Windows quality updates

Service level objective

Microsoft Managed Desktop aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release.

Device eligibility

For a device to be eligible for Windows quality updates as a part of Microsoft Managed Desktop, it must meet the following criteria:

| Criteria | Description |
| --- | --- |
| Activity | Devices must have at least six hours of usage, with at least two hours being continuous. |
| Intune sync | Devices must have checked in with Intune within the last five days. |
| Storage space | Devices must have more than one GB (gigabyte) of free storage space. |
| Deployed | Microsoft Managed Desktop doesn't update devices that haven't yet been deployed. |
| Internet connectivity | Devices must have a steady internet connection, and access to Windows update endpoints. |
| Windows edition | Devices must be on a Windows edition supported by Microsoft Managed Desktop. For more information, see Prerequisites. |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see Conflicting and unsupported policies. |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see Group policy. |

Windows quality update releases

Microsoft Managed Desktop deploys the B release of Windows quality updates that are released on the second Tuesday of each month.

To release updates to devices in a gradual manner, Microsoft Managed Desktop deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:

| Policy | Description |
| --- | --- |
| Deferrals | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
| Deadlines | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
| Grace periods | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |

Important

Deploying deferral, deadline, or grace period policies which conflict with Microsoft Managed Desktop's policies will cause a device to be considered ineligible for management. The device will still receive policies from Microsoft Managed Desktop that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our service level objective.

Microsoft Managed Desktop configures these policies differently across deployment rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see Microsoft Managed Desktop deployment rings.

Release process timeline

Release management

In the Release management blade, you can:

Release schedule

For each deployment ring, the Release schedule tab contains:

  • The status of the update. Releases will appear as Active. The update schedule is based on the values of the Windows 10 Update Ring policies, which have been configured on your behalf.
  • The date the update is available.
  • The target completion date of the update.
  • In the Release schedule tab, you can Pause or Resume a Windows quality update release.

Expedited releases

Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Microsoft Managed Desktop assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Microsoft Managed Desktop may choose to expedite at any time during the release.

When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Microsoft Managed Desktop greatly accelerates the release schedule to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring, since devices in the Test ring are already getting the update quickly.

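| Release type | Group | Deferral | Deadline | Grace period |
| --- | --- | --- | --- | --- |
| Standard release | Test | 0 | 0 | 0 |
| Standard release | First | 1 | 2 | 2 |
| Standard release | Fast | 6 | 2 | 2 |
| Standard release | Broad | 9 | 5 | 2 |
| Expedited release | All devices | 0 | 1 | 1 |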
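
How the deferral, deadline, and grace period values in the table above turn into calendar dates and a per-ring patch window, as an added example that is not Microsoft's code. The function names and the `downloaded` parameter are hypothetical, and the grace period is modeled from the policy description as "forced restart no earlier than download date plus grace days".

```python
from datetime import date, timedelta

# (deferral, deadline, grace period) in days, copied from the table above.
STANDARD = {"Test": (0, 0, 0), "First": (1, 2, 2), "Fast": (6, 2, 2), "Broad": (9, 5, 2)}
EXPEDITED = {"All devices": (0, 1, 1)}
SLO_DAYS = 21  # service level objective window stated on this page


def second_tuesday(year, month):
    """Date of the B release: the second Tuesday of the month."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=offset + 7)


def ring_schedule(release_day, deferral, deadline, grace, downloaded=None):
    """Return (offer, deadline, forced_restart) dates for one ring.

    downloaded is a hypothetical input: the day the device actually
    downloaded the update. It defaults to the offer date.
    """
    offer = release_day + timedelta(days=deferral)
    deadline_day = offer + timedelta(days=deadline)
    downloaded = max(downloaded or offer, offer)  # cannot download before the offer
    # The grace period overrides the deadline for devices that download late.
    forced = max(deadline_day, downloaded + timedelta(days=grace))
    return offer, deadline_day, forced


def patch_window(year, month, schedule=STANDARD, downloaded=None):
    """Per ring: dates plus days from release until a restart is forced."""
    release_day = second_tuesday(year, month)
    report = {}
    for ring, (deferral, deadline, grace) in schedule.items():
        offer, deadline_day, forced = ring_schedule(
            release_day, deferral, deadline, grace, downloaded)
        days = (forced - release_day).days
        report[ring] = {"offer": offer, "deadline": deadline_day,
                        "forced_restart": forced, "days": days,
                        "within_slo": days <= SLO_DAYS}
    return report


if __name__ == "__main__":
    for ring, row in patch_window(2024, 6).items():
        print(ring, row)
```

Passing a late `downloaded` date (a device that was offline, for example) shows how the grace period can push the forced restart past the 21-day window even though the ring's deadline has already passed.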

Turn off service-driven expedited quality update releases

Microsoft Managed Desktop provides the option to turn off service-driven expedited quality updates.

By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Microsoft Managed Desktop-enrolled devices using Microsoft Intune.

To turn off service-driven expedited quality updates:

  1. Go to the Microsoft Intune admin center > Devices.
  2. Under Microsoft Managed Desktop > Release management, go to the Release settings tab and turn off the Expedited quality updates setting.

Note

Microsoft Managed Desktop doesn't allow customers to request expedited releases.

Out of Band releases

Microsoft Managed Desktop schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.

To view deployed Out of Band quality updates:

  1. Go to the Microsoft Intune admin center > Devices > Microsoft Managed Desktop > Release management.
  2. Under the Release Announcements tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.

Note

Announcements will be removed from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.

Pausing and resuming a release

Caution

You should only pause and resume Windows quality updates on Microsoft Managed Desktop devices using the Microsoft Managed Desktop Release management blade. Do not use the Microsoft Intune end-user experience flows to pause or resume Microsoft Managed Desktop devices. If you need assistance with pausing and resuming updates, please submit a support request.

The service-level pause of updates is driven by the various software update deployment-related signals Microsoft Managed Desktop receives from Windows Update for Business, and several other product groups within Microsoft.

If Microsoft Managed Desktop detects a significant issue with a release, we may decide to pause that release.

Important

Pausing or resuming an update can take up to eight hours to be applied to devices. Microsoft Managed Desktop uses Microsoft Intune as its management solution, and that's the average time devices take to check in with Microsoft Intune for new instructions to pause, resume, or roll back updates.

For more information, see how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune.

To pause or resume a Windows quality update:

  1. Go to the Microsoft Intune admin center.
  2. Select Devices from the left navigation menu.
  3. Under the Microsoft Managed Desktop section, select Release management.
  4. In the Release management blade, select either: Pause or Resume.
  5. Select the update type you would like to pause or resume.
  6. Select a reason from the dropdown menu.
  7. Optional. Enter details about why you're pausing or resuming the selected update.
  8. If you're resuming an update, you can select one or more deployment rings.
  9. Select Okay.

The following three statuses are associated with paused quality updates:

| Status | Description |
| --- | --- |
| Service Pause | If the Microsoft Managed Desktop service has paused an update, the release will have the Service Pause status. You must submit a support request to resume the update. |
| Customer Pause | If you've paused an update, the release will have the Customer Pause status. The Microsoft Managed Desktop service can't overwrite an IT admin's pause. You must select Resume to resume the update. |
| Customer & Service Pause | If you and Microsoft Managed Desktop have both paused an update, the release will have the Customer & Service Pause status. If you resume the update, and the Service Pause status still remains, you must submit a support request for Microsoft Managed Desktop to resume the update deployment on your behalf. |

Remediating Ineligible and/or Not up to Date devices

To ensure your devices receive Windows quality updates, Microsoft Managed Desktop provides information on how you can remediate Ineligible Devices (Customer Actions). In addition, the Microsoft Managed Desktop service may remediate Not up to Date devices to bring them back into compliance.