Co-Management – Windows Updates

In this post I am going to walk you through moving the Windows update for business workload from SCCM to Intune and what that actually means. Now this workload in particular can be difficult for people to understand because a lot of the time Windows Updates are managed from an on-premises WSUS server so you aren’t just moving the management of windows updates from SCCM to Intune your actually changing the whole method of update delivery for your clients.

Essentially your clients will start to go to Windows Update directly for Quality and Feature updates (or Peers if you have enabled Delivery Optimization) instead of a local WSUS server. This may put you in a position to be able to remove your WSUS server altogether freeing up the overhead of managing the server or you may decide it is still required for other updates (Dual Scan).

Moving the Workload

  • Open your SCCM Admin Console
  • Click Administration
  • Expand the Cloud Services Folder
  • Choose Co-Management
  • Go to the Properties of your Existing Co-Management configuration

On the workloads tab move the slider for Windows Update Policies from Config Manager over to either Pilot Intune or Intune. I recommend always moving to Pilot Intune first so you can validate the settings with a Pilot Collection before moving to production.

image

Once the workload has been moved the configuration for Windows Updates will now be managed from Intune.

Creating the Update Policy in Intune

image

  • Enter a Name
  • Enter a Description
  • Choose Configure

image

Now you need to configure the settings which will apply. For an overview of servicing channels use the following link: https://docs.microsoft.com/en-gb/windows/deployment/update/waas-overview#servicing-channels

Update Settings

  • Select a Servicing Channel
    • Semi Annual Channel
    • Semi Annual Channel (Targeted)
    • Windows Insider – Fast
    • Windows Insider – Slow
    • Release Windows Insider
  • Allow/Block Microsoft Product Updates
  • Allow/Block Driver Update
  • Set the Quality Update Deferral Period (0-30 days)
  • Set the Feature Update Deferral Period (0-365 Days)
  • Set the Uninstall period available for Feature Updates (2-60 Days)

image

User Experience Settings

Configure the rest of the settings to suit the requirements of your business

image

You will notice the Delivery Optimization section is greyed out, this is because the settings have been moved over to a configuration profile. You can see my post detailing further information on this: https://triplesixseven.com/migrate-delivery-optimization-settings-from-update-rings-to-a-configuration-profile-intune/

Once you have created the policy you can now assign this just as you would assign any other policy in Intune.

image

The Client Experience

  • On The Client
  • Navigate to Settings
  • Updates & Security
  • Windows Update
  • Choose “View Configured Update Policies”

image

Now you will see a lot a new entries which were set by MDM (Intune) so we know the settings have been applied. You will also notice there are other settings which were not set by MDM. Now these settings are your previously configured update settings i.e. WSUS Settings. You can leave this in place which means dual scan is activated and essentially the device will go to Windows Update for Windows Product updates and go to WSUS for any other updates.

image

OPTIONAL – Removing WSUS Settings to disable Dual Scan

You may decide you no longer want to client to use the SUP/WSUS for any updates I.e you are planning on decommissioning your SUP/WSUS server. If this is the case you will want to disable the settings for WSUS on the client which will disable dual scan.

If you had previously been using SCCM to manage updates then you can disable the settings in the SCCM Console.

  • Go to Administration
  • Go to Client Settings
  • Open the Properties of the relevant Client Setting
  • In the Software Updates Section change the “Enable Software Updates on Clients” setting from Yes to No

image

Jake Stoker

Jake Stoker

Enteprise Mobility + Security SME