Enhancing Your IT Infrastructure with Microsoft Intune #Episode 10
Richard Rex J
Senior Associate/Consultant at PwC | Ex- IBM, Kyndryl and Accenture | EUC | SCCM & Intune Expert | Windows Autopilot | Application Packaging | PowerShell Automation | Endpoint Security | Driving IT Efficiency & Security
Topic Covered: Windows Update for Business using Microsoft Intune and Types
Hello LinkedIn Audience, I hope everything is okay with you. This post will go over the Windows update for business service offering and its various types.
What is Windows update for Business and why it is important?
By directly connecting the Windows systems to the Windows Update service, IT administrators can maintain the Windows client devices in their organization up to date with the newest security defenses and Windows features.
You can customize the Windows Update for Business settings that regulate how and when devices are updated using Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune.
What are the types of updates managed via WUfB?
You can primarily manage four types of updates from Microsoft Intune
These updates can be deployed for Windows 10 and Later device from Microsoft Intune Admin Center.
Login to Microsoft Intune Admin Center -> Devices -> Windows -> Windows Policies.
Here you can see the following Update policies for the Windows devices.
Note:
Though the Update rings policy can deploy all kinds of updates for your end user devices, you can’t have the granular control like other three updates policies can offer.
Now, let’s talk about each polices in detail.
📢 Update Rings for Windows 10 and Later:
Update rings are like the central configuration section, and it has capabilities to configure the following Updates:
You might ask, if this is the central configuration section, why do I need other update policies? I hear you! Hold your horses 😜
As mentioned above the Update ring section is meant to provide defer period for the Quality and Feature Updates. By configuring this you have the control on when to deploy the update.
Below is the screenshot on how the settings look like. Let’s decode each setting, shall we?
But please note that, these configurations should be designed based on your or Your client’s requirements.
✔ Updates Settings:
🛠 Microsoft Product Updates
Default Configuration: Allow
Allow – This will scan the Microsoft application updates and will deploy the patches for the devices from Microsoft Update.
Block - If you wish not to scan for Microsoft application updates feel free to select block.
🛠 Windows Drivers
Default Configuration: Allow
Allow – This will scan the Drivers of the device and will deploy the updates for the devices from Microsoft Update.
Block - Prevents the scan for drivers.
🛠 Quality Updates deferral Period (Days)
Default Configuration: 0 Days
You can Defer Quality Updates for a number of days ranging from 0 to 30 days. This term is in addition to any deferral period included in the service channel you choose. When Microsoft releases the update, the deferral period begins.
I've set 5 as the deferral period here. That being said, I'm deferring Microsoft's updates from being sent to end-user devices for 5 days, and the updates will be deployed after 5 days of the initial Microsoft release.
Quality Updates often include fixes and enhancements to existing Windows functionality.
🛠 Feature Updates deferral Period (Days)
Default Configuration: 0 Days
You can Defer Feature Updates for the specified number of days ranging from 0 to 365 days. This term is in addition to any deferral period included in the service channel you choose. When Microsoft releases the update, the deferral period begins.
I've set 90 days as the deferral time here. That being said, I'm deferring Microsoft's updates from being sent to end-user devices for 90 days, and the updates will be applied after 5 days following the initial Microsoft release.
This will only be relevant to devices with Windows editions 1709 and higher.
Microsoft normally releases feature updates once a year to update your device with new features.
🛠 Upgrade Windows 10 device to latest Windows 11 release
Default Configuration: No
If you set this option to Yes, it will deploy the Windows 11 Upgrade package to Windows 10 devices and convert them to the most recent release of Windows 11.
🛠 Set feature update uninstall period (2 - 60 days)
Default Configuration: 10 Days
This is the setting that allows you to specify a time period in days after which the feature update cannot be uninstalled.
Assume you've set this option to 20 days and assigned this update ring to a group of test users. The updates were successfully implemented, and the test users did not report any issues for the next 20 days.
After 30 days, customers claim that they are experiencing troubles with their gadget. However, because you set the removal period to 20 days and it has passed, you cannot uninstall or revert to the prior build. Why? When you install the new feature update, it will create a folder named Window.old in your C drive, which contains your previous build data.
According to the setup, this folder will be deleted from the device after 20 days. As a result, before proceeding, you must ensure that all stakeholders are fully informed.
🛠 Enable pre-release builds:
Default Configuration: Not configured.
If you do not configure this parameter, your update channel will be Retail Channel by default.
If you enable this option, your update channel will be Windows Insider - Release Preview by default.
Devices that have this option enabled will reboot and move to the pre-release build that you specify.
