Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We need to configure a Windows software update policy and deploy that policy to Windows 10 devices.
Windows 10 devices take the software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the software updates, create a package and deploy it to the devices (as you can see in this video post here). Windows Update for Business gives us more options to configure and control the behavior of Windows 10 updates and servicing.
Intune video tutorial to help create software update rings for Windows 10 here
We have an out-of-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policies. I have noticed that this out-of-box configuration policy stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.
The first choice is to use custom policies in the Intune Silverlight portal if your Silverlight portal is not yet migrated to the Azure portal. I have a post which talks about Intune Silverlight migration blockers here. The second choice is to control Windows Update for Business via the Software Updates button in the Intune blade in the Azure portal. We will cover this in this post.
Basic Test Rings for Windows 10 Software Update
You may need to create at least two Windows 10 Software Update Policy Rings for your organization as a very basic requirement. One Windows 10 update ring is for Windows 10 machines which are in Current Branch (CB). The second Windows 10 update ring is for Windows 10 machines which are in Current Branch for Business (CBB). Windows 10 update rings will evolve as you progress with testing and development for your organization, but this is the first stage of testing software update deployments.
- Windows 10 CBB Update Ring - All the devices in Current Branch
- Windows 10 CB Update Ring - All the devices in Current Branch for Business
Pilot and Production Rings for Windows 10 CB and CBB Servicing
Another recommendation would be to create different Windows 10 Software Update Policy Rings for deferrals of the Windows 10 servicing branches CB and CBB. We can put a maximum of 30 days delay in Windows 10 software update rings. These two update rings would help to test the latest Windows 10 CB/CBB servicing updates (e.g. upgrade from 1607 to 1703) with some pilot devices rather than deploying servicing updates to all the devices at the same time. During the pilot testing of CB, if you find any problem with the upgrade and you don’t want to deploy the update to the CBB ring, you have the option to PAUSE the updates for the production ring.
- Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
- Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
- Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
- Production Windows 10 CB Updates Ring - Production Servicing Ring for CB
Pilot and Production Rings for Windows 10 Monthly Security Patches
I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings. One is for the pilot machines which are on Windows 10 CBB and the second ring is for the production machines which are on Windows 10 CBB. The same applies to Windows 10 CB devices: the CB machines should also have two rings.
- Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
- Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
- Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
- Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring
How to create advanced Windows 10 Software Update Rings?
There could be other, more complex scenarios for Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of each region or business group of your organization. Some of the other important options you have in Windows 10 Software Update Policy Rings are:
- Windows 10 automatic update behavior – how you want to scan for, download, and install updates, and the scheduling options for Windows Update.
- Whether you want to update Windows 10 drivers as part of your patch deployment rings or not.
- What kind of Delivery Optimization (the built-in caching solution in Windows 10) you want to use.
Deployment – Assignment of Windows 10 Software Update Rings
Windows 10 Software Update Policy Ring deployments/assignments are a very critical decision to make. I would recommend using dynamic device groups wherever possible, but at the moment this is not possible for all scenarios. I think that in some scenarios we need to use static device/user groups. I hope Microsoft will come up with exclusion group options for assignments (similar to AAD Conditional Access policies). Exclusion groups would be really useful in software update ring deployment scenarios. For example, you may want to exclude pilot devices from the production software update ring deployments. At this point, that is not possible without exclusion options.
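The pilot/production ring layout and the assignment problem described above can be checked offline before any ring is created. The following is an added example, not part of the original post and not Intune's own tooling: device names, group membership and deferral values are constructed, and the rule that a production ring must defer longer than its pilot ring is an assumption drawn from the pause-before-production workflow described earlier.

```python
# Added example: offline sanity check of an update-ring plan (constructed data).
from dataclasses import dataclass, field

MAX_DEFERRAL_DAYS = 30  # maximum delay the post gives for an update ring

@dataclass
class Ring:
    name: str
    branch: str            # "CB" or "CBB"
    stage: str             # "pilot" or "production"
    deferral_days: int
    devices: set = field(default_factory=set)  # members of the assigned static group

def validate(rings):
    """Return a list of human-readable problems found in the ring plan."""
    problems = []
    for r in rings:
        if not 0 <= r.deferral_days <= MAX_DEFERRAL_DAYS:
            problems.append(f"{r.name}: deferral {r.deferral_days} outside 0-{MAX_DEFERRAL_DAYS} days")
    for branch in sorted({r.branch for r in rings}):
        stages = {r.stage: r for r in rings if r.branch == branch}
        pilot, prod = stages.get("pilot"), stages.get("production")
        if pilot is None or prod is None:
            problems.append(f"{branch}: needs both a pilot and a production ring")
            continue
        # Assumption: production must lag the pilot, or there is no window to pause it.
        if prod.deferral_days <= pilot.deferral_days:
            problems.append(f"{branch}: production deferral must exceed pilot deferral")
        # No exclusion groups: a device in both static groups is targeted by two rings.
        for dev in sorted(pilot.devices & prod.devices):
            problems.append(f"{branch}: {dev} is assigned to both pilot and production")
    return problems

def production_members(all_devices, pilot_devices):
    """Static production group = every device of the branch minus the pilot devices."""
    return set(all_devices) - set(pilot_devices)

# Constructed sample plan for the quality-update rings named in the post.
CB_ALL = {"cb-pc-01", "cb-pc-02", "cb-pc-03"}
PLAN = [
    Ring("Pilot Windows 10 CB Quality Updates Ring", "CB", "pilot", 0, {"cb-pc-01"}),
    Ring("Production Windows 10 CB Quality Updates Ring", "CB", "production", 7, set(CB_ALL)),
    Ring("Pilot Windows 10 CBB Quality Updates Ring", "CBB", "pilot", 7, {"cbb-pc-01"}),
    Ring("Production Windows 10 CBB Quality Updates Ring", "CBB", "production", 45, {"cbb-pc-02"}),
]
```

Calling `validate(PLAN)` on this sample reports the 45-day deferral and the pilot device that is also in the production group; `production_members` builds the static production group that stands in for the missing exclusion option.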