Microsoft Intune – Automatic Windows Updates & Driver Updates


Introduction

This guide walks through managing and deploying Windows Updates, Feature Updates, and Driver Updates through Microsoft Intune, including configuring when these updates are applied.

The goal is to keep all devices up to date on Windows feature and security updates and to deploy driver updates automatically.


Requirements

  1. Devices must be enrolled into Microsoft Intune
  2. Global Administrator or Intune Administrator Role

Windows Quality Updates

Quality updates are frequent updates and mainly include small fixes and security updates.

  1. Navigate to the Intune admin center and sign in: https://intune.microsoft.com
  2. Navigate to Devices > Quality Updates for Windows 10 and later > Create profile
  • Create a name and description
  • Select which patch to enforce feature updates
    • NOTE: this can go back up to three feature updates
  • Select when to enforce the update (0-2 days)
  • Assign the policy to a specific group and select Next
    • It is recommended to use a test group prior to applying a new policy to an entire organization
  • Review and Create the policy

This is the most enforceable way to apply Windows Feature Updates. Devices will be forced to reboot after the set number of days if the user has not already done so, even during business hours.


Windows Feature Updates

Feature updates are typically released twice a year and include new functionality and capabilities as well as potential fixes and security updates.

  1. Navigate to the Intune admin center and sign in: https://intune.microsoft.com
  2. Navigate to Devices > Feature Updates for Windows 10 and later > Create profile
  • Create a name and description for the update policy
  • Select which feature update to apply
    • NOTE: it is recommended to check the box to allow devices still on Windows 10 to feature update to the latest version
  • Select when you wish to make the update available to all users
  • Assign the policy to a specific group and select Next
    • It is recommended to use a test group prior to applying a new policy to an entire organization
  • Review and Create the policy

Unlike the quality update policy, this policy does not force updates. Refer to the next section, Windows Update Rings, for enforcing Windows Updates.


Windows Update Rings

Update rings specify how and when Windows as a Service updates your Windows 10/11 devices with feature and quality updates.

  1. Navigate to the Intune admin center and sign in: https://intune.microsoft.com
  2. Navigate to Devices > Update rings for Windows 10 and later > Create profile
  • Create a name and description for the update ring policy.
  • Configure the desired update policies.
    • We will allow Windows & Driver updates
    • We will only allow users to defer updates for up to 7 days
    • We will not allow automatic upgrades from Windows 10 to Windows 11
    • We will not allow pre-release builds & updates
  • Next we will configure the user experience:
    • In this example we set the business hours from 7am-7pm
    • Updates are to be automatically installed but a reboot must be performed by the user
    • Users have a 7 day period to reboot and apply updates before it is done automatically
    • Users will only receive notifications that it is time to reboot
  • Assign the policy to a specific group and select Next
    • It is recommended to use a test group prior to applying a new policy to an entire organization
  • Review and Create the policy
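
One way to check that an exported update ring still matches the choices listed above, as an added example (not from the original guide or from Microsoft). The property names are assumed to follow Microsoft Graph's windowsUpdateForBusinessConfiguration resource, the mapping of the 7-day deferral and reboot period onto the deferral and deadline properties is an assumption, and both sample rings are constructed.

```python
import json

# Baseline from the ring described above. Property names are an assumption:
# they follow Microsoft Graph's windowsUpdateForBusinessConfiguration resource.
MAX_DEFERRAL_DAYS = MAX_DEADLINE_DAYS = 7
ACTIVE_HOURS = ("07:00", "19:00")
PRE_RELEASE = {"windowsInsiderBuildFast", "windowsInsiderBuildSlow",
               "windowsInsiderBuildRelease"}

def audit_update_ring(ring):
    """Return a list of drift findings; an empty list means the ring matches."""
    findings = []
    if ring.get("driversExcluded"):
        findings.append("driver updates are excluded")
    for key in ("qualityUpdatesDeferralPeriodInDays", "featureUpdatesDeferralPeriodInDays"):
        days = ring.get(key) or 0
        if days > MAX_DEFERRAL_DAYS:
            findings.append(f"{key} is {days}, above {MAX_DEFERRAL_DAYS}")
    if ring.get("allowWindows11Upgrade"):
        findings.append("Windows 10 to Windows 11 upgrade is allowed")
    if ring.get("businessReadyUpdatesOnly") in PRE_RELEASE:
        findings.append("pre-release builds are enabled")
    deadline = ring.get("deadlineForQualityUpdatesInDays")
    if deadline is None or deadline > MAX_DEADLINE_DAYS:
        findings.append(f"no reboot deadline within {MAX_DEADLINE_DAYS} days")
    schedule = ring.get("installationSchedule") or {}
    hours = (str(schedule.get("activeHoursStart", ""))[:5],
             str(schedule.get("activeHoursEnd", ""))[:5])
    if hours != ACTIVE_HOURS:
        findings.append(f"active hours are {hours[0]}-{hours[1]}, expected 07:00-19:00")
    return findings

# Constructed sample exports for illustration, not real tenant data.
COMPLIANT = json.loads("""{
  "driversExcluded": false,
  "qualityUpdatesDeferralPeriodInDays": 7,
  "featureUpdatesDeferralPeriodInDays": 7,
  "allowWindows11Upgrade": false,
  "businessReadyUpdatesOnly": "businessReadyOnly",
  "deadlineForQualityUpdatesInDays": 7,
  "installationSchedule": {"activeHoursStart": "07:00:00.0000000", "activeHoursEnd": "19:00:00.0000000"}
}""")
DRIFTED = dict(COMPLIANT, driversExcluded=True,
               qualityUpdatesDeferralPeriodInDays=30,
               businessReadyUpdatesOnly="windowsInsiderBuildSlow",
               deadlineForQualityUpdatesInDays=None)

if __name__ == "__main__":
    for name, ring in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit_update_ring(ring) or "matches baseline")
```

A ring that drifts toward long deferrals or loses its reboot deadline leaves devices unpatched for longer than the policy intends, so a check like this is worth running whenever a ring is edited.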

Driver Updates

  1. Navigate to the Intune admin center and sign in: https://intune.microsoft.com
  2. Navigate to Devices > Driver updates for Windows 10 and later > Create profile
  • Create a name and description
  • Choose how you want driver updates to be approved:
    • Manually approve: no driver updates will be downloaded and installed unless approved by an administrator in Intune
    • Automatic: driver updates are automatically approved based on vendor recommendations – we will select 2 days, meaning driver updates must be publicly available for at least 2 days before they are available for download/installation
  • Assign the policy to a specific group and select Next
    • It is recommended to use a test group prior to applying a new policy to an entire organization
  • Review and Create the policy

Reporting & Monitoring

To view statistics for individual policies you have created, use the sections above to:

  1. Navigate to the newly created policy
  2. Click on the policy
    1. For the example below, we will be using screenshots from a sample Update Ring policy.

On the Overview tab we can see information such as when the policy was created/last updated as well as some options to pause/resume/uninstall updates:

Navigate to the Properties tab on the left menu.

This will show our policy configuration, group assignments, and tags. All of the settings we previously created are editable after creation.

Under the Device and User Check-in Status tab we can filter and view results of our policy:

For a high-level overview of all the devices the policy applied to, click into Device Assignment Status. This will give us a list of devices that were successful, failed, or successful with errors (conflict).

To take a deeper dive into devices or users the policy may not be fully successful for, click into the Per Setting Status and locate a specific device or user. This will give us an overview of what exactly went right and what did not when it comes to specific policy settings.

Additional reports can be found within the Intune admin center under the Reports > Windows Updates tab. This allows us to create custom reports on a specific policy and specific drivers or update packages. Some further reports, such as Windows feature update compatibility risk, are available with license upgrades.

Official Microsoft documentation for Windows Update Reports: https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-reports


Alternate Methods

Specific Windows update packages can be packaged as a Win32 app and deployed to Intune devices. This process can be helpful in troubleshooting specific Windows updates that may have a negative impact on your environment.

Official Microsoft documentation for deploying Windows Update packages: https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-deploy-update-package


Reference

The website below provides additional instructions for utilizing this process.

https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure
