Windows Update for Business is one of the new things Microsoft proposed along with Windows 10. It has come a long way since it’s release. Even if it isn’t perfect yet, or give all the flexibility that ConfigMgr (MEMCM) offer when managing monthly update or feature release, for many small/medium business, this brings a more simple approach to patching and maintaining Windows 10 up to date. In this post, we will detail how to configure Intune Windows Update for Business to patch Windows 10 devices managed by Intune
- Windows 10 must be managed by Intune
- If Windows 10 is being co-managed with ConfigMgr(MEMCM), make sure the slider for Software Update is set to Intune
Intune Windows Update Business – Update rings strategy
Depending on multiple factors, the key for Windows Update for Business to be successful is to define the various update rings for your enterprise.
Here, no magic answer or one size fit all scenarios.
To take in consideration to build your strategy :
- Number of users total/per rings
- Risk tolerance for the Feature update release
- Windows 10 Pro vs Enterprise
- Pro only allows 18months support following the release date of a build. Feature update strategy is likely to be more aggressive than if Windows 10 Enterprise is used with its 30months policy for autumn releases.
What we usually recommend :
- Minimum of 3 Update rings
- Test, with a few IT people only
- Pilot, with more IT people and users for many department/roles
- Production, with everyone else.
- Depending on the total amount of user and support capacity, consider multiple Prod rings to avoid too many users at once installing Feature Update
- The monthly quality update can follow the same 3 major Update rings
- Test, within the first few days of release
- Pilot, within a week or so of the release
- Prod, within 2-3 weeks after release
- Remember, it’s not possible to deny a monthly update. So better be careful and avoid faulty updates for most of the users
- Servicing channel for most if not all should be Semi-Annual channel
- Carefully review User experience settings in the update ring. Find the best fit for your users along with security needs.
Here’s an example of an aggressive update rings configuration.
Create Windows 10 Update rings
- Open the Microsoft Endpoint Manager admin center
- Under Devices, select Windows 10 Update rings
- Click on Create profile
- Provide a name
- Configure the Update Ring settings
Lots of stuff in this screen.
Key points are Deferrals for both monthly and Feature updates.
Other settings are mostly about User Experience, so this needs to be reviewed case by case.
- Set scopes tags if needed
- Set the Assignments. Interesting point here is that you can target groups of users, which in the long run is a much easier way to target test and pilot users without care about the device anymore.
Monitor Windows Update for Business
This is still done with the Update Compliance from Windows Analytics. Note that this is the only component that hasn’t retired yet.
- Follow our post to configure Update Compliance
- Once configured, reporting will take a bit of time. After a few days, it will look like this
- It is possible to see the progress of both Monthly updates and Features updates.
For more details about Update Compliance, see Microsoft docs
When using Windows Update for Business, Delivery Optimization should be reviewed for better network effecianty.
Follow our post to enable Delivery Optimization for Windows 10 update/upgrades and Office 365 updates
There is also a new option Windows 10 feature Update that is currently in preview. This allow administrators to select the Feature update to target instead of leaving it only by default.
For more details about Windows Update for Business, see Microsoft docs