Intune & MECM Co-management

Question

Hi, I am in testing phase of Intune & MECM Co-management (worked a lot with MECM but new in Intune territory). There are 2 test Windows 10 1809 machines (VM & Physical). Device Configuration (Endpoint Protection/Resource access policies) and Windows Update policies workloads are set to Pilot Intune and staged to collection containing those 2 test machines. For testing purposes, I assigned AV (Defender) policy/Windows 10 Update ring profile to group containing those 2 test machines.

What if I set only some settings in Intune AV policy and not all defined in MECM antimalware policy deployed before to these machines (leaving as not configured)? I assume that settings defined in Intune AV policy will take precedence over same settings defined in MECM antimalware policy in case of the conflict? How to check if test machine got Defender definition updates from "Intune"?

Regarding Windows 10 Update Rings, physical test machine got quality/feature updates and now is running Windows 10 2004 while on virtual test machine nothing happened - it is still at 1809 and quality updates for 1809 were not automatically installed. My idea is to achieve automatic installation of quality updates after some deadline with version staying at 1809.

Any help would be appreciated.

Answer 1

@Bojan Zivkovic , From your description, I find we have configured AV policy and windows update ring policy for two test machines. It seems there are two issues.Please understand that to make the thread not confused. we only focus on one issue in a thread. Here, we will focus on the windows update ring issue. For the AV policy issue, we can check the Device status under the AV policy to know if it is applied. If there's any error, we suggest to open a new thread to discuss. Thanks!

For the Windows 10 Update Ring issue, I know one physical machine is updated to Windows 10 2004. For the virtual machine, it is still at Windows 10 1809 and no updates are installed. if there's any misunderstanding, feel free to let us know.

We suggest to go to the virtual machine, Settings->Accounts->Access work or school- click the account, choose info and click sync to sync intune policy. Wait the policy synced and restart the machine. check if we can get the new updates.

However, if the issue still persists, we suggest to collect the following information:

1. Go to the windows 10 update Rings policy in Intune, check the device status to see if there's any failure and see the detailed setting failure.
2. Go to Intune portal, Devices find the affected virtual device. check if the workloads are transferred to intune.
   
3. On the affected virtual machine, go to Settings -> Updates and Security -> Windows Update -> Advanced Options, Click View configured update policies, then verify that the policy type is Mobile Device Management:

Please check the above information and if there's any update, feel free to let us know.

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

I did the following:

1. Synced policy
2. Restarted VM
3. Checked for updates - only update for Defender was downloaded/installed
4. Checked deployment status of Windows 10 Update Ring is succeeded
5. Checked Intune managed workloads on VM: Resource Access Profiles; Device Configuration; Windows Update for Business; Endpoint Protection
6. Checked update policies - many policies there, GPO and MDM type, same as on physical box I guess since they are in the same OU

Answer 3

Answer 4

Maybe this can help as well.

Answer 5

And on VM I do not have any REG_SZ entry in given registry location - there are more below these caught by snippet: