
How to use Windows Update for Business with Intune

When organizations deploy Windows OS updates, they can use Windows Update for Business alongside Intune to closely manage all aspects of those updates.

Every IT administrator knows why Windows devices must be kept up to date, so the Windows Update for Business settings that control update behavior on those devices are critical for both security and the user experience.

Windows Update for Business is a cloud-native service, so it can manage endpoints that are connected practically all the time, wherever they are. That makes it all the more important that those devices stay current with the latest security updates and Windows features.

Microsoft Intune is the go-to platform for managing the settings that control those security updates and Windows features, and IT admins should make the most of the two technologies together.

Managing Windows Update for Business with Intune

Intune provides IT administrators with the ability to easily configure update settings on Windows devices using Windows Update for Business, including the deferral of update installations. Besides that, Intune also allows IT to keep Windows devices on a specific stable Windows version by preventing devices from installing feature updates.

It's important to keep in mind that Intune doesn't store the updates themselves -- the update content always comes from Windows Update. Intune only creates the policy that carries the desired settings; the device applies that policy and checks in with Windows Update, which then offers the required updates according to the configured deferral and deadline settings.

Besides that, Intune also passes specific configuration details to the Windows Update for Business deployment service, which uses them to determine which updates are offered to which devices. The deployment service requires a separate registration of each Windows device, and that registration requires the device to be Microsoft Entra joined (or Microsoft Entra hybrid joined). Any configuration option that relies on the deployment service therefore requires the targeted Windows devices to meet that requirement.

A diagram showing the Intune product family and related Microsoft services.
Figure 1. Microsoft Intune architecture and the Intune product family.

For any configuration that relies on the Windows Update for Business deployment service, Intune will automatically make sure that the targeted Windows device will register with the Windows Update for Business deployment service. The policy types in Intune that rely on the Windows Update for Business deployment service provide the IT administrator with more granular control over the deployment of the different updates.

IT administrators should also keep in mind that in September 2024, the Windows Update for Business deployment service was unified under Windows Autopatch.

What Intune policy types can affect Windows updates?

When using Microsoft Intune to manage Windows Update for Business settings, there are different policy types that IT can use to configure Windows devices. And all these policy types have their own purpose. The following policy types are available and can be assigned to groups of devices:

  • Update ring. This policy type is basically a collection of Windows Update for Business settings that IT can use to configure when Windows devices have their security updates and Windows features installed. This provides the IT administrator with basic update management capabilities on Windows devices to control security updates and Windows features. That includes settings to control the update deferral, the update deadline, the update products, the user experience and more. This policy type is supported by all devices running Windows 10 version 1607 or later, and Windows 11.
  • Feature update deployment. IT can use this policy type to update Windows devices to a specific Windows version that is specified by the IT administrator. Besides that, after the installation of the specific Windows version, this policy type will also make sure that the targeted Windows devices will freeze their Windows version. That freeze remains in place until the IT administrator specifically chooses to update those Windows devices to a later Windows version. In the meantime, those devices will continue to install quality and security updates that are available for their current Windows version. This policy type relies on the Windows Update for Business deployment service for controlling the feature deployment.
  • Expedite policy. Intune administrators can use this policy type to expedite the installation of the latest Windows security update on Windows devices. This helps IT quickly install a specific security update that fixes a known security issue, overriding the deferral settings of the Update ring that would otherwise delay it. This policy type relies on the Windows Update for Business deployment service for controlling the expedited deployment.
  • Windows quality update policy. With this policy type, IT can configure specific quality update policy settings. At the time of writing, this policy type is still in preview and can only be used to enable hotpatch updates on Windows devices. With this policy in place, eligible devices install the latest quality update without restarting.
  • Driver update profile. This policy type determines the approval and deployment settings for Windows driver updates. The main choice is between automatic installation of the latest recommended drivers and manual approval of each driver before it can be installed on the targeted Windows devices. This policy type relies on the Windows Update for Business deployment service for controlling the driver deployment.

How can Intune Update rings manage monthly Windows updates?

Of the policy types above, the most common Intune policy for Windows Update management is the Update ring. It determines when the device has to check in with the Windows Update services and when it will install the different types of updates. For more granular control over the updates that Windows systems will install, IT administrators can use the other policy types, which rely on the Windows Update for Business deployment service. To make sure that security updates and Windows features are gradually introduced within the organization, an IT administrator can use multiple Update rings. Each ring can have its own deferral and deadline configuration. Those settings determine when the updates will be installed and when the devices will restart to finish the installation of those updates.

The following steps walk through the creation of an Update ring in Microsoft Intune and focus on the different configuration options within that Update ring.

  1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Windows updates.
  2. On the Windows | Windows updates page, open the Update rings tab and click Create profile.
  3. On the Basics page, provide at least a unique name that distinguishes this Update ring from the others and click Next.
  4. On the Update ring settings page, go through the following configuration options and click Next.
  • Update settings. This section, as shown below in Figure 2, can be used to configure the update settings for this Update ring. That includes the settings to configure the products that should be updated, the update deferral for quality and feature updates and the prerelease channel, when applicable.

A screenshot showing the Windows Update ring section of Intune and the various settings that admins can adjust.
Figure 2. The Intune Update ring settings tab shows the 0-day period for update deferral.
  • User experience settings. This section, as shown below in Figure 3, can configure the user experience settings for this Update ring. That includes the automatic update behavior, options to allow users to pause and check for updates, and the deadline behavior for updates.

A screenshot of the Update ring creation section of Windows updates on Intune.
Figure 3. The option to create a new Update ring for Windows OSes using Intune.
  5. On the Assignments page, select the groups of devices that should receive this Update ring and click Next.
  6. On the Review + create page, review the configuration of the Update ring and click Create.

This creates a single Update ring. To introduce updates gradually within the environment, IT administrators can create multiple Update rings, each with its own deferral and deadline configuration for quality and feature updates, and assign them to different groups of devices.
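As an added example that is not part of this article, the following Python script models a staged set of Update rings of the kind described above as the Microsoft Graph payloads Intune stores for an Update ring profile (resource type windowsUpdateForBusinessConfiguration), validates the deferral, deadline and grace-period values, and computes, for a quality update released on a given date, when each ring offers it, when its deadline hits and when the restart is enforced. The ring names and values are this example's own choices, the input ranges are assumed from the admin center's limits, and the create_ring helper (which needs a Graph access token with DeviceManagementConfiguration.ReadWrite.All) is not invoked when the script runs.

```python
"""Staged Windows Update for Business rings as Intune stores them in Microsoft Graph.
Added example, not code from the article: builds the payloads for a pilot/fast/broad
set of Update rings, validates the settings, and works out the patch timeline per ring."""
import json
import urllib.request
from dataclasses import dataclass
from datetime import date, timedelta

# @odata.type of an Intune "Update ring" profile and the Graph collection it lives in.
GRAPH_TYPE = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"


@dataclass(frozen=True)
class UpdateRing:
    """One Update ring: the settings that decide when a device installs an update
    and when it is forced to restart to finish the installation."""
    display_name: str
    quality_deferral_days: int   # days after release before a quality update is offered
    feature_deferral_days: int   # same for feature updates
    quality_deadline_days: int   # days from the offer until installation is enforced
    feature_deadline_days: int
    grace_period_days: int       # extra days after the deadline before the restart is enforced
    automatic_update_mode: str = "autoInstallAtMaintenanceTime"

    def __post_init__(self) -> None:
        # Ranges assumed from the admin center's input limits (deferral 0-30 / 0-365,
        # deadline 2-30, grace period 0-7); anything else is refused before it is sent.
        limits = (
            ("quality_deferral_days", self.quality_deferral_days, 0, 30),
            ("feature_deferral_days", self.feature_deferral_days, 0, 365),
            ("quality_deadline_days", self.quality_deadline_days, 2, 30),
            ("feature_deadline_days", self.feature_deadline_days, 2, 30),
            ("grace_period_days", self.grace_period_days, 0, 7),
        )
        for name, value, lo, hi in limits:
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}-{hi}")

    def to_graph_payload(self) -> dict:
        """Body of the deviceConfiguration Intune creates for this ring."""
        return {
            "@odata.type": GRAPH_TYPE,
            "displayName": self.display_name,
            "qualityUpdatesDeferralPeriodInDays": self.quality_deferral_days,
            "featureUpdatesDeferralPeriodInDays": self.feature_deferral_days,
            "deadlineForQualityUpdatesInDays": self.quality_deadline_days,
            "deadlineForFeatureUpdatesInDays": self.feature_deadline_days,
            "deadlineGracePeriodInDays": self.grace_period_days,
            "automaticUpdateMode": self.automatic_update_mode,
            "businessReadyUpdatesOnly": "all",     # no Windows Insider prerelease channel
            "microsoftUpdateServiceAllowed": True,  # also update other Microsoft products
            "driversExcluded": False,
        }

    def quality_timeline(self, release_iso: str) -> dict[str, str]:
        """Key dates (ISO strings) for a quality update released on release_iso: the
        deferral delays the offer, the deadline counts from the offer, and the grace
        period is added on top before the restart is enforced."""
        release = date.fromisoformat(release_iso)
        offered = release + timedelta(days=self.quality_deferral_days)
        deadline = offered + timedelta(days=self.quality_deadline_days)
        forced_restart = deadline + timedelta(days=self.grace_period_days)
        return {
            "offered": offered.isoformat(),
            "deadline": deadline.isoformat(),
            "forced_restart": forced_restart.isoformat(),
        }

    def days_to_forced_restart(self) -> int:
        """Worst case from release to enforced restart for a quality update."""
        return self.quality_deferral_days + self.quality_deadline_days + self.grace_period_days


def build_staged_rings() -> list[UpdateRing]:
    """Three rings (names and values are this example's choices): pilot devices get
    every monthly update first, the broad ring last."""
    return [
        UpdateRing("WUfB - Ring 0 Pilot", 0, 0, 2, 5, 0),
        UpdateRing("WUfB - Ring 1 Fast", 3, 14, 3, 7, 1),
        UpdateRing("WUfB - Ring 2 Broad", 7, 30, 5, 14, 2),
    ]


def rollout_is_staged(rings: list[UpdateRing]) -> bool:
    """True when each ring defers longer and enforces no earlier than the one before it,
    so a bad update surfaces in the pilot ring before the broad ring is forced to install it."""
    return all(
        earlier.quality_deferral_days < later.quality_deferral_days
        and earlier.feature_deferral_days <= later.feature_deferral_days
        and earlier.days_to_forced_restart() <= later.days_to_forced_restart()
        for earlier, later in zip(rings, rings[1:])
    )


def create_ring(ring: UpdateRing, access_token: str) -> dict:
    """Create the ring in a tenant (token needs DeviceManagementConfiguration.ReadWrite.All).
    Assigning it to groups is a separate call, like the Assignments step in the portal."""
    request = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(ring.to_graph_payload()).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    rings = build_staged_rings()
    print("staged rollout:", rollout_is_staged(rings))
    for ring in rings:  # 2024-09-10 is a constructed example date (that month's Patch Tuesday)
        print(ring.display_name, ring.quality_timeline("2024-09-10"))
        print(json.dumps(ring.to_graph_payload(), indent=2))
```

Running the script prints each ring's payload and its timeline for the constructed example date; the broad ring, for instance, is offered the update a week after release and is forced to restart two weeks after it. The rollout_is_staged check is the invariant worth keeping when rings are edited later: a ring that enforces earlier than the ring before it silently defeats the staged rollout.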

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert.
