Deploying updates and patches through Microsoft Intune is an efficient way to manage Windows feature upgrades across devices. By leveraging Intune’s feature update policies, organizations can control which version of Windows is installed on their devices, ensuring a smooth and stable update process. Whether you’re managing Windows 10 or upgrading to Windows 11, Intune provides a streamlined approach to maintaining consistency and control over device updates.
Managing Windows feature updates with Intune
With Intune, administrators can select a specific Windows feature update version, such as Windows 10 version 1909 or a specific version of Windows 11, and ensure devices remain at that version. This allows organizations to maintain a consistent feature set across their devices while avoiding unnecessary disruptions from automatic updates. For devices running Windows 10, it is even possible to upgrade them to Windows 11 through these policies.
Feature update policies work seamlessly with Update Rings in Intune. While Update Rings ensure devices receive quality and security updates, the feature update policy controls the version of Windows installed, preventing devices from updating to a later version than specified in the policy. This approach ensures stability, especially for businesses with critical workflows that could be disrupted by newer Windows versions.
When a feature update policy is applied, the device updates to the specified version unless it is already running a newer version of Windows. If the device is already up to date, no changes will be made, allowing the device to continue operating with its current feature set.
Safeguard holds and feature update limitations
Sometimes, a device may not be able to install an update due to safeguard holds. Safeguard holds are temporary blocks created when known issues are detected for a specific Windows version. Once these issues are resolved, the device will be allowed to update. Administrators can monitor known issues and safeguard holds through the Windows release information.
Unlike the temporary pause option in Update Rings, which lasts for 35 days, feature update policies remain in effect until modified or removed. This ensures that devices won’t receive new feature updates unless explicitly allowed by the policy. If administrators decide to change the policy to a newer version, devices will begin receiving updates accordingly.
Prerequisites for deploying updates with Intune
To deploy feature updates using Intune, there are several prerequisites. Devices must be enrolled in Intune and joined to either Microsoft Entra or Hybrid Active Directory. Telemetry, a key reporting feature, must be enabled with a minimum setting of “Required.” Without this, devices may install a later version of Windows than intended. Additionally, for cloud-based functionality, organizations must have a valid Intune license along with a Windows Update for Business deployment service (WUfB ds) license.
Feature update policies are supported on Windows 10 and 11 editions, including Pro, Enterprise, and Education, but do not apply to editions such as Windows 10/11 Enterprise LTSC. For devices running LTSC, alternative patching methods, such as WSUS or Configuration Manager, must be used.
Best practices for configuring updates
To avoid complications during updates, administrators should set the feature update deferral period to zero. This prevents any delays in feature updates caused by deferrals in the Update Rings policy. Additionally, feature update policies should not be applied during the Autopilot out-of-box experience (OOBE) but rather after the initial Windows update scan.
For co-managed devices using both Configuration Manager and Intune, there may be an initial delay in applying the feature update policy. However, this is temporary, and devices will eventually update to the intended version as configured in Intune.
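The prerequisites and the zero-day deferral recommendation above can be checked locally on a device before it is added to a feature update policy's assignment group. The script below is an added example, not part of the original article or of Intune. The registry locations (MDM PolicyManager and Group Policy) and the `EnterpriseS` edition match for LTSC are assumptions to verify in your environment, and the function names are hypothetical.

```powershell
# Added example: local readiness check for an Intune feature update policy.
# Does not verify Intune enrollment or licensing; confirm those in the admin center.

function Get-PolicyValue {
    # Return the first configured value found in the given registry paths, or $null.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [int]$v }
    }
    return $null   # not configured by MDM or Group Policy
}

function Test-FeatureUpdateReadiness {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Diagnostic data level: 0 = off, 1 = Required, 2 = Enhanced, 3 = Optional.
    $telemetry = Get-PolicyValue -Name 'AllowTelemetry' -Paths @(
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection')

    # Feature update deferral from an Update Ring or GPO; should be 0.
    $deferral = Get-PolicyValue -Name 'DeferFeatureUpdatesPeriodInDays' -Paths @(
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')

    # AzureAdJoined is YES for both Entra joined and hybrid joined devices.
    $joined = [bool](dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*YES')

    [pscustomobject]@{
        Edition          = $cv.EditionID
        # LTSC editions report an EditionID ending in EnterpriseS / EnterpriseSN.
        EditionSupported = $cv.EditionID -notmatch 'EnterpriseSN?$'
        EntraJoined      = $joined
        TelemetryLevel   = $telemetry
        # Blank TelemetryLevel means no policy was found; review it manually.
        TelemetryOk      = ($null -ne $telemetry) -and ($telemetry -ge 1)
        DeferralDays     = $deferral
        # Blank DeferralDays means no deferral policy is applied.
        DeferralOk       = ($null -eq $deferral) -or ($deferral -eq 0)
    }
}

Test-FeatureUpdateReadiness | Format-List
```

Run it from an elevated PowerShell session on the device; any `False` value points to the prerequisite or setting to correct before relying on the feature update policy to hold the device at the intended version.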
How to deploy a feature update policy
Deploying a feature update policy in Intune is straightforward. After signing in to the Intune admin center, administrators can create a profile under the “Windows 10 and later updates” section and specify the feature update version they want devices to run. The rollout settings can be configured to manage when updates are available to devices. Once the policy is created, it is assigned to device groups, ensuring the right devices receive the update.
Reports can be generated to track the progress of updates, providing insights into which devices have successfully installed the update and those that still need attention. These tools give administrators full control over the deployment process and ensure devices are consistently updated according to organizational policies.
Conclusion
Managing feature updates and patches is critical for maintaining the security and performance of your organization’s devices. By utilizing Intune’s feature update policies, AVASOFT can help businesses maintain control over their Windows environments, ensuring devices stay updated without disrupting operations. Whether you’re looking to manage existing Windows 10 devices or planning an upgrade to Windows 11, Intune offers a flexible and efficient solution for all your update needs.