OS Windows update policy
Patch management with Intune fits into Microsoft's modern client management concept, where cloud-based solutions replace traditional tools like WSUS.
Microsoft Intune provides a cloud-based patch management solution that gives administrators many configuration settings to meet their individual business needs. Using Microsoft Windows Update for Business, administrators don't need to approve updates individually, as they do with a WSUS server, although this arguably comes with less granularity and control than the WSUS server provides.
Intune enables configuration of update settings on devices. On Windows 10 specifically, you configure these settings using Windows 10 update rings in Microsoft Intune. These settings control the updates that are downloaded and when.
Intune supports the following Windows 10 servicing channels:
Semi-Annual Channel
Semi-Annual Channel (targeted) for 1809 and below
Windows Insider – Fast
Windows Insider – Slow
Windows Insider – Release Preview
Once the policy settings are applied to the Intune-enrolled devices, they do not reach out to a WSUS server somewhere; rather, they contact Windows Update directly. This architecture frees remote clients from the network constraints of the legacy WSUS architecture required for managing Windows Updates.
Navigate to Microsoft Endpoint Manager admin center > Devices. Choose Update rings for Windows 10 and later. Then choose Create profile.
Create a new update ring for Windows 10 in Endpoint Manager devices
This launches the Create Update ring for Windows 10 and later wizard. On the Basics screen, choose a name for the new update ring profile.
Choose a name for the update ring profile
Next, the update ring settings screen is where all the "heavy lifting" happens from an update perspective and where you want to give the most attention to the settings configured for your organization. Here, you configure the following settings:
Servicing channel
Microsoft product updates
Windows drivers
Quality update deferral period (days)
Feature update deferral period (days)
Set feature update uninstall period (2–60 days)
Automatic update behavior
Active hours start
Active hours end
Restart checks
Option to pause Windows updates
Option to check for Windows updates
Require user approval to dismiss restart notification
Remind user prior to required auto-restart with dismissible reminder (hours)
Remind user prior to required auto-restart with permanent reminder (minutes)
Change notification update level
Use deadline settings
Deadline for feature updates
Deadline for quality updates
Grace period
Auto reboot before deadline
Microsoft is continually adding new features and capabilities to the update screen to define the settings that affect the Windows update behavior as configured using Intune.
Configure the update ring settings
Now you need to assign the profile. Here, you select the groups, users, or devices to which you want to apply the policy. Most organizations will undoubtedly have multiple Windows 10 update ring profiles configured that closely align with what they have today with the WSUS server or another update solution.
Configure the assignments for the Windows update ring policy
Finally, review and create the new update policy.
Review and create the new Windows update ring policy using Microsoft Intune
If all settings are correct, click Create to finish the wizard and create the new update profile.
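To confirm on a client that the new ring is in effect and that no legacy WSUS policy is left behind, the following added example (not part of the original article) reads both sets of policy values and summarizes them. The registry paths and value names are the standard Windows locations rather than anything stated above, and the function names and the sample WSUS URL are constructed for illustration.

```powershell
# Added example (not from the article). Function names are hypothetical.
# Assumed standard Windows locations: the WSUS Group Policy key and the MDM
# PolicyManager key where Update policy values delivered by Intune are stored.
$WsusKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MdmKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Read-KeyValues([string]$Path) {
    # Return value name -> data for a registry key; empty table if key is absent.
    $values = @{}
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if (Test-Path $Path) {
        foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
            if ($p.Name -notin $skip) { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-UpdateRingState {
    param([hashtable]$Wsus, [hashtable]$WsusAu, [hashtable]$Mdm)
    # UseWUServer = 1 together with a WUServer URL means WSUS policy is still set.
    $wsusActive = ($WsusAu['UseWUServer'] -eq 1) -and [bool]$Wsus['WUServer']
    # A ring delivered by MDM writes its deferral values under the Update key.
    $ringApplied = $Mdm.ContainsKey('DeferQualityUpdatesPeriodInDays') -or
                   $Mdm.ContainsKey('DeferFeatureUpdatesPeriodInDays')
    [pscustomobject]@{
        RingApplied         = $ringApplied
        LegacyWsusPolicy    = $wsusActive
        WsusServer          = $Wsus['WUServer']
        QualityDeferralDays = $Mdm['DeferQualityUpdatesPeriodInDays']
        FeatureDeferralDays = $Mdm['DeferFeatureUpdatesPeriodInDays']
        NeedsAttention      = (-not $ringApplied) -or $wsusActive
    }
}

# Constructed sample: the ring arrived, but an old WSUS GPO is still in place.
Test-UpdateRingState -Wsus @{ WUServer = 'http://wsus.example.internal:8530' } `
    -WsusAu @{ UseWUServer = 1 } `
    -Mdm @{ DeferQualityUpdatesPeriodInDays = 7; DeferFeatureUpdatesPeriodInDays = 30 }

# Live check on an enrolled Windows device.
if ($env:OS -eq 'Windows_NT') {
    Test-UpdateRingState -Wsus (Read-KeyValues $WsusKey) `
        -WsusAu (Read-KeyValues "$WsusKey\AU") -Mdm (Read-KeyValues $MdmKey)
}
```

A device that reports NeedsAttention as True either has not received the ring yet or is still carrying WSUS Group Policy that should be retired as part of the migration.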