To know more about these channels, I have provided you the Microsoft links.
✔ User Experience Settings
🛠 Automatic Update Behavior
Default Configuration: Auto install at maintenance time.
We have six configurations here and let’s go one by one. But before Explaining these options I’d like to explain other settings so that we can co-relate them with the configurations.
🛠 Active Hours Start
Default Configuration: 8 AM
Specify a start time for suppressing restarts due to update installations.
🛠 Active Hours End
Default Configuration: 5PM
Specify an end time for suppressing reboots due to update installations.
🛠 Restart checks (EDU Restart)
Default Configuration: Allow
o Battery capacity = 40%
o is the user being online.
o is the device in Presentation mode, Full screen mode.
o is the device in Phone call state or in Game mode.
🛠 Option to pause Windows updates:
Default Configuration: Enable
Enable - Allow device users to pause the installation of an update for a certain number of days.
Disable - Prevent device users from pausing the installation of an update.
But as a best practice, we’ll disable this option so that we will have granular control over the updates.
🛠 Option to check for Windows updates.
Default Configuration: Enable
Enable - Allow device users to use Windows Update scan to find updates.
Disable - Prevent device users from accessing the Windows Update scan.
🛠 Change notification Update level.
Recommended by LinkedIn
Default Configuration: Use the default Windows Update notifications.
This specifies what level of windows update notifications user see. This doesn’t affect how the updates are downloaded and installed.
These are the settings that are available:
When set to Allow, you can configure the following settings for deadlines:
🛠 Deadline for feature updates and Quality Updates
Default Configuration: Not configured:
You can give the deadline for 0 to 30 days.
The deadline behavior is nothing more than when you deploy updates to the machine, it will wait for the number of days specified. For example, if you set the deadline to two days, the device will wait for two days based on the Automatic update behavior and then restart the device after two days at maintenance time.
🛠 Grace Period
Default Configuration: Not configured.
You can configure the Grace period from 0 to 7 Days. Grace period is nothing more than extending the deadline period. Let’s say you have configured the deadline period of 2 days and Grace period of 3 days; the configuration will pause the restart of the device for the total of 5 days and will restart the device automatically after maintenance period.
🛠 Auto reboot before deadline
Default Configuration: Yes
Specifies whether the device should auto reboot before deadline.
These are all the configuration you can do, now let's circle back to the Automatic restart behavior settings.
🛠 Notify Download
When the updates are deployed to the users this setting will notify the end users. The end users should choose to download and install the updates. It’s like you are deploying the Patches nu making it available to your end users from SCCM.
But what if my end users never bother to install the updates?
In this situation, enabling the deadline settings will be our life saver. But remember If the user does nothing, the update will not be installed until the deadline you set is met.
🛠 Auto install at maintenance time
The updates will be downloaded and installed automatically during Automatic Maintenance when the device isn’t in use or running on battery power.
When the restart is required, the users are prompted to restart for up to seven days and then restart is forced by default if no deadline behavior is configured.
To furthermore control the restart in this case we can configure the Active hours start and end to suppress the reboot during the work hours.
🛠 Auto install and restart at maintenance time
When the device is not in use or on battery power, updates are downloaded automatically and installed during Automatic Maintenance. When a restart is required, the device restarts when it is not in use, as is the case with unmanaged devices.
This option can restart a device automatically after the update installs without specifying the deadline. The Active hours parameters are not described in Windows Update settings, but they are used by Intune to specify a time period during which automatic restarts are disabled.
🛠 Auto install and restart at scheduled time
Set a day and time for installation. If no time is given, installation occurs every day at 3 a.m., followed by a 15-minute countdown to restart. Users who are logged in can pause and restart the countdown.
When set to Auto install and restart at scheduled time, you can configure the following settings:
o Automatic behavior frequency - Use this setting to schedule when updates are installed, including the week, the day, and the time. Default: Every week
o Scheduled install day - Specify on which day of the week you want updates to install. Default: Any Day
o Scheduled install time - Specify the time of day when you want updates to install. Default: 3 AM
Note: Because of power policies, user absence, and other factors, the device may not complete the installation within the provided time frame. In this scenario, it will not attempt installation again until the given time or a deadline you specify is reached.
🛠 Auto install and reboot without end-user control
When the device is not in use or on battery power, updates are downloaded automatically and installed during Automatic Maintenance. When a restart is required, the device restarts even when it is not in use. This option makes the control pane for the end user read-only.
🛠 Reset to default.
When you reset to default, Windows will automatically determine the device's active hours. Using the active hours, Windows determines the optimum time to apply updates and restarts the system after the updates have been installed. Typically, 8 AM to 5 PM will be set.
