Organizations worldwide are shifting operations and management to the cloud as much as possible. Cloud management provides many tremendous benefits, including always accessible management tools, management of workstations located on any network, and many other great features. Microsoft’s Endpoint Manager, including Intune, the cloud-based endpoint management solution, is increasing in popularity and adding new features and capabilities. Recently, Microsoft announced that feature update profiles and expedited update management in Intune have gone GA. What are these new features, and what do they do?
Cloud-based Remote Monitoring and Management (RMM)
Cloud-based remote monitoring and management solutions are extremely popular with organizations now supporting a predominantly hybrid workforce. Traditional monitoring and management solutions typically rely on “line of sight” network access in an on-premises environment. Legacy solutions may communicate on proprietary ports and have other network requirements.
While these solutions worked fine in the old days when everyone was working in the office, and there was no such thing as cloud environments, these are no longer the best solution for most enterprise organizations with a distributed workforce. Businesses now need agility, flexibility, and no network hoops to jump through to manage their endpoints.
Microsoft Intune allows businesses to manage their endpoints with no special network requirements. Once an endpoint is onboarded into Intune, it can be managed using a standard SSL Internet connection over port 443. So, no network challenges or VPNs are required for endpoints connected to the Internet.
This cloud-based approach allows organizations to empower employees with cloud tools and provides IT admins and helpdesk technicians with the cloud-based tools needed to monitor and manage endpoints.
Feature and expedited update management
The Windows Update for Business deployment service has now added Windows feature updates and expedited quality updates in Microsoft Intune as a general availability release. Let’s look at the following:
- Feature updates
- Expedited quality updates
What are Windows feature updates?
Feature updates from Microsoft contain security and quality revisions in other updates and significant additions to the operating system. Therefore, these feature updates are considered major upgrades to the operating system.
Feature updates for Windows 10 and later policy in Intune
One of the new features included with the feature and expedited update management in Intune is the feature update policy profile. The new feature update profile gives you granular control over feature updates in Intune. For example, you can define which feature updates are deployed to devices in your organization.
It supports setting a feature level to any version in support when creating the policy. These work hand-in-hand with the Update rings for Windows 10 and later policies to keep devices on a specific Windows version without applying new feature updates that are newer than those defined by the policy.
There are a couple of caveats to the versions defined in the policy:
- Devices that run a later version of Windows than what is included in the policy will remain on the current version of Windows. So, they won’t downgrade, etc, when the policy is applied.
- If a particular version of Windows has a safeguard hold, when the client device evaluates the feature updates policy, it will create a temporary safeguard hold if an unresolved known issue exists. Once the issue is resolved, the feature update will be applied.
The policy can be updated as needed to target newer updates. Microsoft has made all the currently supported Windows 10 and 11 versions available for the new feature updates. In addition, it provides rollout options to control when feature updates are made available to client devices.
Note the following options:
- Make update available as soon as possible – As soon as the policy and applied, the update will become available to the clients as soon as possible
- Make update available on a specific date – Admins can also specify a specific date for the update to be made available to client devices. This option allows admins to control which specific date updates begin rolling out so as to control and manage the updates in the organization. This process is much easier than previously needing to calculate the deferral days to get updates to start on a specific day using Windows Update for Business. The policy specifically controls the updates and when they begin.
- Make update available gradually – The gradual rollout option is a great way to automate the rollout of feature updates over time. This option gives admins the ability to provide first group availability and final group availability. They can also set the days between groups.
– Microsoft provided some clarification on what the final group availability actually means. It is not the exact day when the rollout ends. Instead, it is the date when the last group begins to update.
The new feature updates profile allows defining rollout options for feature updates
Advantages of using the new feature updates policy
There are many advantages of the new feature updates policy to note:
- With the feature updates policy, devices won’t install a new windows version until the policy is modified or removed
- It is a better approach than simply pausing the Update ring, as the pause expires after 35 days, meaning admins need to monitor this closely and stay on top of the pause periods
- You can still uninstall the feature update
- You can use the new policy for feature updates to manage the schedule on which you want the feature updates deployed
What are quality updates?
Quality updates are the traditional Windows updates released on the second Tuesday of each month. These updates are the regular Windows updates that include security and driver updates and can include critical updates for Windows.
Expedited quality updates
While admins may need to pause or delay feature updates, there may be quality updates they need to expedite. For example, admins may need to deploy expedited updates to resolve a zero-day vulnerability or urgent quality fix for certain devices having issues with a particular driver.
If updates have been deferred, the expedited updates will override the temporary deferral and install the quality updates as soon as possible. After these have been installed, they restore the normal update settings automatically. It takes much of the heavy lifting from administrators, so they don’t have to worry about micromanaging the settings of quality updates.
To expedite the installation of quality updates, click Devices > Quality updates for Windows 10 and later. It will launch the create quality update profile dialog. You will name the profile here and then configure the settings to install the quality updates.
Note the fields:
- Expedite installation of quality updates if the device OS version is less than – In this dropdown list, admins select the update required to be expedited.
- Number of days to wait before the restart is enforced – This setting configures the number of days before a restart is required. Users can schedule the restart, or the process will follow the default behavior and restart the device outside of normal active hours. ***Note*** if this setting is configured as “0,” the user will only be given a 15-minute warning before the device is restarted.
Create a new quality update profile
When you click the Expedite installation of quality updates if device OS version less than dropdown, you can select the update to expedite.
Select the quality updates to expedite installation
Questions regarding expedited updates
- What happens if the device is already on the latest approved update? It will not be expedited for installation.
- What if the device is on an older update? It will be expedited to the latest approved update.
- What if the device is part of an older policy with an older targeted update? It will still be expedited to the latest approved update configured.
Best practices with feature and quality updates in Intune
Note the following new best practices in managing updates in Microsoft Intune:
- Feature update profiles are preferred over using the update deferrals in update rings. You have better control over the process, and it is more automated.
- You should set feature update deferral to 0 days when using the feature update profiles
- Pausing feature update rings can help while troubleshooting feature update problems
- You can now defer or expedite quality updates – Microsoft recommends to continue using the deferral settings in the update rings to apply monthly updates. However, use the expedited quality updates for specific devices you need to apply updates faster than the normal update ring settings.
The new feature updates profiles and expedited quality updates are new improvements in general availability using Microsoft Intune for managing client devices. The new features give admins even more control when new feature updates and quality updates are applied to client devices. In addition, these provide enhancements over using the pause functionality and deferring updates, as opposed to the profile-based approach. As a result, Microsoft Endpoint Manager with Intune continues to offer robust features and capabilities for organizations managing their hybrid workforce devices that keep improving.
- Enroll devices and manage with Microsoft Intune device management
- Group Policy vs. Microsoft Intune Configuration Profiles and how to migrate