Configure Windows Updates in Intune

  • Published on 22 Dec 2024
  • In this video, we show one way of configuring Windows Updates using update rings (Beta tester, Validation, and everyone else).
    In this video we will create three update rings and deploy the Windows 11 22H2 Feature Update.

Comments • 66

  • @nicosimoni2558 1 year ago +2

    Very informative video, thanks! One thing I do differently and seems to work fine is to put "0" on all feature updates deferral settings inside of each ring, and use the dedicated "Feature Update" section to use the "gradual update" with a set date for beginning and ending. That way, Intune will divide the number of devices needing the update vs the number of days you set and randomize accordingly, and any computer added after this date will get updated. So you would have a ring 0 for testers (IT dept, a few power users) that are excluded from this feature update policy and are specifically targeted while the rest of the devices will go through the deployment in phases with no interaction on your end as soon as you assign them to the gradual upgrade. Easier to explain with screenshots but YouTube doesn't allow it :D Also, let's repeat it because I find a ton of people make that mistake: deferral only means that Windows Update will not look for the update from the date it is made available by MS, it's not a "grace period". In other words, if 21H1 came a year ago, a "200" days deferral is bypassed.

    • @IntuneVitaDoctrina 1 year ago +2

      Thanks again Nico, and as always great comment from you, good advice. I should update or do a new video to add in that and some extra thoughts I have about updates in general.

  • @robmoore3007 1 year ago +3

    Now that was very helpful. I was doing it wrong, but now I'm doing it right. Thank you!

  • @rashkaViking 2 years ago +3

    Nice! The awaited video has come.

    • @IntuneVitaDoctrina 2 years ago +1

      Thanks a lot @Abdirashid Muhammed, usually settings you don't have to set up so many, nearly like set and forget, and saw some new settings that weren't there before when I set it up. I really like the setting to not restart if device is on less than 40% or presenting, that is nice.

  • @Rideables 6 months ago +2

    Thank you for the video! Very clear presentation!

    • @IntuneVitaDoctrina 6 months ago +1

      Glad you enjoyed it! Thanks a lot for your comment, that gives me energy to do more videos :)

  • @cbesc 10 months ago +1

    Beautiful walkthru!

  • @3143iamsam 2 years ago +1

    Another Nice video John! Thank you for this!

    • @IntuneVitaDoctrina 2 years ago

      Thanks a lot for your support Mike :) more is coming :)

  • @eduhazard 11 months ago +2

    Very well explained! Thanks

  • @pdmaclellan 1 year ago +1

    Thank you. This video was very helpful.

    • @IntuneVitaDoctrina 1 year ago +1

      Thank you so much for your comment, happy it helped

  • @DaysofIresh 9 months ago +1

    Great explanation mate!

  • @XwolfBane18 2 years ago +1

    Great video John. Will have to follow along and try it on my own Intune tenant.

    • @IntuneVitaDoctrina 2 years ago +1

      Thanks a lot Abdul, I wouldn't say it is a complete video going through all options, but should give a good idea what can be done and what settings exist. All environments are different, but a good base I hope.

    • @XwolfBane18 2 years ago +1

      @IntuneVitaDoctrina that's perfect, I'm trying to get the fundamentals so a good base is something I need for my Intune learning :)

  • @yulaw3289 2 months ago +1

    super useful, thanks a lot!!

    • @IntuneVitaDoctrina 2 months ago

      @yulaw3289 thank you so much for this nice comment, happy to hear

  • @ashwinikumarsccm307 1 year ago +1

    Really excellent 👌👌 videos

    • @IntuneVitaDoctrina 1 year ago

      Thank you so much Ashwini for your comment, happy to hear

  • @M365tunes 2 years ago +6

    Nice video, can you make a video on how to get the update status reporting and then non-compliance device troubleshooting?

    • @IntuneVitaDoctrina 2 years ago +2

      Thanks @Spitzer, good ideas. For Update Status reporting, is checking in the console enough, or do you mean an email report or exporting the data to another tool? The non-compliance device troubleshooting, or actually a bigger part, could go through Device Compliance in one video and explain what it is and what it is used for and add in troubleshooting there.
      At my fake company JBN I would for example set compliance that all devices got the latest Updates, BitLocker encrypted and that the Firewall is enabled or alike.
      Good idea, hope to be able to make that.

    • @M365tunes 2 years ago +2

      @IntuneVitaDoctrina Thanks. Looking forward to new videos.

  • @davidbourgie2843 1 year ago +1

    Thanks for that precious video. So as a quick summary, we don't need any server WufB to deploy updates like it was before with WSUS, but only Intune settings and adding an AzureAD/Intune group?

    • @IntuneVitaDoctrina 1 year ago

      Correct David, WSUS is a great product still (but for Intune clients, no need). I thought it was more useful when you approved separate updates, now they are Cumulative so you more or less must deploy all updates, and then WufB is great: in the simplest form you target, set a deadline and off you go!

  • @freshpie1986 1 year ago

    Clearly defined. Thank you 😇

  • @kyevi 1 year ago +1

    Hi, what I don't understand is how do I set an update ring without the feature update? What if I wanted only the Quality Updates? Or vice versa?

    • @IntuneVitaDoctrina 1 year ago +1

      Hi, that is a good question. If you don't want feature updates (I guess sooner or later you would) you just don't set up any, and you get only Quality Updates for that version of Win10/Win11 you are running. Vice versa, only feature updates and no quality updates, I cannot see that scenario with current security vulnerabilities, you would always want to get out quality updates ASAP. You can set them up and go back 3 versions (now to July) and set deadline there, but nothing I recommend.

    • @kyevi 1 year ago +1

      @IntuneVitaDoctrina thanks a lot!

  • @banreetkaur3177 1 year ago +1

    How do you connect the deployment to the ring? We are only adding groups to the deployment.

    • @IntuneVitaDoctrina 1 year ago

      Hi Banreet, if I didn't answer your question please add more info.
      We created Update rings, and we connect it at "Assignments" by adding AzureAD/Intune group.
      So if you create Ring 0 for example and put your settings there, and then create an AzureAD group named maybe also something with Ring 0, then in the Ring 0 Assignment you add the group and connect them that way

  • @jerrypeacock930 1 year ago +1

    Is there a way to block a specific Quality Update from installing? Instead of having to let it install and then initiate an uninstall?

    • @IntuneVitaDoctrina 1 year ago +1

      That is a very good question, and sadly I don't have a good answer, maybe someone else reading here can help.
      My take on it is that I'm okay to delay a Quality Update, but not block or remove one, since they are cumulative.
      Most security certificates/policies require latest OS updates and uninstalling for a longer time violates that.

  • @Stinger301 1 year ago +1

    Hi, great video.
    I have a question, how would you manage windows server OS updates via intune?

    • @IntuneVitaDoctrina 1 year ago +1

      Thanks, your question is a great one. I haven't done it myself. Windows Servers don't have Intune Agent so you cannot manage Servers with Intune. I could be wrong here, but I recall seeing if you have Configuration Manager and Co-management you can see Servers through there and manage them through Intune, but the actual commands go through SCCM/Configuration Manager.
      Personally I would love to be able to manage servers by Intune and hope it is coming, but right now it is only for client OS.
      Sorry, not a good answer. Also hearing about Azure Update Manager that seems to be something (will have to learn that one myself): learn.microsoft.com/en-us/azure/update-center/overview?tabs=azure-vms

    • @Stinger301 1 year ago +1

      Hi. Thanks for the prompt response. I really appreciate it.

  • @sachinsehrawat9866 1 year ago +1

    Video was very useful and well explained.
    I do have a question about deferral time.
    What is the best way to decide the deferral time for these updates?

    • @IntuneVitaDoctrina 1 year ago +2

      Good question! My personal take on it, depends a bit on WHEN you want the users to be forced to restart. Such as Sales companies are often sensitive end of month, don't time the forced update restart when your business is at its most busy.
      I would recommend for validation to be done within 7 days and maybe the rest within 14 days from release, but not more. 14 days could be too much, but depends on business.
      It could be something to tweak and work in progress based on feedback, you don't want zero-day vulnerabilities unpatched too long, but also not too fast so users cannot do their work since restarts can be disruptive.

    • @sachinsehrawat9866 1 year ago +1

      @IntuneVitaDoctrina Thanks 😊

  • @cookwitmona3151 1 year ago +1

    What updates does "Microsoft product updates" in Intune contain?

    • @IntuneVitaDoctrina 1 year ago

      Excellent question, the name isn't so good. If you hover over the little "i" you see the description says:
      "Control Whether to scan for updates from Microsoft Update"
      So if you set it to "block" you get no updates at all, no Quality Updates, and you can only get updates by manually downloading them and installing them manually.
      Can read more about this value here:
      learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice

  • @ianmelencio5752 4 months ago +1

    great work

    • @IntuneVitaDoctrina 4 months ago

      Many many thanks, love comments like that :)

  • @takacsi 1 year ago +1

    Hello, thanks for the video! How can I force to push out an important security update? So do I have any option to speed up some rollout?

    • @IntuneVitaDoctrina 1 year ago

      Thank you Takacsi,
      If you worked with WSUS you could approve back in the days each update and set deadline, now all updates are more or less Cumulative so either you get all or you pause and get none, no a la carte menu :)
      Not a perfect solution, but if a specific month's update is more important you could change the Ring's "Deadline for feature updates" and drop the days to a lower number and for next month adjust it up again.
      So no good reply to your question, to speed up for one update you need to change for all (for that month only).

  • @webclanka4490 1 year ago +1

    Thank you very much!

  • @jameseduard2092 1 year ago

    awesome very informative thanks and keep it up

  • @sohangurung261 4 months ago +1

    Will the user have to check for updates, or will updates automatically get pushed?

    • @IntuneVitaDoctrina 4 months ago

      Hi, good question! it pushes automatically, no need for user to check manually :)

    • @sohangurung261 4 months ago +1

      @IntuneVitaDoctrina is Intune free with Office 365 E3 and Business Basic licenses?

    • @IntuneVitaDoctrina 4 months ago

      Microsoft Intune (plan 1, which is what everyone has, all the other plans are special extras) is included in Microsoft 365 E3 (not Office) :)
      Microsoft Intune Plan 1
      A cloud-based unified endpoint management solution included with subscriptions to Microsoft 365 E3, E5, F1, and F3, Enterprise Mobility + Security E3 and E5, and Business Premium plans, including versions of these suites that do not include Microsoft Teams.

  • @majdiy 1 year ago +1

    Perfect!

  • @saranshjaiswalvlogs722 1 year ago +1

    What does deferral period mean?

    • @IntuneVitaDoctrina 1 year ago

      Hi, could you please point out when in the video (time) that was mentioned? We got two deadlines, "Deadline for feature updates" and "Deadline for quality updates", which sort of work as a deferral as you can install it during that period until you become forced. Not sure that answers your question?

  • @BACKSPIN9ball 1 year ago +1

    Hi, thanks for an amazing video. I have deployed this to test ring one with a Windows 10 22H2 device to upgrade to Windows 11 22H2, but so far nothing has happened. I have synced and left the device on for some time and still nothing.
    FYI this is a Hybrid virtual machine (DJ and AAD) if that matters.

    • @IntuneVitaDoctrina 1 year ago +1

      Thanks, and good information. Since it is a Hybrid it means it is connected to an On-prem AD, do you have a GPO there setting Windows Update? Could be conflicting policies.
      Very common that hybrids are pointing to a WSUS server, if there is a GPO for Windows Update please exclude the Device there or disable the GPO altogether.
      Else it is possible that the device also remembers the old server, if it has been in SCCM or alike also, you can easily delete it from registry.
      I use a PowerShell script that deletes the legacy GPO (might need to restart the Windows Update service on the client also). Here is the script (which also shows the registry path):
      ### Remediation script to remove legacy GPO settings for Windows Update
      ### Author: John Bryntze
      ### Date: 13th September 2023
      $wuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
      # Only delete (and report success) when the legacy policy key actually exists
      if (Test-Path -Path $wuPolicyKey) {
          Remove-Item -Path $wuPolicyKey -Recurse -Force -Confirm:$false
          Write-Host "Removed!"
      }

    • @BACKSPIN9ball 1 year ago

      @IntuneVitaDoctrina thank you so much for this.
      However I have tried it on an Intune only W10 device that I want to upgrade to W11 but it picks up the update configs from Intune but will not display or automatically update to W11.
      FYI this is a VM, not a physical computer, with a TPM key and enough RAM for W11.
      Did you test on a physical PC or VM?

    • @IntuneVitaDoctrina 1 year ago

      Yes, it works on physical and VM, both work.
      I think it is conflicting settings, have you checked the registry key I mentioned above? Delete that to remove the GPO that points to another server.
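
A read-only check for the registry key discussed in this thread, added here as an example and not part of the original comments or the channel's script: it lists the WSUS-related values a legacy GPO leaves under that key before anything is deleted. The value names are the standard WSUS Group Policy values; the function name `Get-LegacyWuPolicy` is made up for this example, and the exit codes assume the script is used as the detection half of an Intune remediation pair (1 = issue found, 0 = nothing to fix).

```powershell
# Added example: detection only, nothing is modified.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path -Path $wuKey -ChildPath 'AU'

# Hypothetical helper: returns one object per named value that exists under $Key.
function Get-LegacyWuPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Key,
        [Parameter(Mandatory)] [string[]] $Names
    )
    if (-not (Test-Path -Path $Key)) { return }   # key absent: nothing to report
    $props = Get-ItemProperty -Path $Key
    foreach ($name in $Names) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) {
            [pscustomobject]@{ Key = $Key; Name = $name; Value = $prop.Value }
        }
    }
}

# Values that redirect the Windows Update client to WSUS or switch off automatic updates.
$findings = @(
    Get-LegacyWuPolicy -Key $wuKey -Names 'WUServer', 'WUStatusServer',
                                          'DoNotConnectToWindowsUpdateInternetLocations'
    Get-LegacyWuPolicy -Key $auKey -Names 'UseWUServer', 'NoAutoUpdate'
)

if ($findings.Count -gt 0) {
    # One line per value, so the output shows which server the device still points at.
    $findings | ForEach-Object { Write-Output ('{0}\{1} = {2}' -f $_.Key, $_.Name, $_.Value) }
    exit 1   # legacy Windows Update policy present
}

Write-Output 'No WSUS/legacy Windows Update policy values found.'
exit 0
```

If the values come back after the key has been deleted, the GPO is still in scope for the device and rewrites them at the next Group Policy refresh.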

  • @FlavioMaselli 8 months ago

    "Beeetaaaa".... 😂😂😂

  • @avidyoutuber4952 1 year ago +1

    Hey question. Do you have a video on how to troubleshoot Update errors in Intune? For some reason I got some quality updates that are failing. Thanks.

    • @IntuneVitaDoctrina 1 year ago +1

      Hi, good question and topic. I don't have any, I would love to do a video, but then I must be able to reproduce it on my test machines in order to show the solution, else it would be a video just talking and not showing.
      Do you have an error code or alike? Then I'll take a look what the error could be and try to reproduce it, but not so easy, but maybe :)