I would like to give you an overview of Windows Updates for Business (WUfB). I'll show you the features it includes and the added value that Intune offers with its analytic features. With the right settings, you can replace a classic WSUS infrastructure and also save time and effort in operation.
Table of Contents
- Windows Updates for Business overview
- Configure Windows Updates for Business
- Reports in Intune
- Manage Updates with PowerShell
Windows Updates for Business overview
With Windows Update for Business (WUfB) and Windows Update for Business Deployment Service (WUfB DS)...
... yes, very long names 😉 But let's not be put off by the name.
WUfB offers you a way between fully automatic updates and an environment with a WSUS where you release each update individually. In addition, you no longer need a server, all services run entirely in the cloud.
Configure Windows Updates for Business
You can change the WUfB settings completely in Intune. The analytics features are also integrated within Intune. In addition, for the analysis, there is also the way via "Windows Update for Business reports", you can find information about these directly from Microsoft on the one hand: Now generally available: Windows Update for Business reports
Or very nicely summarized and explained by Niklas Tinner: Summarized: Windows Update for Business reports
There are 3 update profile types you can configure:
- update rings
- Postpone quality updates
- Postpone feature updates (if no feature update profile is in use)
- Define deadlines for quality and feature updates
- feature updates
- Specify desired feature update status (freeze status)
- quality updates
- Distribute emergency updates immediately and without restrictions by feature or update ring
Update Rings
With the update rings, you have the option of automating the updates and defining the time after which they are offered to the device. There is also the "Deadline Settings" function, which forces a device to carry out updates after a defined period of time and, if necessary, to force a restart.
You can define any number of update rings here and assign them to groups or all devices or users. I recommend maintaining at least two Update Rings; One for the test/pilot/fast group and one for the majority of devices, a broad or general ring.
The picture is from the "Autopatch" service, but shows the principle very well.
A configuration can then look like this, for example:
Here also the configurations of the "GENERAL" update ring. I assigned this to the standard group (includes all Autopilot registered and Windows MDM managed devices) and excluded the groups for the faster rings:
If you decide to also distribute the feature updates according to the ring principle, please set the value for "Feature update deferral period" to "0".
Feature Updates
The Feature Update Policy allows you to specify which Windows version you want on which devices. You can choose up to which release Windows should be updated. The assigned release is then fixed for the device. It is also not possible to downgrade.
If you do not define any feature updates, the settings from your update rings will apply. This means that if you set 0 days for "Feature Deferral", the end devices will receive the feature update as soon as it is available for them.
Do you define under "Devices > Windows > Feature updates for Windows 10 and later" but a guideline, this is weighted more heavily than the update ring. In other words, the end device will not update itself beyond this guideline.
Below is an example configuration of the feature update rings.
In the support column you can see very quickly whether a Windows version is still supported, will end soon or is out of support.
You notice that the insider ring is missing, I did it that way on purpose, because they should always get the latest without me having to worry about the release.
Here is also the content of one of the guidelines.
You have the option of defining the following settings:
- Release (Windows 11 stands for Windows 11 22H1)
- How soon should the update be available?
- Immediate: immediately
- Specific Date: Date from which the update is offered to the end device
- Gradually: Distribute the update over a certain period of time.
(The start date must be at least two days in the future from today)- Groups ((Start - End) / "Days between") are automatically formed here and assigned randomly and evenly.
Quality Updates / Expedite Updates
The update ring is not optimal for every update. It may be the case that an update has to be installed immediately due to a zero-day vulnerability. That's exactly what the Quality Updates (also called "Expedite Updates") guidelines are for, which ignores all "deferrals" and reboot restrictions.
To create it, navigate to: Devices > Windows > Quality updates for Windows 10 and later
You don't have to do much in the directive itself. You only define a name, which CU is affected and when a restart is required.
Reports in Intune
Intune offers you reports with insight into Feature Updates and Expedite Updates. This gives you a quick overview of the update statuses in your area.
The reports only show you something if there is a corresponding policy. So if you only configured the update rings, you won't see anything in the reports.
Very important, in order to use the feature, you must have configured the "Windows health monitoring" policy.
You create these under "Devices > Windows > Configuration profiles".
In the policy itself, you must at least enable "Windows updates".
You can find the reports at: Reports > Windows updates
When you open the reports, always press the refresh button first, otherwise the status displayed could be an old one.
After a short time you will then be shown a general overview of the stands:
You can use the Report item to display additional, granular reports.
Don't let the "Enable Windows health..." message confuse you. This is also there if you have already distributed the policy. To generate the report, you simply have to select a policy and then the "Generate report" button becomes clickable.
After a few more seconds you will see the report with all the details:
Community Tool for Reports
Would you like to get a lot more out of the data from your devices and display them beautifully?
Then you will find a very nice and clear solution here: Windows Update Compliance Dashboard V8.0 - MSEndpointMgr
Manage Updates with PowerShell
You want to create your own update solution/automation based on the WUfB DS?
Yes, you can do it!
You can find out how to get started here: PowerShell for the Windows Update for Business deployment service - Microsoft Community Hub
In addition, I will go into more detail about the PowerShell / Graph possibilities with WHfB in a future post.