Configure Windows Update Notifications in Intune using Graph API

You will be aware that as of 1903, Intune introduced new functionality for Windows update rings that allows IT admins to suppress update notifications and prevent end users from manually scanning for Windows updates. The bad news? These settings must be configured via Graph.

Not familiar with Graph? FEAR NOT! Let’s configure together.

There are many ways you can interact with Graph but for this tutorial we will be utilising Graph Explorer. Let’s get started!

The Configuration

First, let’s go ahead and jump on over to Graph Explorer. When you are there, click “Sign in with Microsoft” and authenticate with an admin account that has either global admin or Intune service administrator rights, preferably the latter, as it is the less privileged of the two roles.

Link > (https://developer.microsoft.com/en-us/graph/graph-explorer)

Great, now that we are signed in we want to filter ‘Device Configurations’ to only show Windows Update Rings. Go ahead and copy the link below and paste it in as the request URL. Once done, let’s click Run Query.

https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$filter=isof(%27microsoft.graph.windowsUpdateForBusinessConfiguration%27)

Note: if this is the first time you have used Graph Explorer you may receive an initial ‘access is denied’ due to permissions. Click ‘modify your permissions’ to do just that!

Next, let’s select the specific update policy to which we want to apply our new Windows update settings. To do this, copy the ID of the policy, append it to the URL after ‘deviceConfigurations’ and click Run Query.

Before: https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$filter=isof(%27microsoft.graph.windowsUpdateForBusinessConfiguration%27)

After: https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/83b10e15-db06-4932-8064-e064eb0160ea

Now that we have our policy selected, let’s go ahead and patch in the new values for our payloads. We now need to pass the new values in the following format:

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations/$entity",
  "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
  "userWindowsUpdateScanAccess": "Value",
  "updateNotificationLevel": "Value"
}

Note: Replace “Value” with the values of your choice from the tables below.

userWindowsUpdateScanAccess

| Setting | Value | Description |
|---|---|---|
| notConfigured | 0 | Not configured |
| enabled | 1 | The user is blocked from scanning for windows updates |
| disabled | 2 | The user can scan for updates. |

updateNotificationLevel

| Setting | Value | Description |
|---|---|---|
| notConfigured | 0 | Not configured |
| defaultNotifications | 1 | Use the default Windows Update notifications. |
| restartWarningsOnly | 2 | Turn off all notifications, excluding restart warnings. |
| disableAllNotifications | 3 | Turn off all notifications, including restart warnings. |

Change your REST method to PATCH and click Run Query.

Provided your syntax is correct, Graph Explorer should return a 204 status, which indicates that the patch has been successful.

Changing your REST method back to GET should now show the settings we configured with the appropriate keys we patched in.

You can additionally confirm locally that the new settings have been applied by checking Windows Updates > View Configured update policies.
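
The same GET, PATCH, GET sequence can also be scripted so the change is repeatable and checked. The following is an added example, not part of the original walkthrough: it assumes the Microsoft.Graph.Authentication PowerShell module is installed, reuses the policy ID shown above, and the two chosen setting names are illustrative picks from the Setting column of the tables.

```powershell
# Added example: scripted equivalent of the Graph Explorer steps in this article.
# Assumption: Microsoft.Graph.Authentication is installed (Install-Module Microsoft.Graph.Authentication).
$PolicyId = '83b10e15-db06-4932-8064-e064eb0160ea'   # policy ID shown in the article; use your own
$Base     = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'

# Allowed setting names, taken from the two tables in this article.
$ScanAccessValues   = 'notConfigured', 'enabled', 'disabled'
$NotificationValues = 'notConfigured', 'defaultNotifications', 'restartWarningsOnly', 'disableAllNotifications'

$Desired = @{
    '@odata.type'               = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    userWindowsUpdateScanAccess = 'enabled'               # illustrative choice
    updateNotificationLevel     = 'restartWarningsOnly'   # illustrative choice
}

# Reject anything that is not in the tables before touching the tenant.
if ($Desired.userWindowsUpdateScanAccess -notin $ScanAccessValues -or
    $Desired.updateNotificationLevel -notin $NotificationValues) {
    throw 'Unsupported setting value; check the tables in the article.'
}

# Sign in with only the delegated scope needed to read and write device configurations.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Step 1: list Windows update rings only (same filter as the request URL in the article).
$listUri = $Base + '?$filter=isof(%27microsoft.graph.windowsUpdateForBusinessConfiguration%27)'
$rings   = Invoke-MgGraphRequest -Method GET -Uri $listUri
$rings.value | ForEach-Object { '{0}  {1}' -f $_.id, $_.displayName }

# Refuse to patch an ID that is not one of the update rings just listed.
if (-not ($rings.value | Where-Object { $_.id -eq $PolicyId })) {
    throw "Policy $PolicyId is not a Windows update ring in this tenant."
}

# Step 2: PATCH the two settings. A successful call returns 204 with no body.
Invoke-MgGraphRequest -Method PATCH -Uri "$Base/$PolicyId" `
    -Body ($Desired | ConvertTo-Json) -ContentType 'application/json'

# Step 3: GET the policy again and confirm both values were actually stored.
$after = Invoke-MgGraphRequest -Method GET -Uri "$Base/$PolicyId"
foreach ($key in 'userWindowsUpdateScanAccess', 'updateNotificationLevel') {
    if ($after[$key] -ne $Desired[$key]) {
        throw "$key is '$($after[$key])', expected '$($Desired[$key])'."
    }
}
'Update ring settings verified.'
```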


Stewart McLaughlan

Enterprise Mobility + Security SME