With Intune you can manage Windows 10 updates using Windows Update for Business. This is a free service that is available for the Windows 10 Pro, Enterprise and Education editions (Enterprise LTSC is not supported). The service deploys updates automatically without the need to approve individual updates, which makes it easy to manage Windows 10 updates with Intune.
Intune offers two policy types to manage Windows 10 updates:
- Windows 10 update rings (version 1607 or later)
- Windows 10 feature updates (version 1709 or later)
Windows 10 update rings
Using “Windows 10 update rings” you configure the update settings and the user experience. For example, you configure the deferral period of updates, but also whether the devices will receive Microsoft product updates and Windows drivers. The user experience contains settings such as when devices are updated (update behaviour), but also what the user may control, for example pausing or checking for updates. You can configure multiple update rings for TAP purposes. There is also an option to pause update (feature and quality) deployment for up to 35 days.
Windows 10 feature updates (preview)
You can use “Windows 10 feature updates” to freeze the feature update that is deployed on devices within your organization to a specific version. This is a big difference from update rings, where you can only defer updates for a specific time from release. Another difference is that you only control feature updates, and the frozen feature version stays in effect for the duration of the policy (unlike pausing in update rings). You can configure multiple feature update configurations for TAP purposes.
Important: To use Windows 10 feature updates together with update rings you must set the feature update deferral period of the ring to 0 days. Otherwise the update ring overrules the Windows 10 feature updates policy.
Setup Update deployment
In this guide I will show how to set up update deployment with an update ring and lock the feature update. We start with the update ring to configure the update settings.
1. Go to “Devices” -> “Windows 10 update rings”. Select “+ Create profile” to set up a new update ring.
2. Enter a recognizable name for the update ring and press “Next”.
3. First we are going to configure the “Update Settings”:

| Setting | Description |
| --- | --- |
| Servicing channel | Microsoft advises using Semi-Annual Channel for broad deployment and Insider channels for testing. |
| Microsoft product updates | Allow or block scanning for app updates from Microsoft Update. |
| Windows drivers | Allow or block scanning for Windows Update drivers during updates. |
| Quality update deferral | The deferral time in days from release (Patch Tuesday, the second Tuesday of the month). |
| Feature update deferral | The deferral time in days from the release date. Enter 0 to use “Windows 10 feature updates” or to install feature updates on release. |
| Feature update uninstall | Configure a period after which feature updates can’t be uninstalled. After this period the previous update bits are removed from the device. |
4. Now we are going to configure the “User Experience Settings”. I want to make sure that updates are installed and that users do not have to respond in order to install updates.

| Setting | Description |
| --- | --- |
| Automatic update behavior | Configure the way updates are installed. |
| Active hours start | Configure the start of active hours (the end of the maintenance window). |
| Active hours end | Configure the end of active hours (the start of the maintenance window). |
| Restart checks | Check battery level, presentation mode and user presence before restarting the device. |
| Option to pause Windows updates | Allow users to pause feature and quality updates for 7 days. |
| Option to check for Windows updates | Allow users to check for updates; only updates that have reached their deferral time are offered. Don’t disable this while the automatic update behavior is set to notify before download (the user would not be able to download the update). |
| Require user approval to dismiss restart notification | Set to “No” to disable required user action before a restart. |
| Remind user prior to required auto-restart (dismissable) | Reminder that can be dismissed by the user. Advised setting: 4 hours. |
| Remind user prior to required auto-restart (permanent) | Permanent reminder that can’t be dismissed by the user. Advised setting: 15 minutes. |
| Change notification update level | Configure the notifications displayed to the user. Advised setting: turn off when using kiosk devices, otherwise use the default. |
| Use deadline settings | Enable to deploy updates within a specific time. |
| Deadline for feature updates | Number of days before a feature update is installed automatically. |
| Deadline for quality updates | Number of days before a quality update is installed automatically. |
| Grace period | Number of days after the deadline before a restart is performed automatically. (mau e |
| Auto reboot before deadline | Set to “Yes” and the device will try to restart outside active hours before the deadline. Set to “No” to ensure a user is available before the reboot. |
5. Set the scope tags for the policy and press “next”.
6. Assign the policy to a group of devices and press “Next”.
7. Press “Create” to create the update ring.
8. Go to “Devices” -> “Windows 10 feature updates”. Select “+ Create profile” to set up a new feature update profile.
9. Enter a name and select the feature update version you want to freeze.
10. Set the scope tags for the policy and press “next”.
11. Assign the policy to a group of devices and press “Next”.
12. Press “Create” to create the feature update profile.
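After the sync, you can verify on the device itself which Windows Update for Business settings the update ring delivered, and check the precondition from above (feature update deferral must be 0 days for the feature update profile to take effect). This is an added example, not a script from the original post; it assumes that MDM-delivered Update CSP values are written under the PolicyManager registry key below and that it runs in an elevated PowerShell on an enrolled device.

```powershell
# Added example (not part of the original post). Reads the Update CSP values that the
# Intune update ring pushed to this device and flags a feature update deferral > 0 days,
# which would overrule an assigned "Windows 10 feature updates" profile.
# Assumption: MDM-applied Update CSP settings are stored under this PolicyManager key.
$UpdateKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-WufbPolicy {
    param([string]$Path = $UpdateKey)
    if (-not (Test-Path $Path)) {
        throw "No Update CSP policy found at $Path - is the device enrolled and synced?"
    }
    $p = Get-ItemProperty -Path $Path
    # A missing value means "not configured"; [int]$null evaluates to 0 in PowerShell.
    [pscustomobject]@{
        BranchReadinessLevel = $p.BranchReadinessLevel
        QualityDeferralDays  = [int]$p.DeferQualityUpdatesPeriodInDays
        FeatureDeferralDays  = [int]$p.DeferFeatureUpdatesPeriodInDays
        PauseQualityUpdates  = [int]$p.PauseQualityUpdates
        PauseFeatureUpdates  = [int]$p.PauseFeatureUpdates
        QualityDeadlineDays  = $p.ConfigureDeadlineForQualityUpdates
        FeatureDeadlineDays  = $p.ConfigureDeadlineForFeatureUpdates
        DeadlineGraceDays    = $p.ConfigureDeadlineGracePeriod
        ActiveHours          = "$($p.ActiveHoursStart)-$($p.ActiveHoursEnd)"
    }
}

function Test-FeatureFreezeConflict {
    param([Parameter(Mandatory)]$Policy)
    # The feature update profile is overruled when the ring defers feature updates.
    if ($Policy.FeatureDeferralDays -gt 0) {
        return "Ring defers feature updates by $($Policy.FeatureDeferralDays) days; " +
               "set the feature update deferral to 0 if a feature update profile is assigned."
    }
    return $null
}

$policy = Get-WufbPolicy
$policy | Format-List
$warning = Test-FeatureFreezeConflict -Policy $policy
if ($warning) { Write-Warning $warning } else { Write-Host 'Feature update deferral is 0 days; a feature update profile will take effect.' }
```

The QualityDeferralDays value is also the setting to look at when a specific quality update does not show up on a device: an update released less than that many days ago is not yet offered.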
A great advantage of Intune is the ability to monitor the deployment status of updates and also the update status of a device. When you select the created update ring you can monitor the current status of the policy. “Device status” shows the deployment status of the policy per device.
“End user update status” shows the installed quality update and feature update version, as well as the update status, including whether there are any pending updates.
See this great Ignite video presented by Aria Carley and Dune Desormeaux for more information.
Please let me know how to force push out a single update using Microsoft Intune.
At the moment there is no built-in feature to do that using Microsoft Intune. But a new capability was announced at Ignite 2021 called “Expediting Quality Updates”. At this moment a PowerShell script is the only option. You can use the “PSWindowsUpdate” module to deploy a specific update using “Get-WindowsUpdate -KBArticleID KB****** -Install“. Before you use this option you will probably have to temporarily change the Quality update deferral period of the machine, otherwise you may not see the Windows update you want to deploy. Don’t forget to change this back to the original setting once the installation is completed. You can check if this is necessary by checking the list of available updates “