Co-Management – Windows Updates

In this post I am going to walk you through moving the Windows update for business workload from SCCM to Intune and what that actually means. Now this workload in particular can be difficult for people to understand because a lot of the time Windows Updates are managed from an on-premises WSUS server so you aren’t just moving the management of windows updates from SCCM to Intune your actually changing the whole method of update delivery for your clients.

Essentially your clients will start to go to Windows Update directly for Quality and Feature updates (or Peers if you have enabled Delivery Optimization) instead of a local WSUS server. This may put you in a position to be able to remove your WSUS server altogether freeing up the overhead of managing the server or you may decide it is still required for other updates (Dual Scan).

Moving the Workload

  • Open your SCCM Admin Console
  • Click Administration
  • Expand the Cloud Services Folder
  • Choose Co-Management
  • Go to the Properties of your Existing Co-Management configuration

On the workloads tab move the slider for Windows Update Policies from Config Manager over to either Pilot Intune or Intune. I recommend always moving to Pilot Intune first so you can validate the settings with a Pilot Collection before moving to production.


Once the workload has been moved the configuration for Windows Updates will now be managed from Intune.

Creating the Update Policy in Intune


  • Enter a Name
  • Enter a Description
  • Choose Configure


Now you need to configure the settings which will apply. For an overview of servicing channels use the following link:

Update Settings

  • Select a Servicing Channel
    • Semi Annual Channel
    • Semi Annual Channel (Targeted)
    • Windows Insider – Fast
    • Windows Insider – Slow
    • Release Windows Insider
  • Allow/Block Microsoft Product Updates
  • Allow/Block Driver Update
  • Set the Quality Update Deferral Period (0-30 days)
  • Set the Feature Update Deferral Period (0-365 Days)
  • Set the Uninstall period available for Feature Updates (2-60 Days)


User Experience Settings

Configure the rest of the settings to suit the requirements of your business


You will notice the Delivery Optimization section is greyed out, this is because the settings have been moved over to a configuration profile. You can see my post detailing further information on this:

Once you have created the policy you can now assign this just as you would assign any other policy in Intune.


The Client Experience

  • On The Client
  • Navigate to Settings
  • Updates & Security
  • Windows Update
  • Choose “View Configured Update Policies”


Now you will see a lot a new entries which were set by MDM (Intune) so we know the settings have been applied. You will also notice there are other settings which were not set by MDM. Now these settings are your previously configured update settings i.e. WSUS Settings. You can leave this in place which means dual scan is activated and essentially the device will go to Windows Update for Windows Product updates and go to WSUS for any other updates.


OPTIONAL – Removing WSUS Settings to disable Dual Scan

You may decide you no longer want to client to use the SUP/WSUS for any updates I.e you are planning on decommissioning your SUP/WSUS server. If this is the case you will want to disable the settings for WSUS on the client which will disable dual scan.

If you had previously been using SCCM to manage updates then you can disable the settings in the SCCM Console.

  • Go to Administration
  • Go to Client Settings
  • Open the Properties of the relevant Client Setting
  • In the Software Updates Section change the “Enable Software Updates on Clients” setting from Yes to No