**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.
If you are going to manage endpoint devices, you have to manage patches. Patch management has been a cornerstone of Windows management for as long as I have been in IT, and that is not going away anytime soon.
First there was SMS (which became SCCM and finally MECM). For smaller businesses there was System Center Essentials for a while, but that died after SCE 2010. Of course, for the much smaller organizations without System Center there has always been Windows Server Update Services (WSUS).
Of course, there are also myriad third-party management tools available, but I won’t list them here.
Suffice it to say, for the last twenty or more years there have been a series of tools available to patch Windows (and other Microsoft and third-party applications and servers). What they all have in common is that they have all required that the endpoints being patched are connected to your network. Whether that was by Ethernet cable, Wi-Fi, or VPN, you needed connectivity to the infrastructure.
I have spoken with many clients over the past year whose employees are working from home, and who do not have the remote infrastructure – or possibly even the network bandwidth – to do remote patching from their infrastructure. When then ask me what the solution is I say: “Simple… Microsoft Intune.”
Patch management from Intune is not new. I was managing the Windows patching for my immediate circle using Intune as far back as Windows 7. Back then, it looked similar to WSUS – you would approve patches and it would push them out. Today, as it is with Windows 10, things are a little different. For the most part, we are not approving individual patches. The patch management group wants us to trust that it knows what patches we need.
*During the writing of this article, Microsoft announced a new method to expedite Windows updates, essentially the ability to pick and choose patches to prioritize. Read the article here for more information.
So let’s create an update ring to keep a group of our devices connected.
Firstly let’s connect to our Microsoft Endpoint Manager admin center (https://www.endpoint.microsoft.com). In the Navigation bar, click Devices.
In the Devices | Overview screen that appears, click Windows 10 update rings (in the sub-navigation bar, under Policy). In the Devices | Windows 10 update rings screen, click +Create profile.
In the Basics tab, type a name for the update ring in the Name dialog box. If you want, you can enter a description in the box below. Click Next.
In the Update ring settings tab, I will set the following options:
Servicing channel: Semi-Annual Channel
Microsoft products update: Allow
Windows drivers: Allow
Quality update deferral period (days): 3
Feature update deferral period (days): 30
Set feature update uninstall period (2-60 days): 15
User experience settings
Automatic update behavior: Auto install and restart at maintenance time
Active hours start: 8 AM
Active hours end: 6 PM
Restart checks: Allow
Option to pause Windows updates: Enable
Option to check for Windows updates: Enable
Require user approval to dismiss restart notification: No
Remind user prior to required auto-restart with dismissible reminder (hours): 4
Remind user prior to required auto-restart with permanent reminder (minutes): 15
Change notification update level: Turn off all notifications, excluding restart warnings
Use deadline settings: Allow
Deadline for feature updates: 15
Deadline for quality updates: 5
Grace period: 3
Auto reboot before deadline: No
Of course, each of these options is how I want it, but you can change them to your needs. Once done, click Next.
On the Assignments tab, you can select what groups to include or exclude. Under Included groups click Add groups. In the sidebar that appears, select the group (or groups) that you want to affect, and then click Select. Back on the Assignments tab, you can either click what groups to exclude, or you can click Next.
On the Review + Create tab, verify that your settings are as you want them, and then click Create.
The policy should only take a couple of seconds to appear in the list on your Devices | Windows 10 update rings page. If it is not there after a few seconds, click Refresh.
Once this is done, the machines (or machines assigned to users) in the assigned groups will start getting patches on this schedule. It is simple as that!
Remember, this is not only Windows 10 patches, but also any other Microsoft products, as well as device drivers. How cool is that?
In a future article, I will talk about the new option for Windows 10 Quality Updates. Unfortunately, that is a new feature that is being rolled out gradually, and which has not hit my demo tenant yet.