These are all the configurations you can play with and based on the stack holder's requirement you can configure multiple rings like this say for example one for Test users, one for Production deployment.
📢 Feature Updates for Windows 10 and Later
This policy is only intended for the deployment of feature updates for Windows 10/11. The following advantages come with the use of this policy:
o Make update available as soon as possible – Self explanatory.
o Make update available on a specific date – you can specify the date of when the update needs to be deployed.
o Make update available gradually.
This allows you to choose a date for first and final group availability, as well as the days between groups. Depending on the days chosen and the days between group settings, targeted devices are divided into multiple groups. This setting allows you to gradually install feature updates on various groups by leaving a gap between installations.
🛠 Difference between the update ring and Feature Update policy
As you can see, the feature update policy has certain advantages. This option is not available in Update ring policy. The update ring does not have the ability to regulate the availability of updates on a given day, nor does it have a progressive rollout option.
The update ring cannot also lock the feature update to a specific version. Devices will be updated to the most recent release based on the deferral period.
Note: You can use the Feature update policy with Update Ring. Make sure to provide the deferral period of 0 days in the Update ring policy to avoid the interference.
🛠 Pre-requisites for Feature Update
📢 Quality Updates for Windows 10 and Later
This strategy is sometimes referred to as expedite updating. This policy's goal is to distribute out-of-band upgrades. This protocol should be followed when an organization needs to deploy an update on an urgent basis for a zero-day vulnerability.
When this policy is targeted, it ignores the update ring policy's deferral time and installs the most recent update that was selected with the policy.
When you establish this policy, you can choose one of the three most recent modifications. It also features a setting to reset the device, with a maximum value of two days. With this setting, we force the devices to become compliant as soon as possible.
Note that the quality update policy and the update ring policy can be used in tandem because each serves a distinct purpose. Quality update policy should not be utilized in place of update ring policy because it serves a specific purpose. We must continue to rely on update ring policy for user experience and other parameters.
🛠 Pre-requisites for Quality Update:
📢Driver updates for Windows 10 and later
Although driver updates can be deployed via the update ring, this functionality elevates the driver update experience.
This policy includes new features such as automatic driver update approval and manual driver update approval. When we create the drive update policy, we will see two options:
🛠 Manually approve and deploy driver updates:
Once the device transmits the inventory of required drivers, we have granular control over which drivers to give to the devices.
We can certainly choose one over the other, allowing us to deploy fewer drivers depending solely on our needs and preferences. This also allows us to choose when to deploy the update; we can choose a future date for driver installation to begin.
🛠 Automatically approve all recommended driver updates
This option automatically approves all recommended drivers and installs them on the devices without our intervention.
Be cautious when selecting this option; it can be a decent option for the POC or UAT phase of pilot testing but using it for all devices can cause problems because we never know how new drivers will perform.
It's a bummer that I don't have a device to show you right now so i searched google for the pictures and have inserted it in this article, this is what happens in the backend. Assign this to a Group, and once deployed, let Intune do its thing; depending on the number of devices in your infrastructure, this could take anywhere from 24 hours to a few days.
When the results are ready, the devices will start sending inventory back to the Intune. Under Driver updates for Windows 10 and later, we may see our policies defined along with Drivers to examine.
Under the Dell Drivers policy, you can see three drives to examine, and we can click on them to get more information.
We can see Driver name, Manufacturer, Driver class, and Release date under Recommended drivers. This view also displays relevant gadgets.
When we click on a specific update, we have the option to approve or deny it. Once approved, I have the option of selecting a date for this driver to be made available on the device. Driver will be given and installed on this precise day.
You may be asking why the other drivers list differs from the Recommended drivers list. This information is often provided by the seller, who specifies the driver's category. Usually, the most recently released drivers appear first in the list of other drivers.
Once this driver has been available for a few weeks/months, it may be moved to the recommended drivers list. This is my take on what might be going on in the backend.
There may be a few old drivers listed under Other drivers that the vendor did not consider making recommended drivers, but rather optional drivers to install.
Once deployed to the Group, you can extract the compliance data from intune by Navigating to
Reports > Windows updates > Reports > Windows Driver Update Report
Click on the driver you need to pull the data from and export it as CSV.
📢Conclusion:
That’s its folks, this is how you do your patch management using Microsoft Intune. Hope this information is useful. Will meet you again with new topic on Microsoft Intune. Until then stay tuned and happy learning 😊
IT Consultant - Client Management - Bechtle AG
11moCould you tell me if the search for updates button, if I'm not disabling it, bypass the deferral period?