Top 6 things to consider when configuring Windows Updates in Intune
Introduction
With Intune you have the option to control most parts of Windows Updates for Win10/11 devices. It's very useful to gain control over the behavior of Windows Updates.
Options
The Winodws Updates in Intune have the following sections:
- Windows Update Rings
- Feature Updates
- Quality Updates
- Driver Updates
In this article, we are only going to cover Update Rings. The others will be covered in future blog posts.
Update Rings
With Update Rings you can control the behavior of Windows Updates. Yes, you read that right, Intune does not store nor distribute Winodws Updates itself. It's not the modern WSUS server. Intune just stores and pushes the configuration of what settings you desire, that are all available in the Windows Update App.
Navigate to Intune -> Devices -> Update Rings and create e new profile.
Top important settings:
- Windows drivers - Allows or Disables Windows Updates to install or not Drivers for the system
- Quality update deferral period (days) - The number of days to defer (delay) Quality updates (Security updates) which are generally quite often. I like having security updates rather quicker than later, but I believe 2 days of delay is safe. In case Microsoft pushes out an update that hasn't been tested enough, you have 2 days to react.
- Feature update deferral period (days) - Feature Updates are those that carry new features in Windows. These come more rarely. Stuff like new buttons, new animations etc. These are less important, thus I've delayed them by 5 days.
- Upgrade Windows 10 devices to Latest Windows 11 release - - This one is self-explanatory, you either let ppl upgrade to win11 or not. My only say here is that you should aim for a homogenous parc.
- Deadline for xxxxx - So after a update is released, you can choose to implement a "deadline" for the users to install.
- Grace period - The Grace period starts after the Deadline period. This means the number of days until the auto-reboot will occur.
For more details, the doc , and pt 2.
"While update rings can deploy to both device and user groups, consider using only device groups when you also use feature updates."
Review & Create! Don't forget to Test, Pilot, then deploy to prod.
Once deployed, don't forget you have options to Pause it, Extend the deferals directly from the overview:
Conclusion:
It's not hard to gain control over Windows Updates for your Win10/11 devices if you have them enrolled in Intune. You just need to understand what a few settings mean and align them to the needs of your organization.