Administrators are accustomed to managing Windows updates using the Windows Server Update Services (WSUS) server on-premises. However, WSUS has many shortcomings, one of which is connectivity for remote clients, which, with a distributed workforce, may now be located anywhere in the world.
Microsoft Intune offers a cloud-based patch management solution with many configuration settings that administrators can tailor to their individual business needs. With Microsoft Windows Update for Business, administrators don't need to approve updates individually, as they do with the WSUS server, albeit with arguably less granularity and control than the WSUS server provides.
Intune enables configuration of update settings on devices. On Windows 10 specifically, you configure these settings using Windows 10 update rings in Microsoft Intune. These settings control which updates are downloaded and when.
Intune supports the following Windows 10 servicing channels:
- Semi-Annual Channel
- Semi-Annual Channel (targeted) for 1809 and below
- Windows Insider – Fast
- Windows Insider – Slow
- Windows Insider – Release Preview
Once the policy settings are applied to the Intune-enrolled devices, they do not reach out to a WSUS server somewhere; rather, they contact Windows Update directly. This architecture frees remote clients from the network constraints of the legacy WSUS architecture required for managing Windows Updates.
Configuring a Windows 10 update ring
Navigate to Microsoft Endpoint Manager admin center > Devices. Choose Update rings for Windows 10 and later. Then choose Create profile.
This launches the Create Update ring for Windows 10 and later wizard. On the Basics screen, choose a name for the new update ring profile.
Next comes the Update ring settings screen, where all the "heavy lifting" happens from an update perspective and where the settings you choose for your organization deserve the most attention. Here, you configure the following settings:
- Servicing channel
- Microsoft product updates
- Windows drivers
- Quality update deferral period (days)
- Feature update deferral period (days)
- Set feature update uninstall period (2–60 days)
- Automatic update behavior
- Active hours start
- Active hours end
- Restart checks
- Option to pause Windows updates
- Option to check for Windows updates
- Require user approval to dismiss restart notification
- Remind user prior to required auto-restart with dismissible reminder (hours)
- Remind user prior to required auto-restart with permanent reminder (minutes)
- Change notification update level
- Use deadline settings
- Deadline for feature updates
- Deadline for quality updates
- Grace period
- Auto reboot before deadline
Microsoft continually adds new settings to this screen that affect Windows update behavior as configured through Intune.
Now you need to assign the profile. Here, you select the groups, users, or devices to which you want to apply the policy. Most organizations will undoubtedly have multiple Windows 10 update ring profiles configured that closely align with what they have today with the WSUS server or another update solution.
Finally, review and create the new update policy.
If all settings are correct, click Create to finish the wizard and create the new update profile.
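A pre-deployment check for the ring settings listed above, as an added PowerShell example that is not part of the original article or of Microsoft's tooling: it flags rings whose feature update uninstall period falls outside 2 to 60 days, that set no quality update deadline, or whose deferral, deadline, and grace period add up to more than a target. The property names are assumed to follow Microsoft Graph's windowsUpdateForBusinessConfiguration resource, the three rings are constructed samples, and the function name Test-UpdateRing and the 14-day target are assumptions.

```powershell
# Constructed sample rings. Property names are assumed to match Microsoft Graph's
# windowsUpdateForBusinessConfiguration resource; all values are invented for illustration.
$rings = @(
    [pscustomobject]@{
        displayName                        = 'Pilot (constructed)'
        qualityUpdatesDeferralPeriodInDays = 0
        featureUpdatesRollbackWindowInDays = 10
        deadlineForQualityUpdatesInDays    = 3
        deadlineGracePeriodInDays          = 1
    }
    [pscustomobject]@{
        displayName                        = 'Broad (constructed)'
        qualityUpdatesDeferralPeriodInDays = 21
        featureUpdatesRollbackWindowInDays = 90     # outside the wizard's 2-60 day range
        deadlineForQualityUpdatesInDays    = 7
        deadlineGracePeriodInDays          = 2
    }
    [pscustomobject]@{
        displayName                        = 'Kiosk (constructed)'
        qualityUpdatesDeferralPeriodInDays = 7
        featureUpdatesRollbackWindowInDays = 10
        deadlineForQualityUpdatesInDays    = $null  # "Use deadline settings" left off
        deadlineGracePeriodInDays          = $null
    }
)

function Test-UpdateRing {   # hypothetical helper, not an Intune or Graph cmdlet
    param(
        [Parameter(Mandatory)] $Ring,
        [int] $MaxQualityPatchDays = 14   # assumed organisational target, not an Intune default
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $rollback = $Ring.featureUpdatesRollbackWindowInDays
    if ($null -ne $rollback -and ($rollback -lt 2 -or $rollback -gt 60)) {
        $findings.Add("feature update uninstall period of $rollback days is outside 2-60")
    }
    if ($null -eq $Ring.deadlineForQualityUpdatesInDays) {
        $findings.Add('no quality update deadline configured')
    } else {
        # Simplified upper bound for an online device: deferral + deadline + grace period.
        $worst = $Ring.qualityUpdatesDeferralPeriodInDays +
                 $Ring.deadlineForQualityUpdatesInDays + $Ring.deadlineGracePeriodInDays
        if ($worst -gt $MaxQualityPatchDays) {
            $findings.Add("quality updates may take up to $worst days (target $MaxQualityPatchDays)")
        }
    }
    $findings | ForEach-Object { [pscustomobject]@{ Ring = $Ring.displayName; Finding = $_ } }
}
$rings | ForEach-Object { Test-UpdateRing -Ring $_ } | Format-Table -AutoSize
```

The Pilot ring produces no findings, the Broad ring produces two, and the Kiosk ring produces one.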
Summary
Patch management with Intune fits into Microsoft's modern client management concept, where cloud-based solutions replace traditional tools like WSUS. The advantage of this approach becomes apparent when users are not just working in the office but on the road or at home. Admins can then ensure that security-critical updates are installed quickly.
Update management with Intune essentially configures profiles that determine when a PC receives which update directly from Windows Update.