
Feature and expedited update management in Intune now generally available



Guest David_Guyer
Posted

We are excited to announce that Windows feature updates and expedited quality updates in Microsoft Intune are now generally available! These features use the Windows Update for Business deployment service to provide greater control over specifying updates to devices. Additionally, you can take advantage of rich reporting that provides detailed status and error state for each device in the policy.

 

Let's jump in to learn more about:

 

Feature updates

 

 

A feature update profile enables you to control which Windows feature update is deployed to your devices. The devices will stay on that version until you update the policy or assign them to a new feature update policy targeting a newer update. Choose from all currently supported versions of Windows 10 and Windows 11.

 

[Image: A screenshot of feature update deployment management in the Endpoint Manager admin center]

 

Notice that you can choose from among three different rollout options. The default option is to make the update available to all devices as soon as possible after the policy is saved.

 

[Image: A screenshot of the rollout options for the feature update policy]

 

Alternatively, you can specify the date to make the update available to all devices in the policy. This makes rollout much easier to manage when feature updates start. No need to look for the release date on the web and calculate the number of deferral days to get the updates to start the day you want. Just set the date in the policy, and you're done!

 

Finally, use a gradual rollout for a more controlled and intelligent solution. A gradual rollout enables you to automatically spread the feature update across all your devices over a time frame. Simply specify the first and last dates that groups of devices will be offered the update, as well as the number of days between the groups. The deployment service automatically tracks the addition or removal of devices and evenly distributes the update over the deployment time frame.

 

 


Note: The Final group availability is not the day the rollout ends. It's only the date when the last group of the devices begins to update. The devices scheduled for the last day still need to download, install, and restart to complete the update. How long that takes depends on your deadline settings in Update Rings (more on this below) and user behavior.

 

Check out David Mebane's blog post to learn even more about how gradual rollouts work. For more on feature updates, consult our Intune documentation.

 

Expedited quality updates

 

 

When you need to deploy a quality update faster than normal, expedited updates can help. Whether you use them in the context of a zero-day vulnerability or an urgent quality fix for a set of devices, expedited updates temporarily override deferrals and other settings to install updates as quickly as possible. Once completed, they restore to the normal settings automatically, so you don't have to.

 

Find these settings in the Endpoint Manager admin center > Home > Devices > Quality updates for Windows 10 and later > Create quality update profile. Besides the standard Intune settings, like the name, description, and assignments, there are two settings specific to expedited quality updates.

 

[Image: A screenshot of the Create quality update profile settings pane in the Endpoint Manager admin center]

 

The first setting is the quality update release to check under Expedite installation of quality update if device OS version less than. Select the update required to be expedited from the drop-down list, such as the November 2022 update illustrated above. Here is what you can expect in the common scenarios:

 

  • If the device is already on the latest approved update, then it will not be expedited.
  • If the device is on an older update, then it will be expedited to the latest approved update.
  • If the device is part of an older policy with an older targeted update, then it will still be expedited to the latest update available.

 

The other setting is the number of days until the restart is enforced. This allows the user to determine when to restart the device to apply the update. They will be notified and can either schedule the restart or let the normal restart behavior (outside of active hours) complete the update. Once the selected period has passed, the restart will be enforced, which could happen in the middle of the workday. As a result, the longer you give users to restart on their own schedule, the happier they might be, but the longer it will take to deploy the update.

 

 


Note: Use caution with the "0 days" setting. Use it only in severe issue cases when you need devices to restart as soon as possible after the update requires a restart. Users are only given a 15-minute warning before the restart occurs, which can significantly impact user productivity and satisfaction.

 

To learn more about expedited quality updates, check out Surabhi Calla's excellent blog posts:

 

 

For Intune documentation, see Use Intune to expedite Windows quality updates.

 

Feature update and expedited quality update reports

 

 

Both feature updates and expedited quality updates have the same basic reports in Intune.

 

 


Note: Follow the instructions in Use Update Compliance reports for Windows Updates in Microsoft Intune to enable data collection from the client. This will ensure access to and reporting of detailed client states.

 

Let's learn about the overall Windows feature update report and the Windows expedited update report. Find both under the Reports menu > Windows updates.

 

[Image: A screenshot of the Windows 10 and later feature updates report pane in the Endpoint Manager admin center]

 

For both reports, begin with an overview of the policy's results in the donut chart. Refer to the bottom of the pane for per-device details. Check the Update State and Update Substate columns to see where each device is in the update process: Installed the update, Downloading, Waiting to restart, and so on.

 

Review device alerts under Alert Type (more on these later), but keep in mind that only the most recently received alert shows up. To get more information on all the alerts for a device, as well as more details, go to the Feature update failures or Expedited update failures reports. Locate them under Devices > Monitor.

 

[Image: A screenshot of a report showing each device and alert in the selected policy]

 

An alert is determined by client data and covers service-generated issues, device-generated error codes, and other reasons a device may not be updating. It provides a recognizable name, so you don't have to understand hex error codes. For example, low disk errors can occur multiple times in the update process. While each has a distinct error code, the alert message will simply state "Low Disk".

 

Click on the alert in the report for a more detailed description of its causes and a recommended remediation step. In the example above, notice an alert derived from diagnostic data that doesn't have an error code. The error type "Insufficient Update Connectivity" essentially marks devices that have severely limited active and connected time. And now you know why these devices are unlikely to update successfully.

 

Best practices for managing Windows updates in Intune

 

 

Consider the following best practices to make the most of feature and quality updates in Intune with update rings. For a refresher, please review Update rings for Windows 10 and later policy in Intune.

 

  • Feature update profiles: In the case of feature updates, we recommend using feature update profiles instead of feature update deferrals in update rings. They provide you with better control over deployment of feature updates, rollout options, and detailed reporting.
  • Feature update deferral: To ensure the feature update profiles work as expected, set the feature update deferral to 0 days.
     

    Note: We recommend adding devices to the feature update profiles first, before setting the feature update deferral to 0 days. That is to ensure devices are enrolled and managed by the Windows Update for Business deployment service. Failure to do so could cause a device to get a newer feature update than intended. Verify that devices are enrolled by checking the Windows feature updates report, specifically those devices that have reached the OfferReady state.

  • Other feature update settings: Set the feature update deadline and other settings as you'd like, since they still control behavior on the device once the update is offered to the device.
  • Pause to troubleshoot feature update rings: You can also use the pause setting in update rings while troubleshooting feature update issues. The other option is to change the start date in the feature update profile to a future date, effectively pausing the policy.
  • Defer or expedite quality updates: For now, continue using quality update deferral settings in the update rings policies to keep devices updated monthly. Use expedited quality updates for those special cases where you need to override and go faster than your normal settings in update rings.

Conclusion

 

 

Try your hand with additional controls over specifying updates to devices and utilizing rich reporting in Microsoft Intune. This is an exciting next step in our journey to enhance Windows Update for Business. We are working hard to bring the benefits of the Windows Update for Business deployment service to additional update types in Intune, so keep an eye out for more updates in the Windows IT Pro Blog!

 

 

Continue the conversation. Find best practices. Join the Windows Tech Community.

Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.
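Added example, not part of the original post and not Microsoft code: a planning helper for the gradual rollout described above, showing why the Final group availability date is not the date the rollout ends. The function name `Get-GradualRolloutPlan`, the even-split model, the default deadline and grace period values, and the sample dates are all assumptions made for illustration; the deployment service's actual grouping may differ.

```powershell
# Added planning example, not Microsoft code. The even split and the date
# arithmetic are an assumed model, not the deployment service's algorithm.
function Get-GradualRolloutPlan {
    param(
        [Parameter(Mandatory)] [datetime] $FirstGroupAvailability,
        [Parameter(Mandatory)] [datetime] $FinalGroupAvailability,
        [Parameter(Mandatory)] [int] $DaysBetweenGroups,
        [Parameter(Mandatory)] [int] $DeviceCount,
        # Assumed update ring inputs, in days: feature update deadline and grace period.
        [int] $DeadlineDays = 7,
        [int] $GracePeriodDays = 2
    )
    $first = $FirstGroupAvailability.Date
    $final = $FinalGroupAvailability.Date
    if ($final -lt $first) {
        throw 'Final group availability must not be earlier than first group availability.'
    }
    if ($DaysBetweenGroups -lt 1 -or $DeviceCount -lt 1) {
        throw 'DaysBetweenGroups and DeviceCount must be at least 1.'
    }

    # Assumed offer dates: the first date, then every N days, never past the final date.
    $offerDates = @()
    for ($d = $first; $d -le $final; $d = $d.AddDays($DaysBetweenGroups)) {
        $offerDates += $d
    }

    # Even split; the first groups absorb the remainder.
    $groups    = $offerDates.Count
    $remainder = $DeviceCount % $groups
    $baseSize  = [int](($DeviceCount - $remainder) / $groups)

    for ($i = 0; $i -lt $groups; $i++) {
        $size = $baseSize
        if ($i -lt $remainder) { $size++ }
        [pscustomobject]@{
            Group           = $i + 1
            OfferDate       = $offerDates[$i].ToString('yyyy-MM-dd')
            Devices         = $size
            # Rough worst case for a device that stays online: deadline, then grace period.
            RestartForcedBy = $offerDates[$i].AddDays($DeadlineDays + $GracePeriodDays).ToString('yyyy-MM-dd')
        }
    }
}

# Constructed sample: 1,000 devices, a new group every 3 days across ten days.
$plan = @(Get-GradualRolloutPlan -FirstGroupAvailability '2023-01-09' `
    -FinalGroupAvailability '2023-01-18' -DaysBetweenGroups 3 -DeviceCount 1000)
$plan | Format-Table -AutoSize
'Last group offered {0}; plan for restarts as late as {1}.' -f $plan[-1].OfferDate, $plan[-1].RestartForcedBy
```

Devices that are offline or whose users postpone can finish later than the last `RestartForcedBy` date, so treat it as the earliest date to expect the rollout to be substantially complete.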

 
