Update like a boss with Intune in an Enterprise Environment

The purpose of the blog post is to inform you how to rollout updates in an enterprise environment with Intune. What is Windows update for Business, share my update strategy, how to configure that strategy in the Intune/Endpoint manager portal and how to assign these update rings, and what are the next steps after configuring the update rings.

Today’s world security is more important than ever and staying up to date plays a key role in keeping a secure environment. Windows Update for Business is a service that can be configure within Intune to make sure your updates are installed. Windows update for Business automatically deploys Windows updates, feature updates and driver updates to your devices without the need of manually approving the updates as in the past with WSUS.

Note. In this particular blog post, I’m only going to use Update Rings for Windows 10 and later.

Requirements:

  • Microsoft Intune license
  • Azure P1 license (required for dynamic user groups)
  • Windows 10 Professional, Enterprise or Education operating system
  • Intune MDM managed devices
  • Azure Dynamic Device/User groups
  • Azure Static Device/User groups

What is Windows For Business?

Windows Update for Business enables IT administrators, to keep the Windows client devices in their organization up to date with the latest security defenses and Windows features, by directly connecting these systems to the Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.

Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization because the Pilot users knows that they are pilot and they will be the first group that receive all the updates and features but that it can also cause problems. The non pilot users know that they only receive updates that are tested and do not cause any problems.

Let’s start by taking a look in the Intune Portal. I will open the Update for Business blade.

Intune Portal Update ring for Windows 10 and later

There are different types of updates. I will highlight two of the available update options:

  • Quality  updates
    Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
  • Feature updates (Windows 10 20H1/20H2/21H1)
    Previously referred to as “upgrades”, feature updates contain not only security and quality revisions but also significant feature additions and changes. Feature updates are released as soon as they become available.

Source: Link to official Microsoft Documentation about Windows Update for Business

Our Update Strategy

The most important thing for a successful side story is to come up with a good strategy. An enterprise environment will have a different strategy than an environment with 10 devices.

For an Enterprise environment, I always use the following strategy as a baseline and finetune it on the customer’s requirements. I use this strategy for the following reasons

  • Updates will be installed within two weeks
  • Updates are tested before starting rollout to the end-users
  • When an update causes a problem then the update ring can become paused
  • Minimum business impact
  • Set and forget thought because the Azure Dynamic Device/User Groups
  • It is a scalable solution

Update Strategy:

  • Grace period between the different rings;
  • Update channel;
  • 5 Update rings;
    • Test, a few IT people only
    • Pilot, Few people of different departments and levels, so the pilot represent the entire enterprise environment
    • 3 Production rings
Rings
Intune Portal Overview Update Rings

Creating Windows 10 update Rings

Update settings

Setting nameTestPilotProduction 1Production 2Production 3
Microsoft product updatesAllowAllowAllowAllowAllow
Windows driversAllowAllowAllowAllowAllow
Quality update deferral period (days)035710
Feature update deferral period (days)035710
Upgrade Windows 10 devices to Latest Windows 11 releaseNoNoNoNoNo
Set feature update uninstall period (2 – 60 days)3030303030
Enable pre-release builds
Not ConfiguredNot ConfiguredNot ConfiguredNot ConfiguredNot Configured

User Experience settings

Setting nameTestPilotProduction 1Production 2Production 3
Automatic update behavior Auto install at maintenance timeAuto install at maintenance timeAuto install at maintenance timeAuto install at maintenance timeAuto install at maintenance time
Active hours start8 AM8 AM8 AM8 AM8 AM
Active hours end5 PM5 PM5 PM5 PM5 PM
Restart checksAllowAllowAllowAllowAllow
Option to pause Windows updatesDisableDisableDisableDisableDisable
Option to check for Windows updatesEnableEnableEnableEnableEnable
Change notification update levelUse the default Windows Update notificationsUse the default Windows Update notificationsUse the default Windows Update notificationsUse the default Windows Update notificationsUse the default Windows Update notifications

Deadline settings

Setting nameTestPilotProduction 1Production 2Production 3
Use deadline settingsAllowAllowAllowAllowAllow
Deadline for feature updates22222
Deadline for quality updates22222
Grace period11111
Auto reboot before deadlineyesyesyesyesyes

Results:

Update Ring Pilot

Assignment Windows 10 Update ring to a group

After the creation of the update rings, I have to assign the update ring to a group otherwise they will not be applied to any device or user. For users/devices that are part of the test and pilot, I usually use static groups.

For the test group I normally use the IT Admin devices or the IT admins, so they can test the update before it will be applied to the pilot users. For the pilot group, you could (in my opinion, you need to) include users or devices from other departments. For the other (production) devices/users, I will use automatically populated device/user groups.

Check out this blog post on how these automatically populated groups are built up.

Note. When you decide to assign the update rings to a device group, the end user have to login twice during an AutoPilot Enrollement. Because of having the update ring assigned to a Device group, will results that the device go trough the update checks during the enrollment, and if any update requires a reboot, then you will be prompted for a second login due the the user credentials being revoked when the device reboots, when the enrollment resumes you are prompt to Authenticate again to connect back to Azure/ Intune to continue the remaining steps of the enrollment.

End-user experience

That’s all, the update rings are configured and assigned to the device groups. Let’s check the end-user Experience on a Windows 10 device.

Windows Settings -> Update & Security -> Windows update

Windows 10 managed updates

Windows Settings -> Update & Security -> Windows update -> View configured update policies

Windows 10 Configured update settings

Deadline notification pop-up

Windows 10 update Deadline notification

Next steps

More information

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.