In this post, I would like to share how Windows 10 updates are configured in Microsoft Endpoint Manager (Intune). As an administrator, one of your tasks is to patch Windows machines regularly to keep them up to date. The patching interval depends on the organization: some need monthly patching (organizations highly focussed on security) and some patch quarterly. In a traditional environment, one of the most common services used for this task is SCCM, along with other products like Ivanti.
Organizations that have adopted Microsoft cloud technologies can use Endpoint Manager (Intune) to patch Windows machines. Patching through Intune is done by configuring Windows Update for Business policies. Before we go into the configuration, we need to understand quality updates and feature updates.
- Quality Updates: These are the monthly updates, which contain fixes and improvements for the existing Windows version. Unlike other products like SCCM, we cannot select individual KBs. Instead, it is a single cumulative patch consisting of the required fixes, security updates, and critical updates, which makes deployment easier
- Feature Updates: These bring new features to Windows, moving a device from one build to another
We will now see the steps involved in creating the profile for patching Windows 10 devices:
- Navigate to Microsoft Endpoint Manager admin centre -> Devices -> Windows -> Update rings for Windows 10 and later -> Create Profile
- Provide the basic details like Name and description and click on Next
- Below are the Update rings settings
  - Microsoft Product Updates: This setting is used to control app updates
  - Windows drivers: This is one of the interesting features. If it is set to Allow, it automatically downloads and updates the drivers based on the model. Unlike SCCM, where we must create driver packages, this can be done easily by setting it to Allow
  - Quality update deferral period (days): As we know, monthly patches are released on the second Tuesday of every month. Using this setting, we can defer them by the number of days specified here. For instance, if the patch is released on Tuesday and we would like to patch on Friday, we can set it to 3 days
  - Feature update deferral period (days): When Microsoft releases a new build, this setting defers the update of the devices by the number of days specified
  - Upgrade Windows 10 devices to Latest Windows 11 release: As the name suggests, when this is allowed, devices eligible for the upgrade will be upgraded to Windows 11
  - Set feature update uninstall period: This is helpful in case there are any issues with the feature update and you would like to uninstall it and roll back
  - Enable pre-release builds: Enable this if you want devices to be on a Windows Insider channel
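
To see what a quality update deferral value means on the calendar, the sketch below (an added example, not part of the original post or of any Microsoft tooling) computes Patch Tuesday for a month and the date each ring is first offered the update, and flags rings whose deferral runs past the next Patch Tuesday. The ring names are constructed, and the 0 to 30 day bound on quality update deferral is the limit assumed here.

```python
from datetime import date, timedelta

MAX_QUALITY_DEFERRAL_DAYS = 30  # assumed upper bound for quality update deferral
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday = 0, Tuesday = 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(year: int, month: int) -> date:
    """Return the Patch Tuesday of the following month."""
    if month == 12:
        return patch_tuesday(year + 1, 1)
    return patch_tuesday(year, month + 1)


def ring_schedule(year: int, month: int, rings: dict) -> dict:
    """Map each ring name to the date its devices are first offered the update."""
    release = patch_tuesday(year, month)
    following = next_patch_tuesday(year, month)
    schedule = {}
    for name, deferral in rings.items():
        if not 0 <= deferral <= MAX_QUALITY_DEFERRAL_DAYS:
            raise ValueError(f"{name}: deferral must be 0-{MAX_QUALITY_DEFERRAL_DAYS} days")
        offered = release + timedelta(days=deferral)
        schedule[name] = {
            "offered": offered,
            "weekday": WEEKDAYS[offered.weekday()],
            # True when the next cumulative update is already out before this
            # ring is even offered the current one.
            "overlaps_next_release": offered >= following,
        }
    return schedule


if __name__ == "__main__":
    rings = {"Pilot": 0, "Broad": 3, "Late": 30}  # constructed sample rings
    for name, info in ring_schedule(2024, 2, rings).items():
        print(name, info["offered"], info["weekday"], info["overlaps_next_release"])
```

The dates are when the update becomes available to a ring; the actual install and restart still depend on the user experience settings of the profile.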
So far, we have seen the update ring settings for Windows 10 & later. Next, we will see the User experience settings.
- You can configure the automatic update behaviour with the different options available, based on your organization's needs. For instance, you can configure the maintenance time, the restart schedule, etc.
- Additionally, users can check for and pause updates, if enabled
- You can also configure a deadline for the updates to be installed
Once these configurations are done, you can click on Next and assign the profile to groups, all users, or all devices. Finally, you can review the selection and create the profile for Update rings for Windows 10 & later.
Feature updates for Windows 10 and later (Preview): By configuring this, we can make the devices remain on a supported version. This helps keep all the devices on the same build, the one that is configured in the profile. You can learn more about the prerequisites, the limitations, and combining it with update rings here.
Quality updates for Windows 10 and later (Preview): Using this, we can expedite the installation of the most recent Windows 10/11 security updates on devices. In scenarios where devices need to be compliant as soon as possible, this policy can be used. For more information, kindly check here.
I hope this post helps you configure Windows updates using Microsoft Endpoint Manager (Intune).