OS Windows update policy

Patch management with Intune fits into Microsoft's modern client management concept, where cloud-based solutions replace traditional tools like WSUS.

Microsoft Intune provides a cloud-based patch management solution with many configuration settings that administrators can tune to their business needs. With Windows Update for Business, administrators don't need to approve updates individually as they do with a WSUS server, although this arguably comes with less granularity and control than WSUS provides.

Intune enables configuration of update settings on devices. On Windows 10 specifically, you configure these settings using Windows 10 update rings in Microsoft Intune. These settings control the updates that are downloaded and when.

Intune supports the following Windows 10 servicing channels:

  • Semi-Annual Channel

  • Semi-Annual Channel (targeted) for 1809 and below

  • Windows Insider – Fast

  • Windows Insider – Slow

  • Windows Insider – Release Preview

Once the policy settings are applied to the Intune-enrolled devices, they do not reach out to a WSUS server somewhere; rather, they contact Windows Update directly. This architecture frees remote clients from the network constraints of the legacy WSUS architecture required for managing Windows Updates.

Configuring a Windows 10 update ring

Navigate to Microsoft Endpoint Manager admin center > Devices. Choose Update rings for Windows 10 and later. Then choose Create profile.

Create a new update ring for Windows 10 in Endpoint Manager devices

This launches the Create Update ring for Windows 10 and later wizard. On the Basics screen, choose a name for the new update ring profile.

Choose a name for the update ring profile

Next comes the update ring settings screen. This is where all the "heavy lifting" happens from an update perspective, and it is where the settings you configure for your organization deserve the most attention. Here, you configure the following settings:

  • Servicing channel

  • Microsoft product updates

  • Windows drivers

  • Quality update deferral period (days)

  • Feature update deferral period (days)

  • Set feature update uninstall period (2–60 days)

  • Automatic update behavior

    • Active hours start

    • Active hours end

  • Restart checks

  • Option to pause Windows updates

  • Option to check for Windows updates

  • Require user approval to dismiss restart notification

  • Remind user prior to required auto-restart with dismissible reminder (hours)

  • Remind user prior to required auto-restart with permanent reminder (minutes)

    • Change notification update level

  • Use deadline settings

    • Deadline for feature updates

    • Deadline for quality updates

    • Grace period

    • Auto reboot before deadline

Microsoft continually adds new settings to this screen, so the options available for controlling Windows update behavior through Intune may grow beyond this list.

Configure the update ring settings

Now you need to assign the profile. Here, you select the groups, users, or devices to which you want to apply the policy. Most organizations will undoubtedly have multiple Windows 10 update ring profiles configured that closely align with what they have today with the WSUS server or another update solution.

Configure the assignments for the Windows update ring policy

Finally, review and create the new update policy.

Review and create the new Windows update ring policy using Microsoft Intune

If all settings are correct, click Create to finish the wizard and create the new update profile.
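Once several rings exist, it is worth checking that none of them quietly leaves devices unpatched for longer than intended. The following PowerShell sketch is an added example, not part of the original article or of Intune itself: it audits ring definitions for a missing quality update deadline, a worst-case install time beyond a patch SLA, paused quality updates, and an uninstall period outside the 2–60 day range listed above. The function name Test-UpdateRing and the 14-day SLA are assumptions, the rings are constructed sample data, and the property names are those of the Microsoft Graph windowsUpdateForBusinessConfiguration resource.

```powershell
# Added example: audit update ring definitions against a patch SLA.
# Test-UpdateRing is a hypothetical helper; the 14-day SLA is an assumption.
function Test-UpdateRing {
    param(
        [Parameter(Mandatory)] [object[]] $Ring,
        [int] $MaxQualityDays = 14   # assumed SLA until a quality update is enforced
    )
    foreach ($r in $Ring) {
        $findings  = @()
        $worstCase = $null
        if ($null -eq $r.deadlineForQualityUpdatesInDays) {
            # Without a deadline nothing forces the install and restart.
            $findings += 'no quality update deadline configured'
        } else {
            # Approximation: deferral delays the offer, the deadline counts from
            # the offer, and the grace period can push the forced restart further.
            $worstCase = [int]$r.qualityUpdatesDeferralPeriodInDays +
                         [int]$r.deadlineForQualityUpdatesInDays +
                         [int]$r.deadlineGracePeriodInDays
            if ($worstCase -gt $MaxQualityDays) {
                $findings += "worst case $worstCase days exceeds SLA of $MaxQualityDays"
            }
        }
        if ($r.qualityUpdatesPaused) { $findings += 'quality updates are paused' }
        $rollback = $r.featureUpdatesRollbackWindowInDays
        if ($null -ne $rollback -and ($rollback -lt 2 -or $rollback -gt 60)) {
            $findings += "uninstall period $rollback is outside 2-60 days"
        }
        [pscustomobject]@{
            Ring          = $r.displayName
            WorstCaseDays = $worstCase
            Compliant     = ($findings.Count -eq 0)
            Findings      = $findings -join '; '
        }
    }
}

# Constructed sample rings (not taken from a real tenant).
$rings = @(
    [pscustomobject]@{ displayName = 'Pilot'; qualityUpdatesDeferralPeriodInDays = 0
        deadlineForQualityUpdatesInDays = 2; deadlineGracePeriodInDays = 1
        featureUpdatesRollbackWindowInDays = 10; qualityUpdatesPaused = $false }
    [pscustomobject]@{ displayName = 'Broad'; qualityUpdatesDeferralPeriodInDays = 14
        deadlineForQualityUpdatesInDays = 7; deadlineGracePeriodInDays = 2
        featureUpdatesRollbackWindowInDays = 10; qualityUpdatesPaused = $false }
    [pscustomobject]@{ displayName = 'Kiosk'; qualityUpdatesDeferralPeriodInDays = 7
        deadlineForQualityUpdatesInDays = $null; deadlineGracePeriodInDays = $null
        featureUpdatesRollbackWindowInDays = 10; qualityUpdatesPaused = $true }
)
Test-UpdateRing -Ring $rings | Format-Table -AutoSize
```

With this sample data, Pilot passes at 3 days, Broad is flagged at 23 days, and Kiosk is flagged for having no deadline and for paused updates.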
