Share via

How to patch Windows 10 devices using Intune

Mitul Patel 0 Reputation points
2024-07-31T09:25:21.53+00:00

Hi all, hope you are well? We have a huge number of Windows 10 devices shown as exposed with vulnerabilities and need immediate attention on the Defender portal. We also have Windows 10 Update rings configured on Intune portal but not 100% certain if it is working as expected despite showing as succeeded on the devices. How can we patch the devices using Intune? Thank you.

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,851 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,286 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,769 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. glebgreenspan 1,990 Reputation points
    2024-07-31T15:01:34.3566667+00:00

    Hello Mitul

    1. Check Update Ring Configuration:
      • Log in to the Microsoft Endpoint Manager Admin Center.
      • Navigate to Devices > Windows > Update rings for Windows 10 and later.
      • Check the details of your update rings, including deployment schedule, deferral periods, and active settings. Ensure they are configured to deploy updates in a timely manner.
    2. Confirm Deployment Status:
      • Under Devices > Windows > Update rings for Windows 10 and later, check the Device Status for each ring to confirm that devices are indeed receiving the updates.
      • If devices show as “succeeded” but still have vulnerabilities, ensure that the correct updates are included in the ring criteria.

    Step 2: Force Windows Update Compliance

    1. Use Intune to Trigger Update Check:
      • On the affected devices, you can manually force an update check. Ask users to do the following: 
        1. Go to **Settings > Update & Security > Windows Update**.

      1. Click on **Check for updates**. This will prompt the device to check for and download any pending updates.

      1. **Review Update History**:

         - Users can also check the **Update History** to see if updates are installed or if there are any that failed to install.

    Step 3: Assess and Remediate Vulnerabilities

    1. Review Defender Security Center:
      • Navigate to the Microsoft Defender Security Center and look under Devices to see the detailed list of exposed vulnerabilities. This often includes critical updates that need to be addressed.
      1. Assess Compliance:
        • In the Endpoint Manager, check the Devices > Monitor > Device compliance section to view the compliance status of devices. Identify non-compliant devices and determine the necessary updates.
        1. Use Endpoint Analytics:
          • If you have Endpoint Analytics enabled, review reports that may provide insights into update status, including those that require attention.

    Step 4: Use Intune for Additional Management

    1. Create a Compliance Policy:
      • If not already set, create compliance policies that require devices to be fully updated. This can include settings that enforce update compliance as a requirement for access to resources.
        • Navigate to Devices > Compliance policies > Policies.
        1. Implement Update Policies:
          • Consider creating or modifying Feature update policies and Quality update policies in Intune to ensure that devices are promptly receiving important updates for security.

    Step 5: Monitor and Communicate

    1. Monitor Regularly:
      • Regularly check the Devices blade and the Updates section in Intune to keep track of updates and compliance.
      1. User Communication:
        • Inform users about the importance of keeping their devices updated and provide them with instructions to check for updates manually if needed.

    Step 6: Review Silent Upgrade Options

    1. Consider Auto-Upgrade Policies:
      • In addition to manually checking, you can consider configuring Windows Autopilot or using Windows Update for Business policies to ensure devices can auto-upgrade as new updates become available.
      • Check Update Ring Configuration: 
        - Log in to the **Microsoft Endpoint Manager Admin Center**.

      - Navigate to **Devices > Windows > Update rings for Windows 10 and later**.

            - Check the details of your update rings, including **deployment schedule**, **deferral periods**, and **active settings**. Ensure they are configured to deploy updates in a timely manner.

            - **Confirm Deployment Status**:

                  - Under **Devices > Windows > Update rings for Windows 10 and later**, check the **Device Status** for each ring to confirm that devices are indeed receiving the updates.

                        - If devices show as “succeeded” but still have vulnerabilities, ensure that the correct updates are included in the ring criteria.

                        - Step 2: Force Windows Update Compliance

                        - **Use Intune to Trigger Update Check**:

                              - On the affected devices, you can manually force an update check. Ask users to do the following:

                                       1. Go to **Settings > Update & Security > Windows Update**.

                                                1. Click on **Check for updates**. This will prompt the device to check for and download any pending updates.

                                                - **Review Update History**:

                                                      - Users can also check the **Update History** to see if updates are installed or if there are any that failed to install.

                                                      - Step 3: Assess and Remediate Vulnerabilities

                                                      - **Review Defender Security Center**:

                                                            - Navigate to the **Microsoft Defender Security Center** and look under **Devices** to see the detailed list of exposed vulnerabilities. This often includes critical updates that need to be addressed.

                                                            - **Assess Compliance**:

                                                                  - In the Endpoint Manager, check the **Devices > Monitor > Device compliance** section to view the compliance status of devices. Identify non-compliant devices and determine the necessary updates.

                                                                  - **Use Endpoint Analytics**:

                                                                        - If you have **Endpoint Analytics** enabled, review reports that may provide insights into update status, including those that require attention.

                                                                        - Step 4: Use Intune for Additional Management

                                                                        - **Create a Compliance Policy**:

                                                                              - If not already set, create compliance policies that require devices to be fully updated. This can include settings that enforce update compliance as a requirement for access to resources.

                                                                                    - Navigate to **Devices > Compliance policies > Policies**.

                                                                                    - **Implement Update Policies**:

                                                                                          - Consider creating or modifying **Feature update policies** and **Quality update policies** in Intune to ensure that devices are promptly receiving important updates for security.

                                                                                          - Step 5: Monitor and Communicate

                                                                                          - **Monitor Regularly**:

                                                                                                - Regularly check the **Devices blade** and the **Updates** section in Intune to keep track of updates and compliance.

                                                                                                - **User Communication**:

                                                                                                      - Inform users about the importance of keeping their devices updated and provide them with instructions to check for updates manually if needed.

                                                                                                      - Step 6: Review Silent Upgrade Options
      • Consider Auto-Upgrade Policies:
      • In addition to manually checking, you can consider configuring Windows Autopilot or using Windows Update for Business policies to ensure devices can auto-upgrade as new updates become available.
    0 comments