How to patch Windows 10 devices using Intune

Mitul Patel 0 Reputation points
2024-07-31T09:25:21.53+00:00

Hi all, hope you are well? We have a huge number of Windows 10 devices shown as exposed with vulnerabilities and need immediate attention on the Defender portal. We also have Windows 10 Update rings configured on Intune portal but not 100% certain if it is working as expected despite showing as succeeded on the devices. How can we patch the devices using Intune? Thank you.

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,924 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,403 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,171 questions
{count} votes

2 answers

Sort by: Most helpful
  1. glebgreenspan 2,235 Reputation points
    2024-07-31T15:01:34.3566667+00:00

    Hello Mitul

    1. Check Update Ring Configuration:
      • Log in to the Microsoft Endpoint Manager Admin Center.
      • Navigate to Devices > Windows > Update rings for Windows 10 and later.
      • Check the details of your update rings, including deployment schedule, deferral periods, and active settings. Ensure they are configured to deploy updates in a timely manner.
    2. Confirm Deployment Status:
      • Under Devices > Windows > Update rings for Windows 10 and later, check the Device Status for each ring to confirm that devices are indeed receiving the updates.
      • If devices show as “succeeded” but still have vulnerabilities, ensure that the correct updates are included in the ring criteria.

    Step 2: Force Windows Update Compliance

    1. Use Intune to Trigger Update Check:
      • On the affected devices, you can manually force an update check. Ask users to do the following:
        1. Go to **Settings > Update & Security > Windows Update**.
        
              1. Click on **Check for updates**. This will prompt the device to check for and download any pending updates.
        
              1. **Review Update History**:
        
                 - Users can also check the **Update History** to see if updates are installed or if there are any that failed to install.
        

    Step 3: Assess and Remediate Vulnerabilities

    1. Review Defender Security Center:
      • Navigate to the Microsoft Defender Security Center and look under Devices to see the detailed list of exposed vulnerabilities. This often includes critical updates that need to be addressed.
      1. Assess Compliance:
        • In the Endpoint Manager, check the Devices > Monitor > Device compliance section to view the compliance status of devices. Identify non-compliant devices and determine the necessary updates.
        1. Use Endpoint Analytics:
          • If you have Endpoint Analytics enabled, review reports that may provide insights into update status, including those that require attention.

    Step 4: Use Intune for Additional Management

    1. Create a Compliance Policy:
      • If not already set, create compliance policies that require devices to be fully updated. This can include settings that enforce update compliance as a requirement for access to resources.
        • Navigate to Devices > Compliance policies > Policies.
        1. Implement Update Policies:
          • Consider creating or modifying Feature update policies and Quality update policies in Intune to ensure that devices are promptly receiving important updates for security.

    Step 5: Monitor and Communicate

    1. Monitor Regularly:
      • Regularly check the Devices blade and the Updates section in Intune to keep track of updates and compliance.
      1. User Communication:
        • Inform users about the importance of keeping their devices updated and provide them with instructions to check for updates manually if needed.

    Step 6: Review Silent Upgrade Options

    1. Consider Auto-Upgrade Policies:
      • In addition to manually checking, you can consider configuring Windows Autopilot or using Windows Update for Business policies to ensure devices can auto-upgrade as new updates become available.
      • Check Update Ring Configuration:
        - Log in to the **Microsoft Endpoint Manager Admin Center**.
        
              - Navigate to **Devices > Windows > Update rings for Windows 10 and later**.
        
                    - Check the details of your update rings, including **deployment schedule**, **deferral periods**, and **active settings**. Ensure they are configured to deploy updates in a timely manner.
        
                    - **Confirm Deployment Status**:
        
                          - Under **Devices > Windows > Update rings for Windows 10 and later**, check the **Device Status** for each ring to confirm that devices are indeed receiving the updates.
        
                                - If devices show as “succeeded” but still have vulnerabilities, ensure that the correct updates are included in the ring criteria.
        
                                - Step 2: Force Windows Update Compliance
        
                                - **Use Intune to Trigger Update Check**:
        
                                      - On the affected devices, you can manually force an update check. Ask users to do the following:
        
                                               1. Go to **Settings > Update & Security > Windows Update**.
        
                                                        1. Click on **Check for updates**. This will prompt the device to check for and download any pending updates.
        
                                                        - **Review Update History**:
        
                                                              - Users can also check the **Update History** to see if updates are installed or if there are any that failed to install.
        
