A major concern during modernization is “What do I do with patching now once I move to Microsoft Intune?” Most people think the answer is: “We just push those Windows Update profiles in Intune, right?” Today, we’re going to cover Windows patching on Microsoft Intune. We’ll discuss:
- What is Windows Update for Business (WUfB)?
- Windows Autopatch Elevates Patching to the Next Level
- The Right Reporting Strategy for Windows Patching
- Closing Thoughts
What is Windows Update for Business?
Today, you’re probably getting your patches via SCCM/WSUS. The on-prem tech is great and works really well. The challenge is that it requires line-of-sight to your domain, and we all know how that goes. Part of modernizing and moving to Intune is shifting right. Enter your new best friend: Windows Update for Business. So, what is it?
WUfB simply shifts patching from your on-prem servers to the public Windows Update servers. The service is free and available on Windows 10/11 Pro, Education, and Enterprise editions.
You can deploy WUfB through either GPO or Windows CSPs (e.g. Intune or 3rd-party MDMs). These settings control how and when devices are updated. First, we’ll talk about your Windows Update strategy.
The Windows Update service family includes 3 pillars:

Windows Update for Business Update Rings
We typically use a strategy we call rings. Basically, you create multiple rings around your org structure. You set up rings like the ones below, which phase in new quality updates, feature updates, etc. The goal is to make sure your key personnel aren’t impacted:

Your update ring has several settings you can leverage:
| Setting Name | Notes |
|---|---|
| Update Microsoft Products | Scans for app updates from Microsoft |
| Update Windows Drivers | |
| Quality Update Deferral Period | Defer up to 30 days from release |
| Feature Update Deferral Period | Defer up to 365 days from release |
| Upgrade Windows 10 to the latest Windows 11 update | |
| Feature Update Uninstall Period | Uninstall up to 60 days after install |
| Enable Pre-release Builds | Supports Insider, Beta, and Dev |
| Automatic Update Behavior | Notify of download; auto install during maintenance times; auto install and reboot during scheduled or maintenance times; auto install and reboot immediately |
| Active Hours | Set the hours during which you do not want updates to restart the device |
| Let Users Check and Pause Updates | |
| Update Notifications | Disable except restart warnings, fully disable, or default |
| Deadline Settings | Set a deadline of up to 30 days, a grace period of up to 7 days, and auto reboot before the deadline |
One last aspect of WUfB that I wanted to mention is its deployment service, which elevates Windows Updates even further.
Windows Update Deployment Service
The Windows Update deployment service delivers approval, scheduling, and safeguarding of updates for managed devices. Its APIs approve and schedule specific updates for deployment, and they are exposed through the Microsoft Graph APIs and SDKs.
We do have a few requirements to leverage it:
- Entra-joined or hybrid-joined devices
- License requirements (one of):
  - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  - Windows Virtual Desktop Access E3 or E5
  - Microsoft 365 Business Premium
- Supported editions: Windows 10/11 Pro, Education, Enterprise, Pro Education, or Pro for Workstations
You can read about other specific requirements around tenant types and network here.
The differentiator of the deployment service is a centralized control point for update behavior instead of device-side policies. The deployment service is implemented at the level of the Windows Update service itself. The idea is simple:
- An API client, tool, or MDM like Intune gathers the information to be sent, such as the target devices and the update content to deploy.
- The tool (e.g. Intune) tells the deployment service what is being requested.
- The deployment service processes the request and does a delta check against previous requests. The Windows Update servers are then told what to offer on each device’s next scan.

Now we can quickly discuss what you can do in a few of these scenarios: feature updates, quality updates, and drivers.
Feature Update
This lets you deploy a specific feature update to your users. You can leverage 3 different rollout strategies:
- Deliver it ASAP
- Deliver on a specific date
- Gradual rollout (set the start date, the end date, and the number of days between your rings, and it will roll the update out gradually)
Expedite Quality Updates
You select a quality update and the number of days before a restart is enforced.
Driver Updates
You can manually choose which drivers to update, or update drivers automatically with the ability to defer them.
Windows Autopatch Elevates Patching to the Next Level
So, Windows Update for Business sounds really cool, right? The problem is that it can be tough to manage. Most people don’t realize Windows Autopatch is available in Microsoft Intune.
Windows Autopatch eliminates the worry about managing rings or your overall patch strategy. It does a nice job of shifting the burden from your IT team to Microsoft. Windows Autopatch builds on top of WUfB and couples it with other service components to deliver an automated patching solution.
The requirements for using Autopatch are:
- Windows 10/11 Enterprise E3 or higher
- Entra ID P1 or P2
- Entra join or hybrid join
- Intune-managed devices
- Co-management requirements:
  - Intune cloud-attached
  - Windows Update, Device Configuration, and Office Click-to-Run workloads are Intune-managed
Let’s check out a short demo on how to enroll with Windows Autopatch before we learn more.
Now that it has been set up, we will cover the basics of Windows Autopatch. A future article will cover advanced configuration of Autopatch.
One thing that I do want to cover today is release management settings. One current issue that I am working on with product management is “Expedited Quality Updates”, which addresses critical patches: e.g. a zero-day patch hits and the feature expedites delivery of that patch. Currently, the expedite quality updates capability creates profile conflicts, which could put your devices into an unhealthy state. My recommendation at this time is to disable it. You work with this and other features inside of “Release Settings”:

Windows Autopatch Update Management
Windows Autopatch manages a few key areas:
| Area | How the Magic Happens | Target SLA |
|---|---|---|
| Windows quality updates | Windows Autopatch deploys CSPs to each update deployment ring to control the rollout. Deferrals, deadlines, and grace periods are used to shape the experience. | The goal is to hit 95% of devices updated within 21 days. |
| Windows feature updates | Feature update profiles are created that correlate to Windows Autopatch groups to roll out new feature updates gradually. The profile contains the minimum supported OS at the moment, which is 21H2. You can create custom profiles to enforce newer OS versions, which will automatically deactivate the existing ones. | The goal is to keep 99% of devices on a supported OS. |
| Microsoft 365 Apps | Covers the primary suite, Visio, and Project. No policy conflicts can exist. This doesn’t rely on rings, as it’s powered by the Microsoft CDN. The service relies on the devices, which receive notifications like regular Office updates. Devices must have checked in within the last 5 days, and apps must close for the update process to complete. | The goal is to keep 90% of devices on a supported version of the Monthly Enterprise Channel. Supportability is a 2-month window. |
| Microsoft Edge | You must ensure no policy conflicts exist, and an Edge restart is required to apply updates. Updates are checked for every 10 hours. Quality updates occur weekly. Feature updates happen every 4 weeks and roll out progressively. | All users see updates within a few days of release. |
| Microsoft Teams | The user must be signed into the device and into Teams. Updates are checked for every few hours. After the download, the device must reach an idle state for 40 minutes to perform the automatic update. | Updates happen once a month, or twice a month for members of TAP. |
Windows Autopatch Device Registration
As part of my earlier demo, I covered adding/setting up the default registration group to ensure the right devices are auto-enrolled in Windows Autopatch. By default, Windows Autopatch uses a group called Windows Autopatch Device Registration, to which you can add nested groups. The dynamic membership rule I use can be seen below:
(device.deviceOSType -eq "Windows") and (device.deviceManagementAppId -contains "0000") and (device.deviceModel -notContains "Cloud PC")
As you can see, my group captures Intune-managed Windows devices other than Cloud PCs (I put Cloud PCs in a different group to keep them separate):

The goal of this design is to ensure that we don’t have to constantly add users to these Autopatch groups by hand, which will literally drive you crazy unless you build it in an intentional way. The goal of Windows Autopatch is to deliver patches in an automated fashion, and this design helps you achieve exactly that.
Windows Autopatch Groups
One of the ways that Windows Autopatch builds on top of WUfB is with the Autopatch Group Service (which is actually a function app), as seen in the diagram below. It is part of the device registration microservice that runs inside Windows Autopatch.

Conceptually, it works like this:
- An Autopatch group is created.
- The Windows Autopatch service uses the Graph API to create the corresponding Entra groups and software update policy assignments, based on what you select when your group is created or edited.
- Intune assigns software update policies to that group after creation.
- WUfB handles delivering the update policies and retrieving deployment status from enrolled devices. The device status is sent to Intune and to the Windows Autopatch service.
What actually gets created is interesting. First, we start with the Entra groups that were created:

Next, we have the configuration profiles (the Modern Workplace groups are used for their assignments):
- Data Collection (enables settings around log collection, telemetry, and analytics configuration)
- Edge Update Channel Profiles (point at the target channel)
- MDM wins over GPO profile
- Office Configuration profile (sets automatic updates, sets the channel, and points devices at the CDN)
- 4 Update Rings (Broad, Fast, First, Test)
We also have the update rings (Test, Ring1-3, and Last), which use the Windows Autopatch groups for assignment:

Feature updates follow a similar idea also using Windows Autopatch groups:

Note: Quality update policies will get created as new quality updates are released.
Driver updates are similar, but they leverage the Modern Workplace groups:

For specific details on the policies, check out Microsoft’s article, as this one is already far too long.
Implementing Best-in-Class Reporting for Windows Update for Business
One of the big concerns of SCCM admins is substandard reporting on patches. When you implement Autopatch, you get this out of the box in your Reports section:

When drilling down, you get a bit more information, but overall it doesn’t meet many organizational requirements:

Now we have the ability to use the Windows Update for Business workbook, which closes the gap between Intune and SCCM.
These reports provide compliance data that lets you analyze and display information about your Entra-joined devices in multiple ways. This cloud-based solution pulls data from multiple report tables and correlates it into a view that is easy for administrators to work with. The solution leverages Log Analytics in Azure Monitor to store the diagnostic data from devices. One challenge is that many Intune admins may struggle to get access, but an Azure admin can set it up and share it with your Intune admins.
One other note: because it uses Log Analytics, you can extend it to Power BI, query the data directly via KQL, or build your own custom views into the data. You can see here an example of some of the data from the UCClientUpdateStatus table:
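As an added example that is not part of the original article, here is a KQL query over that same table which turns the raw rows into the Autopatch quality-update target from the update management table above (95% of devices updated within 21 days of release). The column names it uses (AzureADDeviceId, TargetKBNumber, UpdateCategory, UpdateClassification, ClientState, ClientSubstateTimeTransitionUtc, UpdateReleaseTime) and the "Installed" state value are my reading of the UCClientUpdateStatus schema, so check them against the schema pane of your workspace before relying on the numbers.

```kusto
// Added example (not from the article): per-update compliance against the
// Windows Autopatch quality-update goal of 95% of devices within 21 days.
// Assumed column names and the "Installed" state value come from my reading
// of the UCClientUpdateStatus schema; verify them in your own workspace.
let TargetDays = 21;        // Autopatch target window after release
let TargetPercent = 95.0;   // Autopatch target share of devices
UCClientUpdateStatus
| where TimeGenerated > ago(60d)
| where UpdateCategory == "WindowsQualityUpdate" and UpdateClassification == "Security"
| where isnotempty(TargetKBNumber)
// Keep only the latest status record per device and per KB, so a device that
// moved from "InProgress" to "Installed" is counted once, in its final state.
| summarize arg_max(TimeGenerated, ClientState, ClientSubstateTimeTransitionUtc, UpdateReleaseTime)
    by AzureADDeviceId, TargetKBNumber
// A device is on time only if it reached Installed within TargetDays of release;
// devices still pending, failed, or installed late all count against the target.
| extend InstalledOnTime = ClientState == "Installed"
    and datetime_diff('day', ClientSubstateTimeTransitionUtc, UpdateReleaseTime) <= TargetDays
| summarize Devices = dcount(AzureADDeviceId),
            OnTime = dcountif(AzureADDeviceId, InstalledOnTime),
            ReleaseTime = min(UpdateReleaseTime)
    by TargetKBNumber
| extend PercentOnTime = round(100.0 * OnTime / Devices, 1)
// An update younger than TargetDays cannot have missed the window yet, so flag
// whether the verdict is meaningful rather than reporting a false "miss".
| extend DaysSinceRelease = datetime_diff('day', now(), ReleaseTime)
| extend Assessable = DaysSinceRelease >= TargetDays
| extend MeetsTarget = Assessable and PercentOnTime >= TargetPercent
| project TargetKBNumber, ReleaseTime, DaysSinceRelease, Devices, OnTime, PercentOnTime, Assessable, MeetsTarget
| order by ReleaseTime desc
```

Run it in the Log Analytics workspace that the Windows Update for Business reports write to. MeetsTarget only means something once Assessable is true; a row with Assessable false is simply still inside its 21-day window, and the same shape of query can be pinned to a workbook or pulled into Power BI for a rolling view.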

That platform provides deeper insights into your device estate. It starts with a nice overview dashboard:

You also get tabs for quality updates, feature updates, driver updates, and delivery optimization like this one below:

Final Thoughts
Windows Autopatch is the culmination of something I have been asking for from multiple vendors for a long time: a next-generation patching solution that can intelligently keep devices up to date and healthy. Outside of the issues I’ve seen with expedited quality updates, I have had a great experience with Windows Autopatch so far, but it’s still early. Patching starts with understanding how the technology works so you can leverage it to secure your organization.
This article will be a living document, which I expect to update as we learn more about Windows Autopatch. I truly believe it’s the future of patching, and I hope it is opened up to 3rd-party MDMs so we can enhance our cybersecurity posture as a world overall.

2 thoughts on “Deep Dive into Windows Patching with Microsoft Intune”
What about expedited quality updates? You wrote you had to disable it. How can you otherwise expedite a quality update of your own choosing (out of band or regular Patch Tuesday)? Or are you stuck waiting?
So, you can either enable expedited patching in Autopatch and hope that the issues I ran into a few months ago are gone, or you can leverage remediations to detect and remediate (which also comes with W11 Enterprise licenses).