In this blog post, part 15 of the Keep it Simple with Intune series, I will show you how you can switch on management of Windows 10 updates on your devices.
Feature updates have a separate feature, currently in preview, within the Endpoint Manager console, so bear that in mind when configuring the update ring. There’s lots of choice in your configuration when setting update rings up, so let’s take a look at that process.
In the MEM Admin Center
In the MEM admin center, select Devices\Windows 10 update rings. Click the Create profile link.
We’re now at the Create Windows 10 update ring wizard. Enter a Name for the profile and an optional Description. Click Next.
There’s a bunch of update settings we can apply and it’s a case of ‘best fit’ for your business. Here’s a run through of some of them.
For the Servicing Channel you have the choice of:
- Semi-Annual Channel
- Semi-Annual Channel (targeted)
- Windows Insider – Fast
- Windows Insider – Slow
- Release Windows Insider
For the Quality update deferral period (days) you have the choice of 0 – 30 days. This is in addition to any deferral period that is part of the service channel you select.
For the Feature update deferral period (days) you can specify the deferral period in addition to any deferral period that is part of the service channel you select.
Note the supported deferral period:
- Windows version 1709 and later – 0 to 365 days
- Windows version 1703 – 0 to 180 days
If you are using the Windows 10 feature updates (Preview) feature then this setting MUST be set to 0.
We can choose the Automatic update behavior, with an active start and end time, and enforce Restart checks. For Restart checks, Microsoft states:
‘Windows version 1703 and earlier – When you restart a device, there are some checks that occur, including checking for active users, battery levels, running games, and more.
Windows version 1709 and later – During Active Hours, the following processes don’t run for updates: scan, download, install, and reboot. After Active Hours, the update processes do run and can wake the device from sleep, scan, download, install, and reboot the device as long as the battery checks and power checks pass.’
You can block users from pausing or scanning for updates and more.
You can choose the notification behaviour, with timings for dismissible and non-dismissible auto-restart warnings, and any deadline settings. When you are happy with your configuration, click Next.
Now we need to target a group for deployment. Click the +Select groups to include link and add accordingly. I have added my Intune Test Devices. Click Next.
At the Review + create screen, confirm you are happy with your configuration and then click Create.
In the Overview section of the update ring, you have the option to Delete, Pause, Resume, Extend or Uninstall.
- Delete – stops enforcing the settings of the update ring.
- Pause – stops an update (quality or feature) from being assigned for up to 35 days from when the ring is paused
- Resume – resumes after the update ring is paused
- Extend – allows extension of a paused ring by resetting the paused period
- Uninstall – used to roll back the latest quality or feature update.
On the endpoints
Once policy is refreshed, you can see that the devices will report that *Some settings are managed by your organization in the Settings app under Update & Security\Windows Update.
If you click the View configured update policies link you’ll see all the policies which you have configured are assigned to the device.
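To check the deferral values from a script rather than the Settings app, here is an added example (not part of the original post) that compares them against the ranges listed earlier. The function name `Test-UpdateRingDeferral` is hypothetical; the script assumes the ring's values land under the MDM PolicyManager `Update` registry key with the Update policy CSP value names, and falls back to constructed sample values when that key is absent.

```powershell
# Added example: checks update ring deferral values against the ranges in this post.
function Test-UpdateRingDeferral {
    param(
        [Parameter(Mandatory)][int]$QualityDeferralDays,
        [Parameter(Mandatory)][int]$FeatureDeferralDays,
        [Parameter(Mandatory)][int]$WindowsVersion,   # numeric release, e.g. 1703, 1709, 1909
        [switch]$UsesFeatureUpdatesPolicy             # Windows 10 feature updates (Preview) is assigned
    )
    $findings = @()
    # Quality updates can be deferred 0 to 30 days.
    if ($QualityDeferralDays -lt 0 -or $QualityDeferralDays -gt 30) {
        $findings += "Quality deferral of $QualityDeferralDays days is outside 0-30"
    }
    # Feature updates: 0-365 days on 1709 and later, 0-180 days on 1703.
    # Assumption: releases older than 1703 are treated like 1703.
    $maxFeature = if ($WindowsVersion -ge 1709) { 365 } else { 180 }
    if ($FeatureDeferralDays -lt 0 -or $FeatureDeferralDays -gt $maxFeature) {
        $findings += "Feature deferral of $FeatureDeferralDays days is outside 0-$maxFeature for version $WindowsVersion"
    }
    # The feature updates (Preview) policy requires the ring's feature deferral to be 0.
    if ($UsesFeatureUpdatesPolicy -and $FeatureDeferralDays -ne 0) {
        $findings += "Feature deferral must be 0 when Windows 10 feature updates (Preview) is used"
    }
    return $findings
}

# Assumption: effective MDM Update policy is stored under this key on an enrolled device.
$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
if (Test-Path $key) {
    $policy  = Get-ItemProperty -Path $key
    $quality = [int]$policy.DeferQualityUpdatesPeriodInDays
    $feature = [int]$policy.DeferFeatureUpdatesPeriodInDays
    $version = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
} else {
    # Constructed sample values so the script also runs on an unmanaged machine.
    $quality = 7; $feature = 30; $version = 1909
}

# Pass -UsesFeatureUpdatesPolicy only if that policy is also assigned to the device.
$result = Test-UpdateRingDeferral -QualityDeferralDays $quality `
    -FeatureDeferralDays $feature -WindowsVersion $version -UsesFeatureUpdatesPolicy
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Deferral settings are within the supported ranges." }
```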
I hope that gets you up and running quickly with applying Windows quality updates to your devices.
Be sure to take a look at the other blog posts in the series:
- #1 Enable password reset for users
- #2 Push out your customised Start Menu
- #3 Disk Encryption
- #4 Deploying a Win32 app
- #5 Intune session from Charlotte Systems Management User Group
- #6 Configure OneDrive and KFR
- #7 Deploying the Edge Browser
- #8 Introduction to Device Restrictions
- #9 Manually enrolling a Windows 10 device into Intune
- #10 Applying App Protection
- #11 Deploying a PowerShell script
- #12 Deploying Microsoft Edge Stable via the MEM Admin Center
- #13 Uninstalling Microsoft Edge Beta
- #14 Enabling Credential Guard on your endpoints