Any way to handle windows patching on devices on another domain?

Eccup Reservoir 66 Reputation points
2023-11-17T10:02:24.9133333+00:00

Dear Microsoft Q&A Community,

I'm currently facing a challenge in managing Windows updates for end-user devices running Windows 10/11. These devices are part of a different domain, which we don't have direct connectivity with. Our preference is to utilize native Microsoft solutions rather than third-party tools for this task.

From my initial research, it seems like Azure Arc could be a potential solution. It allows devices to be onboarded irrespective of their domain status. However, I'm concerned about its suitability, given that these end-user devices aren't always online.

Could anyone share insights or recommendations on how best to approach this scenario using Microsoft tools? Any advice or alternative solutions would be greatly appreciated.

Thank you in advance for your help!

Tags: Azure Arc, Windows Autopilot, Microsoft Intune

2 answers

  1. Crystal-MSFT 48,591 Reputation points Microsoft Vendor
    2023-11-20T01:28:24.37+00:00

    @Eccup Reservoir, Thanks for posting in Q&A. From the Intune side, we can manage Windows updates via Update rings for Windows 10 and later, Feature updates policy, Quality updates policy and Driver updates policy. Here is a link with more details:

    https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure

    For the Windows update ring policy, Intune only defines an update strategy. You still need to use your existing update solution, such as Windows Update or WSUS, to obtain the actual updates. I notice the devices are not always online. If the device is accessible in their domain, you can consider using WSUS as a Windows solution, I think.

    https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-windows-10-update-ring-policies/ba-p/714046

    To understand more about WSUS, you can contact WSUS support to get more help.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

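The answer above makes a distinction that is easy to miss when troubleshooting: an Intune update ring only sets deferral and pause policy, while the update bits still come from whatever source the client is pointed at (Windows Update or a WSUS server). The following script is an added example, not from the thread or from Microsoft; it reads the documented WUfB/WSUS policy registry locations on a Windows 10/11 client, reports which source is configured, tests whether a configured WSUS server is even reachable from the device's current network, and shows the deferral values as applied by Group Policy versus by MDM (Intune) policy side by side. It assumes an elevated PowerShell session on the client and that the policy CSP values land under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update` (the standard location for MDM-applied Update policies).

```powershell
# Added example (not part of the original Q&A thread). Run elevated on the client.
# Shows (1) the update *source* the client uses, (2) whether that source is reachable
# from the current network, (3) the update *strategy* (deferrals) from GPO and MDM.

$gpoWU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'     # GPO WUfB/WSUS policy
$gpoAU = "$gpoWU\AU"                                                   # Automatic Updates policy
$mdmWU = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' # MDM (Intune) Update CSP

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Update source: WSUS (WUServer + UseWUServer=1) or Windows Update.
$wuServer    = Get-RegValue $gpoWU 'WUServer'
$useWUServer = Get-RegValue $gpoAU 'UseWUServer'
$dualScanOff = Get-RegValue $gpoWU 'DisableDualScan'

if ($useWUServer -eq 1 -and $wuServer) {
    Write-Host "Update source: WSUS ($wuServer)"
    # 2. A device on another domain/network typically cannot reach the WSUS URL at all.
    $uri   = [uri]$wuServer
    $reach = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    Write-Host ("WSUS reachable on port {0}: {1}" -f $uri.Port, $reach.TcpTestSucceeded)
    if ($dualScanOff -eq 1) {
        Write-Host 'DisableDualScan=1: client scans WSUS only, WUfB deferral policy does not redirect it to Windows Update'
    }
} else {
    Write-Host 'Update source: Windows Update / Windows Update for Business (no WSUS policy set)'
}

# 3. Update strategy: deferral and pause values, GPO column vs MDM (Intune) column.
$names = 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
         'PauseQualityUpdatesStartTime', 'PauseFeatureUpdatesStartTime', 'BranchReadinessLevel'
$names | ForEach-Object {
    [pscustomobject]@{
        Policy = $_
        GPO    = Get-RegValue $gpoWU $_
        MDM    = Get-RegValue $mdmWU $_
    }
} | Format-Table -AutoSize

# Sanity check: an Intune update ring can only apply if the device is MDM-enrolled.
$enrolled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Enrollments'
Write-Host ("MDM enrollment keys present: {0}; MDM Update policy present: {1}" -f $enrolled, (Test-Path $mdmWU))
```

If the output shows a WSUS URL with `TcpTestSucceeded: False`, the client has a policy it can never satisfy from its current network, which matches the situation the question describes; a device that shows no WSUS policy and MDM deferral values is getting its strategy from Intune and its bits from Windows Update, which only needs an internet connection whenever the device happens to be online.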

  2. Eccup Reservoir 66 Reputation points
    2023-11-22T12:12:44.02+00:00

    This doesn't address my scenario, I'm afraid. I don't think a device on a different domain and a different network can connect with our WSUS server?

    Also, this doesn't help with third-party software patching (which can be done with Intune).

