To deploy updates for Intune-only managed devices, you have to use Windows Update for Business rings. This is a good thing – using update rings sets you up for proactively monitoring and managing Windows throughout the organization. They require that you create pilot users (who validate the update across the org) before you deploy broadly, ensuring that the update will succeed.

Today we’ll be going over configuring update rings in the MEM portal. Part of the reason I wanted to cover this was that users want to be in control.

Start by launching the MEM portal, then click Devices > Windows 10 update rings. Let’s create a new ring by clicking + Create. Provide a name and description as well (you’ll want to have a few rings in your org, so name them well!).

Then we can select options for the update ring. First, let’s start with the Update settings. Channel-wise, SAC-T no longer really exists (https://docs.microsoft.com/en-us/windows/release-information/), so for our general pilot group we’ll use Semi-Annual Channel. In this ring I’ll leave Quality and Feature updates at a 0 day delay (if I had a second group, I’d set the feature update delay to 30, then 60 for the next group, etc.).

What we really care about is the User experience settings. Here’s what Automatic update behavior means:
So here’s my argument for why you should select Auto install at maintenance time and Require user’s approval to restart outside of work hours. This will install updates if 1) it’s past the Active hours time or 2) the user clicks Check for Windows updates. So we’re already not taking up bandwidth or hogging the CPU when it’s inconvenient for the user. Then, it will notify the user that they need to reboot to complete the update – but it won’t reboot, even if they sleep the device, unless they initiate the reboot!

Think of a scenario where a user stays late at the office and then plans to start early the next day to finish a critical project. Since they stayed after hours, the update is already installed in the background – just waiting for “when the user isn’t using the device” to complete the install. Normally, once they sleep the device that night it will automatically install the update! And when they wake up the device the next day, they’ll be presented with a blank desktop (potentially losing some data) or a screen completing the install and taking more of their time.

That’s why I recommend they should be given the option to delay – to prevent the scenario above. Selecting “Require user’s approval to restart outside of work hours” puts the user in control of when they update their device.

Feel free to change the reminder times, too. Some organizations may work better with a 4 or 8 hour dismissible reminder. That way users are reminded during the same work day.

You may be thinking – but what if a user ignores the update, or doesn’t see it? Here are all the places the feature update shows up – it’s almost impossible to ignore!

And if they do ignore the update for 7 days, then they’ll get a 60 minute (permanent) warning before it automatically reboots. More than enough time to save your work before the Feature update!
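The same ring settings can be kept as code and pushed through Microsoft Graph. This is an added example, not part of the original walkthrough: the ring names, the 08:00 to 17:00 active hours and the choice of a 4 hour reminder are constructed values, and it goes beyond the single pilot ring by also creating the 30 and 60 day rings mentioned above. The restart-approval toggle is left to the portal, since the post does not say which Graph property it corresponds to.

```powershell
# Added example: update rings as Graph windowsUpdateForBusinessConfiguration objects.
# Ring names and active hours are constructed; adjust them for your organization.
param([switch]$Apply)   # without -Apply the script only prints the JSON payloads

$rings = @(
    @{ Name = 'Ring 1 - Pilot'; FeatureDelay = 0  },
    @{ Name = 'Ring 2 - Early'; FeatureDelay = 30 },
    @{ Name = 'Ring 3 - Broad'; FeatureDelay = 60 }
)

$payloads = foreach ($ring in $rings) {
    @{
        '@odata.type' = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName   = $ring.Name
        description   = "Feature updates deferred $($ring.FeatureDelay) days"
        businessReadyUpdatesOnly = 'businessReadyOnly'   # Semi-Annual Channel
        # The post only staggers feature updates; quality stays at 0 (assumption).
        qualityUpdatesDeferralPeriodInDays = 0
        featureUpdatesDeferralPeriodInDays = $ring.FeatureDelay
        automaticUpdateMode = 'autoInstallAtMaintenanceTime'
        installationSchedule = @{
            '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
            activeHoursStart = '08:00:00.0000000'
            activeHoursEnd   = '17:00:00.0000000'
        }
        scheduleRestartWarningInHours           = 4    # dismissible reminder
        scheduleImminentRestartWarningInMinutes = 60   # permanent reminder
    }
}

if ($Apply) {
    # Needs the Microsoft.Graph.Authentication module and an Intune admin sign-in.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
    foreach ($p in $payloads) {
        $created = Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
            -Body ($p | ConvertTo-Json -Depth 5) -ContentType 'application/json'
        "Created $($created.displayName) ($($created.id))"
    }
} else {
    # Dry run: review the payloads before anything is written to the tenant.
    $payloads | ForEach-Object { $_ | ConvertTo-Json -Depth 5 }
}
```

The rings are created unassigned; assign each one to its pilot or broad group afterwards.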
And for those looking at reporting, click on End user update status in the MEM portal to see which updates devices have applied:

Have a different way to configure Update rings for your organization? Let us know below!