Software Update Policy Rings in Intune MEM

This post shows how to set up Windows 10 Software Update Policy Rings in the Intune Endpoint Manager (MEM) portal.

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We need to configure a Windows Software Update policy and deploy that policy to Windows 10 devices.

I have an updated post on the Intune monthly patching guide, troubleshooting, etc.: Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching: Software Update Patching Options With Intune Setup Guide (anoopcnair.com).

Related Post: Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates

Windows 10 devices take software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the software updates, create a package, and deploy it to the devices (as you can see in this video post here).

Windows Update for Business gives us more options to configure and control the behavior of Windows 10 updates and servicing. Update: FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune video tutorial to help create software update rings for Windows 10

We have an out-of-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policies. I have noticed that this out-of-box configuration policy stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.

The first choice is to use custom policies in the Intune Silverlight portal if your Silverlight portal is not yet migrated to the MEM portal. I have a post that talks about Intune Silverlight migration blockers here.

The second choice is to control Windows Update for Business via the Software Updates button in the Intune blade in the MEM portal. We will cover this in this post.


Basic Test Rings for Windows 10 Software Update

You may need to create at least two Windows 10 Software Update Policy Rings for your organization as a very basic requirement. One Windows 10 update ring is for Windows 10 machines that are in the Current Branch (CB).

The second Windows 10 update ring is for Windows 10 machines that are in the Current Branch for Business (CBB). Windows 10 update rings will evolve as you progress with testing and development for your organization, but this is the first stage of testing software update deployments.

  • Windows 10 CBB Update Ring - All the devices in Current Branch
  • Windows 10 CB Update Ring - All the devices in Current Branch for Business

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation would be to create different Windows 10 Software Update Policy Rings for deferrals of the Windows 10 servicing branches CB and CBB. We can put a maximum of 30 days delay in Windows 10 software update rings. These two update rings help you test the latest Windows 10 CB/CBB servicing updates (e.g. an upgrade from 1607 to 1703) on some pilot devices rather than deploying servicing updates to all the devices at the same time.

During the pilot testing of CB, if you find any problem with the upgrade and you don’t want to deploy the update to the CBB ring, then you have the option to PAUSE the updates for the production ring.

  • Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
  • Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
  • Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
  • Production Windows 10 CB Updates Ring - Production Servicing Ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.

One is for the pilot machines which are on Windows 10 CBB, and the second ring is for the production machines which are on Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.

  • Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
  • Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring

How to create advanced Windows 10 Software Update Rings?

There could be other, more complex scenarios for Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of each region or business group of your organization. Some of the other important options you have in Windows 10 Software Update Policy Rings are:

  • Windows 10 automatic update behavior: how you want to scan for, download, and install updates, including the scheduling options for Windows updates.
  • Whether you want to update Windows 10 drivers as part of your patch deployment rings or not.
  • What kind of Delivery Optimization (the built-in caching solution in Windows 10) you want to use.

Deployment – Assignment of Windows 10 Software Update Rings

Windows 10 Software Update Policy Ring deployments/assignments are very critical decisions to make. I would recommend using dynamic device groups wherever possible, but at the moment this is not possible for all the scenarios. I think, in some scenarios, we need to use static device/user groups. I hope Microsoft will come up with exclusion group options for assignments (similar to AAD Conditional Access policies).

The exclusion groups would be really useful in Software Update ring deployment scenarios. For example, you want to exclude pilot devices from the production software update ring deployments. At this point, it’s not possible without exclusion options.
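A pre-deployment check for the pilot/production ring plan and the static-group overlap problem described above, as an added example that is not part of the original post. The `Ring` record, the device names and the deferral values are constructed for illustration, and the rule that a pilot ring defers less than its production ring is an assumption; the 30-day cap is the one stated on this page.

```python
from dataclasses import dataclass, field

MAX_DEFERRAL_DAYS = 30  # maximum delay this page states for an update ring

@dataclass
class Ring:  # hypothetical planning record, not an Intune or Graph object
    name: str
    branch: str        # "CB" or "CBB"
    kind: str          # "servicing" or "quality"
    stage: str         # "pilot" or "production"
    deferral_days: int
    devices: set = field(default_factory=set)  # members of the assigned static group

def validate_plan(rings):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    tracks = {}
    for r in rings:
        if not 0 <= r.deferral_days <= MAX_DEFERRAL_DAYS:
            findings.append(f"{r.name}: deferral of {r.deferral_days} days is outside 0-{MAX_DEFERRAL_DAYS}")
        tracks.setdefault((r.branch, r.kind), {})[r.stage] = r
    for (branch, kind), stages in sorted(tracks.items()):
        pilot, prod = stages.get("pilot"), stages.get("production")
        if pilot is None or prod is None:
            findings.append(f"{branch} {kind}: needs both a pilot and a production ring")
            continue
        # Assumption: pilot devices should receive an update before production.
        if pilot.deferral_days >= prod.deferral_days:
            findings.append(f"{branch} {kind}: pilot does not defer less than production")
        # Without exclusion groups, a device in both groups gets both rings.
        overlap = sorted(pilot.devices & prod.devices)
        if overlap:
            findings.append(f"{branch} {kind}: in pilot and production groups: {', '.join(overlap)}")
    return findings

def sample_plan():
    """Constructed sample data; device names and deferral values are made up."""
    return [
        Ring("Pilot Windows 10 CB Quality Updates Ring", "CB", "quality", "pilot", 0, {"PC-001", "PC-002"}),
        Ring("Production Windows 10 CB Quality Updates Ring", "CB", "quality", "production", 7, {"PC-002", "PC-003"}),
        Ring("Pilot Windows 10 CBB Updates Ring", "CBB", "servicing", "pilot", 14, {"PC-010"}),
        Ring("Production Windows 10 CBB Updates Ring", "CBB", "servicing", "production", 45, {"PC-011"}),
    ]

if __name__ == "__main__":
    for finding in validate_plan(sample_plan()):
        print(finding)
```

Run it against an export of your own group memberships before assigning rings; any device reported in both groups has to be removed from one static group by hand.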

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.