Manage Windows 10 and Windows 11 software updates in Intune
Use Microsoft Intune to manage the install of Windows 10/11 software updates from Windows Update for Business.
By using Windows Update for Business, you simplify the update management experience. You don't need to approve individual updates for groups of devices and can manage risk in your environments by configuring an update rollout strategy. With Intune, you can configure update settings on devices and configure deferral of update installation. You can also prevent devices from installing features from new Windows versions to help keep them stable, while allowing those devices to continue installing updates for quality and security.
Intune stores only the update policy assignments, not the updates themselves. When you save a policy, Intune passes the configuration details to Windows Update, which then determines which updates will be offered to each device. Devices access Windows Update directly for the updates.
Learn more about Windows feature and quality updates in the Windows documentation.
Policy types to manage updates
Intune provides the following policy types to manage updates, which you assign to groups of devices:
Update rings for Windows 10 and later: This policy is a collection of settings that configures when devices that run Windows 10 and Windows 11 updates get installed. Update ring policies are supported for devices that run Windows 10 version 1607 or later, and Windows 11. For more information, see Update rings policy.
Feature updates for Windows 10 and later: Use Feature updates policy updates devices to the Windows version you specify, and then freezes the feature set version on those devices. This version freeze remains in place until you choose to update them to a later Windows version. While the feature version remains static, devices can continue to install quality and security updates that are available for their feature version.
You can also use Feature updates policy to upgrade your devices that run Windows 10 to Windows 11.
Quality updates for Windows 10 and later: With Quality updates for Windows 10 and later, also referred to as Expedited updates, you can expedite the install of the most recent Windows 10 and Windows 11 security updates as quickly as possible on devices you manage with Microsoft Intune. Expedited install is accomplished without the need to pause or edit your existing monthly servicing policies. For more information, see Expedite updates policy.
Driver updates for Windows 10 and later: With Windows Driver Update Management in Microsoft Intune, you can review, approve for deployment and pause deployments of driver updates for your managed Windows 10 and Windows 11 devices. Your policies can automatically install the newest recommended driver for you, or wait for an admin to manually approve drivers before they are installed. Intune and the Windows Update for Business (WUfB) deployment service (DS) take care of the heavy lifting to identify the applicable driver updates for devices that are assigned a driver updates policy. For more information, see Driver updates policy.
Policy limitations for Workplace Joined devices
Microsoft introduced a cloud service as part of the Windows Update for Business product family, Windows Update for Business deployment service (WUfB ds). As a cloud service, WUfB ds supports device update capabilities that require a device to have an Azure Active Directory registration (AADJ devices). These capabilities aren’t supported with Workplace Join (WPJ) devices. Windows update management on WPJ devices remains supported through core Windows Update for Business (WUfB) capabilities and the Intune Update rings for Windows 10 and later policy type.
The following Intune policy types for Windows Updates use WUfB ds, which prevents their support on WPJ devices:
- Driver Updates for Windows 10 and later
- Feature Updates for Windows 10 and later
- Quality Updates for Windows 10 and later
If you support WPJ devices with Intune, the following information can help you understand the differences in capabilities based on policy type, for both WPJ devices and AADJ devices.
|Capability||WUfB via Update Ring policy||WUfB-ds via Driver, Feature, and Quality update policies|
|WPJ device support||Yes||No|
|AADJ device support||Yes||Yes|
|Scan for Updates and Restart schedules||Yes||Use Update Ring policies to manage schedules|
|Enforce Update Deadlines||Yes||Use Update Ring policies to enforce deadlines|
|Control which updates to install||Feature: Yes - Defer all feature updates by specified daysQuality: Yes - Defer all quality updates by specified daysDrivers: Yes - Allow or Block all Recommended drivers - No support for Other drivers||Feature: Yes - Manage individual updates - Specify Start Date or Gradual Rollout start and end dates. Quality: Use Update Ring policies Drivers: Yes - Manage individual Recommended and Other drivers.|
|Pause Updates||Feature: - Pause all updates Quality: - Pause all updates Drivers: - Block all updates||Feature: - Pause individual updates Quality: - Pause individual updatesDrivers: - Pause individual updates|
|Expedite Quality Update||No||Yes|
|Reports - Summary count of devices: - Feature updates - Quality updates||WUfB reports||WUfB reports|
|Reports – Detailed status: - Per Update||WUfB reports||Yes, in Intune|
Move from update ring deferrals to feature updates policy
When using Intune to manage Windows updates, it's possible to use both update rings policy with update deferrals, and feature updates policy to manage the updates you want to install on devices. If you're using feature updates, we recommend you end use of deferrals as configured in your update rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations. You can continue to use the user experience settings from update rings, as they don't create issues when combined with feature updates policy.
While nothing prohibits use of both policy types to control which updates can install on a device, there's typically no advantage to doing so. When both policy types apply to a device, the conditions of both policy types must be met (be true) on the device before it's offered an applicable update. This scenario can lead to updates not installing as expected due to a block by one of the policy types.
Plan to transition
Plan to manage the change from using update ring deferrals to feature updates so that the Windows Update service can be ready to deploy the updates you expect.
When Intune policies for Windows updates are created or modified, Intune passes the policy details to Windows Update, which then determines the updates that are applicable for each device that's assigned one or more update policies.
The process to evaluate updates for devices can take up to 10 minutes to complete, and in some cases might take a bit longer.
If a device starts a scan for updates after a deferral has been set to zero or removed for the device, but before Windows Update completes the processing of the feature updates policy, that device can be offered an update you didn't plan for it to install.
Use the following process to ensure Windows Update has processed your feature updates policy before deferrals are removed.
Switch to feature updates policy
In the Microsoft Intune admin center, create a feature updates policy that configures your desired Windows version, and assign it to applicable devices.
After the saved policy is assigned to devices, it will take a few minutes for Windows Update to process the policy.
View the Windows 10 feature updates (Organizational) report for the feature update policy, and verify devices have a state of OfferReady before you proceed. Once all devices show OfferReady, Windows Update has completed processing the policy.
After devices are verified to be in the OfferReady state you can safely reconfigure the Windows 10 and later update ring policy for that same set of devices to change the setting Feature update deferral period (days) to a value of 0.
Reporting on updates
To learn about report options for Update rings policy and Windows feature updates policy, see Windows update reports.