In this post I will discuss how to deploy updates using Intune. Intune, as a modern device management platform, can deploy Windows quality updates and feature updates and so ensure that the latest updates are installed on Windows 10 / Windows 11 devices. Update rings in the Intune portal deploy the updates with deferral policies, i.e. they defer / delay the updates based upon specific needs.
What is an Update Ring
The Update ring feature in Intune allows us to control when patches are made available and to control the user experience. We can set when the patches become available after release. We can also define a deadline after which the updates are installed forcefully. Apart from that, a grace period can be used to control the restart behaviour once the deadline has passed: users receive a notification about the pending restart and can take action, and if they do not, the device restarts based upon the setting we have specified.
An Update ring also gives the ability to allow / block Microsoft product updates and Windows drivers. There are heaps of settings available for controlling the automatic update behaviour.
Creating a Windows Update ring means creating Windows Update for Business (WUfB) deferral policies. This policy deploys the latest updates to the device; it doesn't allow you to select a specific patch, unlike Windows Server Update Services (WSUS) or SCCM configured with a Software Update Point (SUP) using WSUS.
This is a modern approach to installing updates on the device: the updates are always the most recent and none are missed. This is what modern device management calls for, keeping devices on the latest critical / quality updates and so reducing the device's exposure to known vulnerabilities.
The basics of installing the updates remain the same. Once a patch is offered and ready to install, the Windows Update agent kicks in and performs the installation.
Different methods to deploy Windows Update for Business policies
WUfB policies can be deployed in different ways:
- Through Intune, using the Update rings for Windows 10 and later feature
- Through Group Policy
- Through Configuration Manager / SCCM
This post is focused on deploying updates through Intune only.
Benefits of Windows Update for Business deferral policies
To be precise, the following are the benefits of using WUfB deferral policies:
- Devices can be patched with the following update types:
  - Feature updates
  - Quality updates
  - Driver updates
  - Microsoft product updates
- Offering: You can control the offering, i.e. when the updates are made available to the device.
- Defer updates: You can defer the updates for up to a specific number of days. This applies to both quality updates and feature updates.
- Upgrade to Windows 11: You can also upgrade the device to the latest Windows 11 release.
- Pause update ring: You can pause the update ring, and control this separately for quality updates and feature updates. Once paused, it stays paused for 35 days, with the option to resume or extend. This helps in scenarios where patches have caused an issue and you need to stop them as early as possible.
- Uninstall updates: The update ring also allows patches to be uninstalled from devices where they are installed, which can be useful to revert to the previous state.
- Control user experience: An update ring is not about selecting a patch but about the user experience and how the patch is installed, along with a few notifications. You can control the deadline to install the update and the grace period for the restart, giving ample time, and the toast notifications sent by the Intune policies let users take action in time; otherwise the device will automatically install and restart based upon the date / time notified to the user.
Create Update Ring for Windows 10 and later
Under the Basics page, provide the name “Windows 10” and click Next.
Under Update ring settings you will see multiple sections that control update installation and the experience behaviour, such as:
- Update settings
- User experience settings
Under Update settings specify:
- Microsoft product updates: Allow
Once allowed, Microsoft product updates will be applied in addition to Windows updates.
- Windows drivers: Allow
This controls whether Windows drivers are deployed or not.
- Quality update deferral period (days): 3
Valid range is between 0 and 30
- Feature update deferral period (days): 180
Valid range is between 0 and 365
- Upgrade Windows 10 devices to Latest Windows 11 release: No
Select “Yes” only when you are ready to upgrade to Windows 11; consider licensing as well.
- Set feature update uninstall period (2-60 days): 30
Specify for how many days the uninstall folder should stay; it can be used to revert to the previous operating system.
- Enable pre-release builds: Not Configured
- Select pre-release Channel: Not selected
Under User experience settings specify:
- Automatic update behavior: Auto install at maintenance time
- Active hours start: 8 AM
- Active hours end: 5 PM
- Restart Checks: Allow
- Option to pause Windows updates: Enable
- Option to check for Windows updates: Enable
- Change notification update level: Use the default Windows Update notifications
- Use deadline settings: Allow
- Deadline for feature updates: 3
Valid range is between 2 and 30
- Deadline for quality updates: 3
Valid range is between 2 and 30
- Grace period: 2
Valid range is between 0 and 7
- Auto reboot before deadline: No
For a detailed explanation, check how to control Windows Update restart behaviour using Intune.
Under the Scope tags page, click Next.
Under the Assignments page, add the group and click Next.
Under the Review + create page, verify the settings and click Create.
Verify the Windows Update for Business policy on a Windows 10 device
Log in to the targeted Windows 10 device. Once the sync has completed, the Windows Update policy is applied via Intune.
Click the Start menu and go to Update & Security. We can see the message “Some settings are managed by your organization”; let's check that. Click on View configured update policies.
Under Policies set on your device, we can see the Intune policies being applied, with the source showing as Mobile Device Management.
The registry keys applied via the Intune MDM authority are saved under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update
Once the WUfB policy is applied, Windows updates will be installed and you will get the notification “Your organization requires your device to restart in x days”.
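To confirm the ring was applied as intended without clicking through Settings, here is an added PowerShell check (not part of the original post) that reads the PolicyManager registry location mentioned above and compares it against the values configured earlier in this post. The value names are the Update CSP policy names that I assume Intune writes for these settings, and the expected numbers are taken from the ring configured above.

```powershell
# Added example: verify the WUfB (Update ring) values Intune wrote on the device.
# Run in an elevated PowerShell session on the targeted Windows 10/11 device.
# The registry path is the one shown in the post; the value names are the
# Update CSP policy names that the Intune settings map to (assumed mapping).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Expected values, taken from the Update ring configured earlier in this post.
$expected = @{
    DeferQualityUpdatesPeriodInDays    = 3     # Quality update deferral (days)
    DeferFeatureUpdatesPeriodInDays    = 180   # Feature update deferral (days)
    ConfigureDeadlineForQualityUpdates = 3     # Deadline for quality updates
    ConfigureDeadlineForFeatureUpdates = 3     # Deadline for feature updates
    ConfigureDeadlineGracePeriod       = 2     # Grace period (days)
    ConfigureDeadlineNoAutoReboot      = 0     # Auto reboot before deadline: No
    ActiveHoursStart                   = 8     # Active hours start: 8 AM
    ActiveHoursEnd                     = 17    # Active hours end: 5 PM
    ExcludeWUDriversInQualityUpdate    = 0     # Windows drivers: Allow
    AllowMUUpdateService               = 1     # Microsoft product updates: Allow
}

if (-not (Test-Path $policyPath)) {
    Write-Warning "Policy key not found: the device has not received the Update ring yet (sync and retry)."
    return
}

$applied = Get-ItemProperty -Path $policyPath
$results = foreach ($name in ($expected.Keys | Sort-Object)) {
    $actual = $applied.$name
    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $shown
        Match    = ($actual -eq $expected[$name])
    }
}
$results | Format-Table -AutoSize

# A row with Match = False means the ring was not applied as configured, or another
# policy source (e.g. Group Policy) is winning; investigate before relying on the deadline.
if ($results.Match -contains $false) {
    Write-Warning "One or more Update ring values differ from the expected configuration."
}
```

Adjust the `$expected` table if your ring uses different deferral, deadline or active-hours values; the check is only as good as the numbers you put in it.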