Windows Updates are essential. You receive new features, and even more important, security and driver updates. How does Microsoft Intune handle this? How to configure it, and everything you should know about licensing options and some security basics, in the last part of “Get started with Intune 2024”, my foundation for every future post on my blog.
Windows Update Rings
Prerequisites
Licensing
- Microsoft 365 E5
- Microsoft 365 E3
- Enterprise Mobility + Security E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 F1
- Microsoft 365 F3
- Microsoft 365 Government G5
- Microsoft 365 Government G3
- Microsoft Intune for Education
Overview
With Windows Update Rings you configure the update behavior for your Windows Devices in Microsoft Intune. Microsoft tries to make it as easy as possible with preconfigured templates. The template for Windows Update Rings includes the following sections:
Setup
Update-Settings
Here you define if Microsoft product and driver updates should be included in your update ring.
Recommendation
Please set “allow” otherwise your update-ring is pretty useless. Driver Updates can be scheduled in driver update section.
With this settings you configure how long your Intune devices wait until they install the released updates. You can set it for quality (security) and for feature updates.
Recommendation
Set the deferral period of quality (security) updates lower than feature updates. I like the devices being as up to date as possible, because of that I recommend to set 2 days for quality and 7 days for feature updates.
Please consider multiple update rings, for example 1 for production with these settings and 1 for IT-Testing with 0 day deferral for quality and feature updates.
Max value for deferral period is 365 (days).
With this check box you could allow the assigned devices to update to newest Windows 11 Build.
Recommendation
I wouldn’t check this box. Please configure a separate feature update policy, more on that here.
Here you set the maximum period in which a feature update can be uninstalled on a device.
If you want to deploy prerelease builds, you can enable it here. After enabling it you can choose between different channels.
Tip
Could be interesting for testing purposes in IT-department.
User Experience
Here you define how the updates get installed. You can choose between the following Settings:
- Notify to download
- Auto install at maintenance time
- Auto install and reboot at maintenance time
- Auto install and reboot at scheduled time
- Auto install and reboot without end user control
Tip
If you use maintenance time option, consider switching it, so that Windows is actually able to install the updates.
For example:
Set it to 06:00 AM to 03:00 PM
If you would set it according to the “real working hours” like 08:00 AM to 06:00 PM, your devices would always wait until the deadline is reached, assuming the user powers off the machine before 6 pm daily.
If you want to give the users the ability to pause or check for updates, you can activate it here.
Recommendation
I would disable the option to pause updates, but I personally enable the option to check for updates. If the user wants that, fine for me, the device is always up to date.
The last section is all about deadlines. Perfect for every IT-department! With deadlines it’s possible to force a device to install updates after a configured time in days. On top of that you can configure a grace period and auto reboot after reaching the deadline.
Recommendation
I would activate this option to ensure devices are up to date. How many days you actually set, depends on the requirements of your company.
Update Policies in Microsoft Intune
Feature or Quality Updates
Go to “Update rings for Windows 10 and later” section in Intune and “Feature updates” or “Quality updates” after that you click on “Create Profile”.
Now you can configure and assign your custom dedicated feature update policy: in this case a feature update policy to update devices to Windows 11 23H2.
Tip
Under “Rollout options” you could configure the release schedule of the feature update.
Windows Driver Updates
Prerequisites
Licensing
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
Setup
Automatic Update
Go to “Update rings for Windows 10 and later” section in Intune and “Driver updates” after that you click on “Create Profile”.
Now you can configure and assign your driver update policy. In this case we configure it to auto update drivers after 7 days of deferral period.
Recommendation
Set the same deferral period as you set in your primary update ring. In my case 7 days.
Manual Update
Go to “Update rings for Windows 10 and later” section in Intune and “Driver updates” after that you click on “Create Profile”.
Now you can configure and assign your driver update policy. In this case we configure it to manually update our drivers.
After configuring it, we see that Intune driver update is collecting all the eligible drivers for your Microsoft Intune devices. It will take some time.
After collecting all the eligible drivers you can click on “X to review” to review the available drivers. Drivers are ordered by “recommended” and “Other drivers”.
Security
Security for your Intune Devices is essential. Even without Microsoft Defender for Endpoint Licenses there are some useful and necessary settings for your devices. If you already have Microsoft Defender Licenses, stay tuned for my future posts!
Security Baselines
For Microsoft Intune, Microsoft provides you with a preconfigured set of policies, the collection is called “Security Baselines”. They are available for the following products:
- Microsoft Windows 10 and later
- Microsoft Defender for Endpoint
- Microsoft Edge
- Microsoft Windows 365
- Microsoft 365
Security Baselines are a good starting point for future policies and configuration. All settings in these templates are also available to configure as separate policies outside of these selections.
You’ll find the Security Baselines here in Intune Admin Center.
Relevant for your devices (in case you don’t use Microsoft Defender for Endpoint):
- Security Baseline for Microsoft Windows 10 and later
- Security Baseline for Microsoft Edge
- Microsoft 365 Apps for Enterprise Security Baseline
Info
Microsoft updated “Security Baseline for Microsoft Windows” to Windows 11 23H2 today
(28. March 2024)
These Baselines include settings for:
- Firewall
- Bitlocker
- Connectivity
- Direct memory access
- Device Guard
- Some Settings from MS Security Guide
- Smart Screen
- Local Security
- Remote Management
- Single Sign-On (SSO)
- Browser Addon Management
More details about the security of your devices with Microsoft Defender for Endpoints in future posts.
That’s it!
Now you have your enrollment strategy, you know how to configure Windows Autopilot, you can create your own configuration profiles and compliance policies, you know everything about app-packaging and with this post you learned more about how to update and secure your devices.
Now you are ready to go live with your Microsoft Intune environment. After configuring your policies you could rollout your first device(s), lean back and enjoy the magic of Intune…
…Or wait, maybe you want to configure Microsoft Defender for Endpoint and integrate it in Microsoft Intune? If so, stay tuned for my future posts!