Mago.io
  • Welcome to Mago Knowledge Base!
  • Prerequisites setup
    • Hardware, OS and Software Requirements
      • Multiple Display supported Scenarios
      • How to enable Bluetooth BLE (proximity) for BYOD Features
    • Network Requirements
    • Wireless Display
      • I am unable to see Miracast (AirServer) as a destination to mirror to
      • Fixing Miracast Issue with some Wifi Chipsets
    • MS Teams best practices
      • (optional) Disabling Chat in Teams accounts
    • Zoom best practices
    • System Hardening Best Practices
    • How to Create a Room Resource for Calendar Events
      • Google Workspace
      • Microsoft 365
        • Setup a room resource
        • Configure a Room resource
    • OS Updates, Drivers & firmware
      • OS Windows update policy
      • Update policy for Drivers and Firmware (Intune)
      • Mago Room Update
  • Installing Mago Room
    • Installation steps overview
      • ✍️Pre-requisites checklist
      • 1️⃣Install and configure Windows 10/11 OS
      • 2️⃣Install and configure Mago Room
        • Getting Mago Room
        • Installing Mago Room
          • Deploy Mago Room with Software Distribution (Silent Install)
        • First Configuration (Wizard)
        • Advanced Settings
      • 3️⃣Post-installation checklist
  • Cloud Management & Analytics Console
    • How to Create an IT Admin User Account and Manage Mago Room and Licenses
    • Adding a Room in the Valarea Management Console
    • Using the Mago Room ADMIN Console
      • Rooms List
      • How to Create Groups and Tags
      • How to create Policies
      • How to Assign Policies
      • Create and Schedule a Task
    • Analytics Console
  • FAQ
    • Frequently Asked Question
      • Mago OAuth scopes and permissions explained
        • Mago Room OAuth scopes
        • Mago Workspace App OAuth scopes
      • Important Configuration Files
      • Antivirus & Firewall exceptions
      • Installing Mago Room on existing Room systems (MTR or Zoom room hardware)
  • Videos for training
    • Videos for training
  • Mago Essential
    • Setup Guide
      • Requirements
      • Hardware installation
      • First configuration
  • TECH DOCS
    • 🛡️Security White Paper
      • Introduction
      • Reliability
      • Application Security
      • Mago Room Security
      • On-Cloud / On-Premise Deployment Security
      • Encryption
      • Vulnerability Management
      • Mago Information Security
      • Physical Security
      • Conclusion
    • ℹ️Dec 14, 2021 | Vulnerability Statement | Log4j
    • 📄Privacy Policy
    • 📱Mago Workspace for Android - Data safety
  • Support
    • Mago Helpdesk and Support
Powered by GitBook
On this page
  1. Prerequisites setup
  2. OS Updates, Drivers & firmware

OS Windows update policy

Patch management with Intune fits into Microsoft's modern client management concept, where cloud-based solutions replace traditional tools like WSUS.

PreviousOS Updates, Drivers & firmwareNextUpdate policy for Drivers and Firmware (Intune)

Last updated 2 years ago

Managing updates with Microsoft Intune provides a cloud-based patch management solution that provides administrators with many configuration settings to meet their individual business needs. Using Microsoft Windows Update for Business, administrators don't need to approve updates individually, as they do with the WSUS server, albeit with arguably less granularity and control provided with the WSUS server.

Intune enables configuration of update settings on devices. On Windows 10 specifically, you configure these settings using Windows 10 update rings in Microsoft Intune. These settings control the updates that are downloaded and when.

Intune supports the following Windows 10 servicing channels:

  • Semi-Annual Channel

  • Semi-Annual Channel (targeted) for 1809 and below

  • Windows Insider – Fast

  • Windows Insider – Slow

  • Windows Insider – Release Preview

Once the policy settings are applied to the Intune-enrolled devices, they do not reach out to a WSUS server somewhere; rather, they contact Windows Update directly. This architecture frees remote clients from the network constraints of the legacy WSUS architecture required for managing Windows Updates.

Configuring a Windows 10 update ring

Navigate to Microsoft Endpoint Manager admin center > Devices. Choose Update rings for Windows 10 and later. Then choose Create profile.

Create a new update ring for Windows 10 in Endpoint Manager devices

It launches the Create Update ring for Windows 10 and later wizard. On the Basics screen, choose a name for the new update ring profile.

Choose a name for the update ring profile

Next, the update ring settings screen is where all the "heavy lifting" happens from an update perspective and where you want to give the most attention to the settings configured for your organization. Here, you configure the following settings:

  • Servicing channel

  • Microsoft product updates

  • Windows drivers

  • Quality update deferral period (days)

  • Feature update deferral period (days)

  • Set feature update uninstall period (2–60 days)

  • Automatic update behavior

    • Active hours start

    • Active hours end

  • Restart checks

  • Option to pause Windows updates

  • Option to check for Windows updates

  • Require user approval to dismiss restart notification

  • Remind user prior to required auto-restart with dismissible reminder (hours)

  • Remind user prior to required auto-restart with permanent reminder (minutes)

    • Change notification update level

  • Use deadline settings

    • Deadline for feature updates

    • Deadline for quality updates

    • Grace period

    • Auto reboot before deadline

Microsoft is continually adding new features and capabilities to the update screen to define the settings that affect the Windows update behavior as configured using Intune.

Configure the update ring settings

Now you need to assign the profile. Here, you select the groups, users, or devices to which you want to apply the policy. Most organizations will undoubtedly have multiple Windows 10 update ring profiles configured that closely align with what they have today with the WSUS server or another update solution.

Configure the assignments for the Windows update ring policy

Finally, review and create the new update policy.

Review and create the new Windows update ring policy using Microsoft Intune

If all settings are correct, click Create to finish the wizard and create the new update profile.

^