group Policy is located at the path

Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update

Several special settings for Windows Update for Business are in the same-named subfolder.

Settings Using Intune Configuration Profile

A large number of items (76 at the time of writing) can be configured using the Settings catalog in the Windows Update for Business category. Not every Group Policy setting has an equivalent there, however. The settings are described at Policy CSP - Update.

Migration

Migrating from a local solution to Intune means a new creation and probably some changes. It's good to put together the current update process (if we have it documented, verify the settings). From Group Policy, we can get information about the settings that we can verify on the client to see what values are configured. If we use Configuration Manager, the deployment of updates is managed within it.

Based on the capabilities of Update Rings, we'll prepare a new plan. It's good to start from the original, but we can also make significant changes. We can adjust some special settings using the configuration profile.


Comments
  1. [1] Michal Hýža

    Great article, thanks :)

    Tuesday, 23.01.2024 14:24
  2. [2] Aladar

    Thank you too. I am coming back to this topic after more than 10 years, and thanks to this article I have gained a pretty fundamental overview.

    Friday, 17.05.2024 00:15