Update like a boss with Intune in an Enterprise Environment

This blog post explains how to roll out updates in an enterprise environment with Intune: what Windows Update for Business is, the update strategy I use, how to configure that strategy in the Intune/Endpoint Manager portal, how to assign the resulting update rings, and what the next steps are once the update rings are configured.

In today’s world security is more important than ever, and staying up to date plays a key role in keeping an environment secure. Windows Update for Business is a service that can be configured within Intune to make sure your updates are installed. It automatically deploys Windows quality updates, feature updates and driver updates to your devices without the manual approval of each update that WSUS required in the past.

Note: In this particular blog post, I’m only going to use Update Rings for Windows 10 and later.

Requirements:

  • Microsoft Intune license
  • Azure P1 license (required for dynamic user groups)
  • Windows 10 Professional, Enterprise or Education operating system
  • Intune MDM managed devices
  • Azure Dynamic Device/User groups
  • Azure Static Device/User groups

What is Windows Update for Business?

Windows Update for Business enables IT administrators to keep the Windows client devices in their organization up to date with the latest security defenses and Windows features by connecting these systems directly to the Windows Update service. You can use Group Policy or a Mobile Device Management (MDM) solution such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.

Specifically, Windows Update for Business lets you control update offerings and experiences so that reliability and performance can be tested on a subset of devices before updates are deployed across the organization. It also provides a positive update experience for people in your organization: the pilot users know that they are pilots, that they will be the first group to receive all updates and features, and that this can occasionally cause problems. The non-pilot users know that they only receive updates that have been tested and do not cause problems.

Let’s start by taking a look in the Intune portal. I will open the Update for Business blade.

Intune Portal Update ring for Windows 10 and later

There are different types of updates. I will highlight two of the available update options:

  • Quality updates
    Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
  • Feature updates (Windows 10 20H1/20H2/21H1)
    Previously referred to as “upgrades”, feature updates contain not only security and quality revisions but also significant feature additions and changes. Feature updates are released as soon as they become available.

Source: Link to official Microsoft Documentation about Windows Update for Business

Our Update Strategy

The most important thing for a successful rollout is to come up with a good strategy. An enterprise environment will need a different strategy than an environment with 10 devices.

For an enterprise environment, I always use the following strategy as a baseline and fine-tune it to the customer’s requirements. I use this strategy for the following reasons:

  • Updates are installed within two weeks
  • Updates are tested before the rollout to the end users starts
  • When an update causes a problem, the affected update ring can be paused
  • Minimal business impact
  • Set and forget, thanks to the Azure dynamic device/user groups
  • It is a scalable solution

Update strategy:

  • Grace period between the different rings;
  • Update channel;
  • 5 update rings:
    • Test: a few IT people only
    • Pilot: a few people from different departments and levels, so the pilot represents the entire enterprise environment
    • 3 production rings

Intune Portal Overview Update Rings
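To see what the staggered rings actually mean on the calendar, here is an added PowerShell example (not from the original post) that models the rollout timeline produced by the per-ring deferral periods, the deadline and the grace period from the tables in the next section. It assumes, as the model's simplification, that the deadline counts from the day the update is offered to the ring and that the grace period starts when the deadline passes; the release date is a constructed sample (the second Tuesday of July 2021).

```powershell
# Added example: rollout timeline for the five update rings.
# Ring names and day counts are the post's; the release date is a constructed sample.

function Get-UpdateRingTimeline {
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [int]$DeadlineDays = 2,   # "Deadline for quality/feature updates"
        [int]$GraceDays    = 1    # "Grace period"
    )
    # Deferral period (days) per ring, as in the Update settings table.
    $rings = [ordered]@{
        'Test'         = 0
        'Pilot'        = 3
        'Production 1' = 5
        'Production 2' = 7
        'Production 3' = 10
    }
    foreach ($name in $rings.Keys) {
        $deferral = $rings[$name]
        $offered  = $ReleaseDate.AddDays($deferral)
        # Assumption of the model: the deadline counts from the day the update is
        # offered, and the grace period delays the forced restart past the deadline.
        $deadline = $offered.AddDays($DeadlineDays)
        $forced   = $deadline.AddDays($GraceDays)
        [pscustomobject]@{
            Ring             = $name
            DeferralDays     = $deferral
            OfferedOn        = $offered.ToString('yyyy-MM-dd')
            DeadlineOn       = $deadline.ToString('yyyy-MM-dd')
            ForcedRestartBy  = $forced.ToString('yyyy-MM-dd')
            DaysAfterRelease = ($forced - $ReleaseDate).Days
        }
    }
}

$patchTuesday = Get-Date -Year 2021 -Month 7 -Day 13   # constructed sample release date
$timeline = Get-UpdateRingTimeline -ReleaseDate $patchTuesday
$timeline | Format-Table -AutoSize

# Check the "installed within two weeks" goal against the slowest ring.
$slowest = ($timeline | Measure-Object -Property DaysAfterRelease -Maximum).Maximum
if ($slowest -le 14) {
    "Every ring has forced installation within $slowest days of release: inside the two-week target."
} else {
    "The slowest ring overruns the two-week target ($slowest days)."
}
```

With the post's values, Production 3 ends up at 10 + 2 + 1 = 13 days after release, which is where the "within two weeks" claim comes from; lengthening any deferral or grace period pushes that number over 14, so run the model again whenever you fine-tune the ring values for a customer.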

Creating Windows 10 update rings

Update settings

Setting name | Test | Pilot | Production 1 | Production 2 | Production 3
Microsoft product updates | Allow | Allow | Allow | Allow | Allow
Windows drivers | Allow | Allow | Allow | Allow | Allow
Quality update deferral period (days) | 0 | 3 | 5 | 7 | 10
Feature update deferral period (days) | 0 | 3 | 5 | 7 | 10
Upgrade Windows 10 devices to latest Windows 11 release | No | No | No | No | No
Set feature update uninstall period (2 – 60 days) | 30 | 30 | 30 | 30 | 30
Enable pre-release builds | Not Configured | Not Configured | Not Configured | Not Configured | Not Configured

User Experience settings

Setting name | Test | Pilot | Production 1 | Production 2 | Production 3
Automatic update behavior | Auto install at maintenance time | Auto install at maintenance time | Auto install at maintenance time | Auto install at maintenance time | Auto install at maintenance time
Active hours start | 8 AM | 8 AM | 8 AM | 8 AM | 8 AM
Active hours end | 5 PM | 5 PM | 5 PM | 5 PM | 5 PM
Restart checks | Allow | Allow | Allow | Allow | Allow
Option to pause Windows updates | Disable | Disable | Disable | Disable | Disable
Option to check for Windows updates | Enable | Enable | Enable | Enable | Enable
Change notification update level | Use the default Windows Update notifications | Use the default Windows Update notifications | Use the default Windows Update notifications | Use the default Windows Update notifications | Use the default Windows Update notifications

Deadline settings

Setting name | Test | Pilot | Production 1 | Production 2 | Production 3
Use deadline settings | Allow | Allow | Allow | Allow | Allow
Deadline for feature updates | 2 | 2 | 2 | 2 | 2
Deadline for quality updates | 2 | 2 | 2 | 2 | 2
Grace period | 1 | 1 | 1 | 1 | 1
Auto reboot before deadline | Yes | Yes | Yes | Yes | Yes
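Clicking the same settings through the portal five times is error-prone, so here is an added PowerShell example (not from the original post) that creates the five rings from the three tables above through Microsoft Graph with the Microsoft.Graph PowerShell SDK. The property names are those of the beta windowsUpdateForBusinessConfiguration resource as I know them; verify them against the current Graph reference before running this in a tenant. The ring display names are my own choice, and assigning the rings to groups is a separate step that this script does not perform.

```powershell
# Added example: create the five update rings via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK and an account that can manage
# device configurations. Property names follow the beta
# windowsUpdateForBusinessConfiguration resource (assumption: verify before use).

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Ring name -> deferral period (days). The only setting that differs per ring.
$rings = [ordered]@{
    'Test'         = 0
    'Pilot'        = 3
    'Production 1' = 5
    'Production 2' = 7
    'Production 3' = 10
}

foreach ($name in $rings.Keys) {
    $deferral = $rings[$name]
    $body = @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = "Update ring - $name"              # naming is my own choice
        description                        = "Deferral $deferral days, deadline 2 days, grace period 1 day"
        # Update settings
        microsoftUpdateServiceAllowed      = $true          # Microsoft product updates: Allow
        driversExcluded                    = $false         # Windows drivers: Allow
        qualityUpdatesDeferralPeriodInDays = $deferral
        featureUpdatesDeferralPeriodInDays = $deferral
        allowWindows11Upgrade              = $false         # Upgrade to Windows 11: No
        featureUpdatesRollbackWindowInDays = 30             # feature update uninstall period
        businessReadyUpdatesOnly           = 'userDefined'  # pre-release builds: Not configured
        # User experience settings
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        installationSchedule               = @{
            '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
            activeHoursStart = '08:00:00'                   # 8 AM
            activeHoursEnd   = '17:00:00'                   # 5 PM
        }
        skipChecksBeforeRestart            = $false         # Restart checks: Allow
        userPauseAccess                    = 'disabled'     # Option to pause updates: Disable
        userWindowsUpdateScanAccess        = 'enabled'      # Option to check for updates: Enable
        updateNotificationLevel            = 'defaultNotifications'
        # Deadline settings
        deadlineForFeatureUpdatesInDays    = 2
        deadlineForQualityUpdatesInDays    = 2
        deadlineGracePeriodInDays          = 1
        postponeRebootUntilAfterDeadline   = $false         # Auto reboot before deadline: Yes
    }

    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    "Created '{0}' with id {1}" -f $created.displayName, $created.id
}
```

Keeping the shared settings in one hashtable and varying only the deferral value is the point: the five rings are meant to differ in timing only, and any other difference between them is a configuration drift you want to notice in review rather than discover on a production device.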

Results:

Update Ring Pilot

Assigning the Windows 10 update rings to groups

After creating the update rings, I have to assign each update ring to a group; otherwise they will not be applied to any device or user. For the users/devices that are part of the test and pilot rings, I usually use static groups.

For the test group I normally use the IT admin devices or the IT admins themselves, so they can test the update before it is applied to the pilot users. For the pilot group, you could (in my opinion, you need to) include users or devices from other departments. For the other (production) devices/users, I use automatically populated device/user groups.

Check out this blog post on how these automatically populated groups are built up.

Note: When you decide to assign the update rings to a device group, the end user has to log in twice during an Autopilot enrollment. Because the update ring is assigned to a device group, the device goes through the update checks during the enrollment. If any update requires a reboot, you will be prompted for a second login, because the user credentials are revoked when the device reboots; when the enrollment resumes you are prompted to authenticate again to reconnect to Azure/Intune and continue the remaining enrollment steps.
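The assignment step can be scripted as well. The following added PowerShell example (not from the original post) assigns each existing ring to one Azure AD group through the Graph assign action, which is what the portal does under Assignments. The ring display names match the naming I used when creating the rings, the group object IDs are placeholders you replace with your own static (Test, Pilot) and dynamic (production) groups, and the Microsoft.Graph PowerShell SDK is assumed to be installed.

```powershell
# Added example: assign the five update rings to their groups via Microsoft Graph.
# Group object IDs below are placeholders; replace them with your tenant's groups.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Ring display name -> group object ID.
# Static groups for Test and Pilot, automatically populated groups for production.
$assignments = [ordered]@{
    'Update ring - Test'         = '<object-id-of-static-IT-admin-group>'
    'Update ring - Pilot'        = '<object-id-of-static-pilot-group>'
    'Update ring - Production 1' = '<object-id-of-dynamic-production-1-group>'
    'Update ring - Production 2' = '<object-id-of-dynamic-production-2-group>'
    'Update ring - Production 3' = '<object-id-of-dynamic-production-3-group>'
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'

foreach ($ringName in $assignments.Keys) {
    # Look the ring up by display name and refuse to continue if it is missing
    # or exists twice, so a typo cannot silently assign the wrong configuration.
    $filter = [uri]::EscapeDataString("displayName eq '$ringName'")
    $found  = @((Invoke-MgGraphRequest -Method GET -Uri "${base}?`$filter=$filter").value)
    if ($found.Count -ne 1) {
        throw "Expected exactly one configuration named '$ringName', found $($found.Count)."
    }
    $ringId = $found[0].id

    $body = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $assignments[$ringName]
                }
            }
        )
    }
    # The assign action sets the ring's complete assignment list: every group
    # that should stay assigned has to be included in this call.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$ringId/assign" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

    "Assigned '$ringName' to group $($assignments[$ringName])"
}
```

Whether you point the target at a device group or a user group is the decision discussed above; the script does not care, but the Autopilot double-login behaviour described in the note only applies when the group contains devices.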

End-user experience

That’s all: the update rings are configured and assigned to the device groups. Let’s check the end-user experience on a Windows 10 device.

Windows Settings -> Update & Security -> Windows update

Windows 10 managed updates

Windows Settings -> Update & Security -> Windows update -> View configured update policies

Windows 10 Configured update settings
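Besides the "View configured update policies" page, the values that Intune delivered can be read on the device itself, which makes it possible to check from the client side that a device landed in the ring you expect. The following added PowerShell example (not from the original post) does that. It assumes, as is my understanding of how MDM policy is stored, that the Update CSP values land in the PolicyManager registry store under the Update area with the CSP node names; verify the key on your build, and run it in an elevated PowerShell on an Intune-managed device that has already synced.

```powershell
# Added example: compare the Windows Update policy a device received with the
# ring it is expected to be in. Registry location is an assumption (PolicyManager
# store, Update area, Update CSP node names); verify on your build.

function Get-WufbEffectivePolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    if (-not (Test-Path $key)) {
        throw "No MDM Update policy found at $key. Is the device Intune-managed and synced?"
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        QualityDeferralDays = $p.DeferQualityUpdatesPeriodInDays
        FeatureDeferralDays = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeadlineDays = $p.ConfigureDeadlineForQualityUpdates
        FeatureDeadlineDays = $p.ConfigureDeadlineForFeatureUpdates
        GracePeriodDays     = $p.ConfigureDeadlineGracePeriod
        ActiveHoursStart    = $p.ActiveHoursStart
        ActiveHoursEnd      = $p.ActiveHoursEnd
        PauseUxDisabled     = $p.SetDisablePauseUXAccess
    }
}

function Test-WufbRing {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Test', 'Pilot', 'Production 1', 'Production 2', 'Production 3')]
        [string]$ExpectedRing
    )
    # Deferral per ring from the Update settings table; the rest is identical for every ring.
    $deferral = @{ 'Test' = 0; 'Pilot' = 3; 'Production 1' = 5; 'Production 2' = 7; 'Production 3' = 10 }
    $expected = [ordered]@{
        QualityDeferralDays = $deferral[$ExpectedRing]
        FeatureDeferralDays = $deferral[$ExpectedRing]
        QualityDeadlineDays = 2
        FeatureDeadlineDays = 2
        GracePeriodDays     = 1
        ActiveHoursStart    = 8    # 8 AM
        ActiveHoursEnd      = 17   # 5 PM
        PauseUxDisabled     = 1    # "Option to pause Windows updates: Disable"
    }

    $actual = Get-WufbEffectivePolicy
    # A value that is missing on the device (null) counts as a mismatch too:
    # it means the ring was never applied, not that the default happens to match.
    $mismatches = foreach ($setting in $expected.Keys) {
        if ($actual.$setting -ne $expected[$setting]) {
            [pscustomobject]@{ Setting = $setting; Expected = $expected[$setting]; Actual = $actual.$setting }
        }
    }

    if ($mismatches) {
        Write-Warning "Device does not match ring '$ExpectedRing':"
        $mismatches | Format-Table -AutoSize
    } else {
        "Device matches ring '$ExpectedRing'."
    }
}

Test-WufbRing -ExpectedRing 'Production 1'
```

The most common surprise this catches is a device that is a member of two groups with different rings assigned: the policy values then belong to whichever ring won, and the deferral you read back is the quickest way to tell which one that was.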

Deadline notification pop-up

Windows 10 update Deadline notification

Next steps

More information

24 replies
  Brandon Cleland says:

    Is there an easy way to report on this through Intune? I’ve been reading about Workbooks, but we have managers interested in success/failure rates.

    René Laas says:

      Hi Brandon, there are some built-in reports available within Intune. You can find those reports in the Devices blade under Monitor. Otherwise you should use Log Analytics and a workbook, or Power BI.