                                                              - Step 3: Assess and Remediate Vulnerabilities
        
                                                              - **Review Defender Security Center**:
        
                                                                    - Navigate to the **Microsoft Defender Security Center** and look under **Devices** to see the detailed list of exposed vulnerabilities. This often includes critical updates that need to be addressed.
        
                                                                    - **Assess Compliance**:
        
                                                                          - In the Endpoint Manager, check the **Devices > Monitor > Device compliance** section to view the compliance status of devices. Identify non-compliant devices and determine the necessary updates.
        
                                                                          - **Use Endpoint Analytics**:
        
                                                                                - If you have **Endpoint Analytics** enabled, review reports that may provide insights into update status, including those that require attention.
        
                                                                                - Step 4: Use Intune for Additional Management
        
                                                                                - **Create a Compliance Policy**:
        
                                                                                      - If not already set, create compliance policies that require devices to be fully updated. This can include settings that enforce update compliance as a requirement for access to resources.
        
                                                                                            - Navigate to **Devices > Compliance policies > Policies**.
        
                                                                                            - **Implement Update Policies**:
        
                                                                                                  - Consider creating or modifying **Feature update policies** and **Quality update policies** in Intune to ensure that devices are promptly receiving important updates for security.
        
                                                                                                  - Step 5: Monitor and Communicate
        
                                                                                                  - **Monitor Regularly**:
        
                                                                                                        - Regularly check the **Devices blade** and the **Updates** section in Intune to keep track of updates and compliance.
        
                                                                                                        - **User Communication**:
        
                                                                                                              - Inform users about the importance of keeping their devices updated and provide them with instructions to check for updates manually if needed.
        
                                                                                                              - Step 6: Review Silent Upgrade Options
        
      • Consider Auto-Upgrade Policies:
      • In addition to manually checking, you can consider configuring Windows Autopilot or using Windows Update for Business policies to ensure devices can auto-upgrade as new updates become available.
    0 comments No comments

  2. Neuvi Jiang 1,375 Reputation points Microsoft Vendor
    2024-08-02T07:37:47.69+00:00

    Hi Mitul Patel,

    Thank you for posting in the Q&A Forums.

    First, you need to verify that the update channel policy in Intune is properly configured and deployed to the target device.

    Check the policy configuration:

    Log in to the Microsoft Intune Management Center.

    Navigate to Devices > Windows > Update Channel (for Windows 10 and later).

    Check the update channel policies that have been created to ensure that they are configured with the appropriate update behavior (e.g., allow quality updates, feature updates, delay periods, etc.).

    Confirm policy assignments:

    Ensure that the update channel policy has been assigned to the user group or device group that contains the target Windows 10 devices.

    1. Verify device status

    In the Intune Management Center, you can view the update status of devices to ensure that they have received and applied updates.

    To view device status:

    In the Intune Management Center, navigate to Devices > All Devices.

    Select one or more devices to view the status of their Update Channel policy.

    Use the Device and User Check Status section to view a device's update history and application status in detail.

    1. Troubleshooting Common Problems

    If a device is not receiving updates as expected, there are some common issues that may need to be addressed:

    Network issues:

    Ensure that the device can connect to the Internet or an internal update server.

    Check if any firewall or proxy settings are blocking update traffic.

    Policy conflicts:

    Check if there are other policies (such as Group Policy Object GPOs) that conflict with Intune policies.

    Use the gpresult command to view and resolve possible conflicts.

    Windows Update service:

    Ensure that the Windows Update service is running and has not been disabled.

    If necessary, manually restart the Windows Update service.

    1. Monitoring and Reporting

    Intune provides rich reporting capabilities for monitoring the update status and compliance of devices.

    To use the reporting features:

    Navigate to Devices > Windows > Update Channel and select View Reports "View Reports.

    View the report to see which devices have received updates and which have not.

    Set up alerts:

    Configure alerts to receive notifications when devices do not receive updates on time.

    1. Force Updates

    If some devices fail to receive updates for some reason, consider using Intune's Remote Action feature to force an update.

    Trigger updates remotely:

    Use Intune's Remote Actions feature to trigger a Windows Update scan and installation on your device.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.