
How to manage Windows Updates with Microsoft Intune? Updates are one of the most important things when considering a secure environment. But how can we manage Windows Updates with Microsoft Intune? The solution is Windows Update rings, which are directly integrated in the Microsoft Intune environment. In this blog post we will show you everything you need to know.

What are we going to set up?

In this blog post we will show you how to manage Windows Updates with Microsoft Intune. We will have a look at the Update rings for Windows 10 and later in Microsoft Intune, at all the settings you can configure and at what the best practices are. We will also enable the Windows Update reporting so you have some good analytics directly in Intune. The reporting is not enabled by default, so we need to enable it manually. After this blog post you will fully understand the Windows Update ring settings in Microsoft Intune.

  • Step 1: Create a Windows Update Ring.
    In this step we will create the update ring in Microsoft Intune and configure the settings.
  • Step 2: Activate Windows Update Reporting [optional]
    This optional step will give you good basic reporting on the Windows updates. You don't need to enable it, but I recommend it.
  • Step 3: Additional Pop-up configurations [optional]
    For the end user experience it's sometimes difficult to schedule the device restart actions. In this step we will create a new configuration policy which will leave the restart popup visible until the user has chosen an action. This will force the user to choose when the update should be installed on the device.

How to manage Windows Updates with Microsoft Intune

Create a Windows update policy

In this step we are going to create a new configuration profile in Microsoft Intune and deploy the policy to the users or devices. Just follow these steps:

  • Go to intune.microsoft.com
  • Click on Devices
  • Click on Windows
  • Click on Update rings for Windows 10 and later
  • Click on Create profile
  • Give it a meaningful name and description
    Some ideas for good names are, for example, Update Ring Production or Update Ring Early Bird.
  • Click on Next

Now we can configure the settings for the update ring. Below you will find a short description of what each setting does. I will configure the settings which I found to be the most useful.

  • Microsoft Product updates
    Control whether to scan for updates from Microsoft Update. Microsoft products are, for example, the Microsoft Office application or OneDrive.
  • Windows drivers
    Allow or block driver updates via Windows Update. When enabled, the drivers are updated together with the Windows updates.
  • Quality update deferral period (days)
    Defer quality updates for the specified number of days, that is, how many days after release the update becomes available on the device. For the normal ring I mostly use 3 days.
  • Feature update deferral period (days)
    How many days after release the update becomes available on the device. For the feature updates I mostly use 7 days.
  • Upgrade Windows 10 devices to Latest Windows 11 release
    Set to upgrade eligible Windows 10 devices to the latest Windows 11 release. When set to No, Windows 10 devices won't upgrade to Windows 11.
  • Set feature update uninstall period (2 - 60 days)
    Set the feature update uninstall period, that is, how long the feature update can still be uninstalled.
  • Enable pre-release builds
    Enable pre-release builds if you want devices to be on a Windows Insider channel. Enabling pre-release builds will cause devices to reboot. For corporate environments I suggest not using Insider Preview builds.

For the User experience settings there are a lot of options. I will show you the ones which I found to be the best options.

  • Automatic update behavior
    Manage automatic update behavior to scan, download, and install updates. For me, Reset to default worked really well. This will use the default Windows Update process without any maintenance time etc.
  • Option to pause Windows updates
    An option in Windows Update that, when enabled, lets device users pause updates for a certain number of days. I don't want users to be able to pause the update, so I will Disable this option.
  • Option to check for Windows updates
    A button in Windows Update that, when enabled, lets device users check the update service for updates.
  • Change notification update level
    Specifies what Windows Update notifications users see. Here just choose the default Windows Update notification.
  • Use deadline settings
    The deadline refers to the number of days after the deferral period that the computer has to install the update. At the end of the deadline, the update will auto-install.
  • Deadline for feature updates
    After how many days the update will be auto-installed.
  • Deadline for quality updates
    After how many days the update will be auto-installed.
  • Grace period
    The grace period is how many days after the deadline the machine has to reboot before it gets force rebooted.
  • Auto reboot before deadline
    Whether the device should auto reboot before it reaches the deadline. I always turn this off.

On the Assignments tab assign the policy to your group, users or devices. On the Review + create tab click on Create. Congrats, you have successfully deployed an update ring.

On the Update Ring policy you will find the different actions you can perform. You will also see some basic reports which are not really helpful. Because of that, we will enable some additional reporting in the next step.

Activate Windows Update Reporting [optional]

To enable some advanced reporting we will create a new configuration policy with the Windows health monitoring settings. Just follow the steps below.

  • Go to intune.microsoft.com
  • Click on Devices
  • Click on Windows
  • Click on Configuration profiles
  • Click on Create and New Policy
  • Choose Windows 10 and later for Platform
  • Choose Templates for Profile type
  • Search for the Windows health monitoring and click on Create.

IMPORTANT: If you already have the Windows health monitoring configuration, you will need to edit the existing policy. Otherwise you will get a conflict error. It's mostly called Intune data collection policy.

  • Give it a meaningful name and description
  • Click on Next

On the configuration settings:

  • Enable the Health monitoring
  • In the scope choose Windows Updates

Now it can take some time until the reports are ready. You can find the Reports under Reports > Windows Updates.

Additional Pop-up configurations [optional]

Sometimes we had some problems with the automatic restarts. Some users just never restarted their device until it did it automatically. So I found a pretty neat setting which will leave the restart-needed popup on the bottom right until the user has chosen an option. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds. With this setting we will change this.

To set this policy we will create a new configuration policy with the Restart Required Notification Dismissal.

  • Go to intune.microsoft.com
  • Click on Devices
  • Click on Windows
  • Click on Configuration profiles
  • Click on Create and New Policy
  • Choose Windows 10 and later for Platform
  • Choose Settings catalog for Profile type
  • Give it a meaningful name and description
  • Click on Next

On the configuration settings do the following:

  • Click on Add settings
  • Search for Auto Restart Required Notification Dismissal
  • Choose Windows Update for Business
  • Enable Auto Restart Required Notification Dismissal
  • Set the setting to User Dismissal.
  • Define your Scope if applicable and click on Next
  • On the Assignments tab assign the Policy to a Group or to All User/Devices
  • Click on Next
  • And Review + Create the Policy
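
To confirm on a test device that the update ring from step 1 and the notification setting from step 3 actually arrived, the following added PowerShell example (not part of the original post) reads the values the MDM Policy CSP records in the registry after a sync. The expected values are the ones used in this post (3 and 7 days deferral, pause disabled, User Dismissal); that each ring option maps to the Update policy name shown is an assumption to check against your own tenant.

```powershell
# Added example: compare the Update policies applied via MDM with the values from this post.
# The Policy CSP stores applied device policies under this key.
$path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Expected values taken from this post (adjust to your own ring).
$expected = [ordered]@{
    DeferQualityUpdatesPeriodInDays          = 3  # quality update deferral
    DeferFeatureUpdatesPeriodInDays          = 7  # feature update deferral
    SetDisablePauseUXAccess                  = 1  # 1 = users cannot pause updates
    AutoRestartRequiredNotificationDismissal = 2  # 2 = User Dismissal, 1 = Auto Dismissal
}

# Reported only: the post gives no numbers for the deadline settings.
$reportOnly = @(
    'ConfigureDeadlineForQualityUpdates'
    'ConfigureDeadlineForFeatureUpdates'
    'ConfigureDeadlineGracePeriod'
    'ConfigureDeadlineNoAutoReboot'
)

function Test-UpdateRingPolicy {
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Expected,
        [string[]]$ReportOnly
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No Update policy key at $Path; no Update policy has reached this device via MDM."
        return
    }
    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in @($Expected.Keys) + $ReportOnly) {
        $prop  = $props.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        if     ($null -eq $value)               { $state = 'NotSet' }
        elseif (-not $Expected.Contains($name)) { $state = 'Info' }
        elseif ($value -eq $Expected[$name])    { $state = 'OK' }
        else                                    { $state = 'Mismatch' }
        [pscustomobject]@{
            Policy = $name; Expected = $Expected[$name]; Actual = $value; State = $state
        }
    }
}

Test-UpdateRingPolicy -Path $path -Expected $expected -ReportOnly $reportOnly |
    Format-Table -AutoSize
```

A row with State NotSet means no value has been written for that setting yet, which usually points to a missing assignment or a device that has not synced since the policy was created.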

Conclusion

In this blog post, we have shown you how to manage Windows Updates with Microsoft Intune. We have created a new Windows update ring and configured the settings. In an optional step we enabled the additional reporting and had a look at the Auto Restart Required Notification Dismissal. We hope you found this blog post helpful and informative. If you have any questions or feedback, please leave a comment below. Thank you for reading!

Max

One Comment

  • Trey says:

    I love your site. I could see it becoming the source for up-to-date Intune instructions. Thanks for the work you put into it.

    I was wondering if you had Fiddler installation instructions. We have found some but they are from 2021.
