Previously, we wrote about using Azure Update Management to perform Software Updates on Windows Server-based systems but what about Windows 10. In this article, we will explore Managing Windows 10 Updates using Microsoft Intune.
In on-premises environments, we use solutions like Windows Server Updates Services (WSUS), System Center Configuration Manager (SCCM), or Microsoft Endpoint Manager. Yes, you can continue to use SCCM and Endpoint Manager with their Cloud Attach Co-Management features, however, what about if you have a cloud-native environment? What about if you have an environment where users are using non-domain joined devices?
If we want to manage Windows 10 Updates, one of the easiest ways to do so is using Microsoft Intune. Microsoft Intune has built-in options for managing Windows 10 Updates so let’s take a look at what’s available.
Microsoft Intune licensing
Although the topic of this article isn’t to cover Microsoft Intune licensing, it would be remiss of us not to mention it briefly.
To use the features and settings described in this article you will need to be licensed for Microsoft Intune. Licensing for this can either be standalone, as part of the Enterprise Mobility and Security bundle or as part of either Microsoft 365 E3 or the Microsoft 365 E5 suites.
We often address questions about licensing and Microsoft Intune with our Enterprise Mobility and Security and Identity solutions.
Windows 10 Update Rings settings
The settings for Windows 10 Updates in Microsoft Itune can be found under the Software Updates and the Windows 10 Update Rings settings page. Alternatively, you can head directly to the page using the address https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/SoftwareUpdatesMenu/windows10UpdateRings.
Once you’ve found the page, the first step is going to be to create a Profile. A Profile allows you to define various settings including the Windows 10 Servicing Ring that the client belongs to, what types of updates will be offered, whether users have the option to defer updates if they need time to complete a piece of work, and importantly, what the deadline for meeting the requirements of the Profile.
Once you’ve got all the settings added you can save your Policy and assign it. You can either assign the policy to a group containing Windows 10 devices or you could apply it to a group containing users that use Windows 10 devices. As we have access to Azure AD Premium, we like to use Dynamic Groups in Azure AD containing all our corporate Windows 10 devices.
Endpoint Manager Co-Management and Tenant Attach
If you are already using Microsoft Endpoint Manager (formerly Configuration Manager) then you could look at implementing the Co-Management feature or the upcoming preview feature Tenant Attach ( https://techcommunity.microsoft.com/t5/configuration-manager-blog/take-action-on-your-configmgr-devices-from-the-microsoft/ba-p/1209759).
Co-Management opens up a host of opportunities such as the ability to transition the Software Update component of client management from Endpoint Manager to Intune making it cloud-friendly and using the upcoming Tenant Attach feature you can enact Endpoint Manager tasks via Intune simplifying administration.
Making the most of Microsoft Intune
If you are interested in managing Windows 10 Updates using Microsoft Intune or if you are interested in using Microsoft Intune more thoroughly to manage your estate, get in touch with us to find out more.
We can help you assess your current environment, determine a strategy for how best to manage your devices, and device whether Microsoft Intune, SCCM or a combination of the two will best meet your needs and requirements.