Manage Windows Updates From the Cloud Using Endpoint Manager
Are you a device administrator responsible for updating Windows on dozens, hundreds, or thousands of PCs? Have you used WSUS, Configuration Manager or Intune? In this show, we’ll explain all of the options, along with managing Windows Updates from the cloud using Microsoft Endpoint Manager and how it compares to your options in Configuration Manager and WSUS.
Jason Githens from the Windows Management team at Microsoft joins Jeremy Chapman for a full tour of Microsoft Endpoint Manager’s Windows Update ring, feature update, and quality update policies. These policies add a layer of control on top of Windows Update for Business Group Policy settings and are part of the foundation for Windows Autopatch. We’ll take a look at your options and how to use each of them, along with best practice recommendations.
New options offer a surprising amount of control.
Endpoint Manager now gives you many new ways to manage Windows updates from the cloud, with more granular control than you might expect. See how each option can make every rollout easier.
Simplicity by design.
Name your feature update policy profile after the feature update you want to target. Give feature updates an explicit rollout date that overrides the deferral set in your update ring. Schedule around the times that are least disruptive for your organization. Roll out updates gradually, in waves, to extend the change management period. See how you can gain better control over Windows updates delivered through Endpoint Manager.
A smarter way to manage updates.
Understand how the three Windows update policy types (update rings, feature update policies, and quality update policies) relate to each other. Manage device settings for remote work environments. Speed up deployment of security fixes with a quality update policy. Set a grace period for the restart that cumulative quality updates require. See how you can build smarter controls for Windows update policies.
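To confirm on a device that the ring settings described above actually arrived once the Windows Update workload is switched to Intune, here is an added PowerShell check (example code written for this page, not from Microsoft Mechanics or from Microsoft). It assumes that the Policy CSP writes Windows Update for Business values under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update, that Group Policy writes same-named values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, that a lingering WSUS assignment shows up there as UseWUServer and WUServer, and that the ConfigMgr client stores its co-management workload bitmask in HKLM\SOFTWARE\Microsoft\CCM\CoManagementFlags with bit value 16 meaning "Windows Update policies". Verify those names against your own build before relying on the output.

```powershell
# Added example (not from the Microsoft Mechanics page): report the effective
# Windows Update for Business (WUfB) settings on a device and flag leftovers
# that would stop an Intune update ring from taking effect.
# Registry paths and value names below are assumptions; run elevated.

$MdmPath   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'  # Policy CSP (Intune)
$GpoPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'        # Group Policy / WSUS
$GpoAuPath = Join-Path $GpoPath 'AU'
$CcmPath   = 'HKLM:\SOFTWARE\Microsoft\CCM'                                   # ConfigMgr client

# Value names written by the Policy CSP and the WUfB ADMX (assumed).
$Settings = @(
  'DeferQualityUpdatesPeriodInDays',
  'DeferFeatureUpdatesPeriodInDays',
  'ConfigureDeadlineForQualityUpdates',
  'ConfigureDeadlineForFeatureUpdates',
  'ConfigureDeadlineGracePeriod',
  'ActiveHoursStart',
  'ActiveHoursEnd',
  'AllowAutoUpdate',
  'ExcludeWUDriversInQualityUpdate'
)

function Get-RegValue {
  param([string]$Path, [string]$Name)
  if (-not (Test-Path $Path)) { return $null }
  $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { return $null }
  return $item.$Name
}

function Get-WufbPolicyReport {
  # One row per setting: what Intune delivered, what Group Policy delivered,
  # and whether the two disagree (a sign that an old GPO is still linked).
  foreach ($name in $Settings) {
    $mdm = Get-RegValue -Path $MdmPath -Name $name
    $gpo = Get-RegValue -Path $GpoPath -Name $name
    [pscustomobject]@{
      Setting  = $name
      Intune   = $mdm
      GPO      = $gpo
      Conflict = ($null -ne $mdm -and $null -ne $gpo -and $mdm -ne $gpo)
    }
  }
}

function Test-WsusLeftover {
  # UseWUServer=1 together with a WUServer URL means the device still scans a
  # WSUS server rather than the Windows Update cloud service.
  $useWsus = Get-RegValue -Path $GpoAuPath -Name 'UseWUServer'
  $wsusUrl = Get-RegValue -Path $GpoPath   -Name 'WUServer'
  return (($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($wsusUrl))
}

function Test-UpdateWorkloadOnIntune {
  # CoManagementFlags is a bitmask: bit 1 = co-management enabled,
  # bit 16 = Windows Update policies workload (assumed values).
  $flags = Get-RegValue -Path $CcmPath -Name 'CoManagementFlags'
  if ($null -eq $flags) { return $false }   # not a co-managed ConfigMgr client
  return ((($flags -band 1) -eq 1) -and (($flags -band 16) -eq 16))
}

$report = Get-WufbPolicyReport
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Conflict }) {
  Write-Warning 'Intune and Group Policy both set WUfB values; decide which source should own them.'
}
if (Test-WsusLeftover) {
  Write-Warning 'UseWUServer/WUServer still configured: this device scans WSUS, not Windows Update.'
}
if (-not (Test-UpdateWorkloadOnIntune)) {
  Write-Warning 'Windows Update workload is not switched to Intune on this client (or client is not co-managed).'
}
```

Run it on a pilot device right after moving the workload slider: rows where both the Intune and GPO columns are populated are worth a look, a WSUS leftover explains a ring policy that appears to do nothing, and a missing workload bit means the slider change has not reached this client yet.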
Watch our video here.
► QUICK LINKS:
00:00 Introduction of Windows Update management through Endpoint Manager
00:50 New options to manage Windows updates from the cloud
01:28 Configuration Manager vs. cloud-based update management
02:50 How to set up Configuration Manager using Cloud Attach
05:05 An overview of Windows Update rings
08:03 Create Windows feature update and quality update policies
► Link Reference:
• Find the latest information on Windows Update management: aka.ms/ManagementMechanics
• View an interactive guide for the Cloud Attach process: aka.ms/CloudAttach
► Unfamiliar with Microsoft Mechanics?
• As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMe...
• Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t...
• Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com...
• To get the newest tech for IT in your inbox, subscribe to our newsletter: https://www.getrevue.co/profile/msftm...
► Keep getting this insider knowledge, join us on social:
• Follow us on Twitter: https://twitter.com/MSFTMechanics
• Share knowledge on LinkedIn: https://www.linkedin.com/company/micr...
• Enjoy us on Instagram: https://www.instagram.com/microsoftme...
• Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics
- Coming up we’ll take a closer look at Windows updates and what you can now do from the Endpoint Manager admin center from the cloud to stay in control of how updates are delivered and your granular options for when they get installed. And to walk us through everything, we’re joined once again by Jason Githens from the Windows management team at Microsoft. Welcome back to the show.
- Thanks, happy to be here. Looking forward to this.
- Thanks, Jason. Last time you were on the show we actually covered the evolution of Windows device management and what gets better when you move to the cloud. And if you missed that show, you can check it out in our playlist at aka.ms/ManagementMechanics. As we started looking at update management, at the time you said we could do an entire show on that. So here we are, we’re literally doing just that, an entire show on update management.
- Yeah, I’m really glad we have time to dig into this. It’s a big topic and it’s a fundamental part of Windows manageability. The good news is that there are a lot of new options to manage Windows updates from the cloud. And if you haven’t looked at Windows Update for Business in a while, I think you’ll be surprised about the amount of control there is now through Microsoft Endpoint Manager.
- And today we’re really going to focus in on both Windows quality updates, the ones that are published monthly that deliver security updates as well as bug fixes, as well as Windows feature updates, which deliver new features and are delivered less frequently. And a lot of us are probably using Configuration Manager right now to deliver updates. So for anyone who’s watching and wondering what’s the right time, or is now the right time to move to cloud-based update management, can you describe what some of the differences are?
- If you’re using Configuration Manager now, although there’s granularity and control, it can be a lot to manage and track as you update your Windows devices. And you’re probably running a lot of infrastructure to maintain service levels and uptime. As we talked about in the last show, while most devices today are connected to the internet, as people work more hybrid they’re connecting less frequently to corporate networks. So cloud-based updates make a lot of sense now, especially if you need to deploy security updates fast and reliably. Plus, a lot of the pain goes away for the processes used to manage updates when moving from on-prem to the cloud, but let me start with the pain and show you how things get better. I have Configuration Manager running here. I’ll go to Configure Site Components, then Software Update Point. In Classifications you can see I have Security Updates selected and that’s pretty common. In the Products tab I need to choose which products I want, and even when I get to Windows products there are a ton of products to sift through and approve. And once everything is synchronizing with the update service, you’ll see this long list in All Software Updates that I need to approve and deploy. So as you can see, there are quite a few hoops to jump through to curate your Windows update service based on your organizational needs.
- And while you can set up automatic rules if you wanted to, using Config Manager, those still need to be created and monitored and maintained just to make sure they’re all working properly.
- Exactly, so let me show you the path to making things easier. Because in the cloud, we curate the updates for you, and it’s typically faster to just have these updates delivered directly from the Windows Update cloud service following the policies you set in Endpoint Manager. The first thing you’ll need to do is set up co-management for Config Manager using Cloud Attach. And we have an interactive guide that steps you through the process at aka.ms/CloudAttach. In this case, I’ve already configured Cloud Attach. So now I just need to configure it so that Windows update policies are managed via Intune. In my environment I’ll go into its properties. I’ll go to the Workloads tab, and you can configure services for different management control categories, either Config Manager or Intune. And then in Windows Update Policies, I can move this slider here to allow Intune to manage Windows updates.
- And what you just did with that slider is going to open up a ton of new possibilities in a new universe for Cloud-based Endpoint Manager update policy options.
- Absolutely, it does. And once you know how these work and how each policy works together, you’ll see there’s a lot of control. In Endpoint Manager’s device settings for Windows, you’ll see three different Windows update policy options. And even though two of them say Preview, these are fully supported and production ready. I’ll create one for each of these in a second. Importantly, all three policy types have an install before date, enforced by a deadline and a short grace period, for when updates need to be finalized. And let me take a moment to explain how this works. If the deferral dates you set for your update ring policy and feature updates or quality updates don’t line up, remember this. For feature updates to minimize disruptions, the policy with the install by date furthest out will win. Whereas for quality updates, to ensure security fixes are installed as soon as possible, the policy with the closest date wins.
- And I think this is going to make a ton more sense once we start to create a policy for each different type. Even though a lot of us might have been focused in on that one for quality updates, of those three options, its job, really, is just to speed up deployment of security fixes in some cases where your broader update ring policies might be a bit too relaxed for that particular month.
- That’s right, based on how each policy relates to another. We really need to start with an update ring policy, then a feature update policy, and end with a quality update policy. The update ring policy has the most options and controls. So let me start by creating a new update ring. I’ll name it Default Update Ring. Here I can choose, if I want, all Microsoft updates, as well as drivers, then these next couple of deferral settings are super important. Think of them like, ‘Pause updates until this number of days after the update is published in Windows Update.’ For quality updates, I can set a deferral period. And this should be based on how much risk you’re willing to take by delaying the update. Typically we see something between 0 and 10 days. Now don’t worry if you set this to 10 days, for example, and there’s a quality update that you need to roll out faster. We’ll get to that option in a minute when we go through the quality update policy options. Now let’s continue with feature update deferral. We recommend setting the deferral here to zero days. I know that might sound scary, but we’ll also come back to this topic in a second when we get to the feature update policy. As I move down this screen, you’ll also see how long we keep the option open to uninstall feature updates; when the period expires, that will free up the disk space.
- And this next set of options that are under Update Behavior are another area where controls tend to get a lot smarter if you’re coming from, for example, Config Manager or WSUS. No one likes an unexpected forced reboot. And this next set of settings will actually help with that.
- True, and there are quite a few options, but I’ll point to the best ones for most organizations. First, for automatic update behavior we recommend the Reset to default option. This sets up devices to automatically scan each day for updates and uses the built-in Windows intelligent active hours to determine timeframes when people aren’t typically using their device. It also gives each user the opportunity to set the best active hours for themselves so that their device doesn’t restart while they’re working. If you have a case where you need to set specific active hours, use Auto install and restart at maintenance times, and set the active hours start and end times. Then the last setting we recommend you configure are the deadlines. These are different than the deferrals. We recommend that you allow them. Deadlines are the period of time after the deferral and until the update is installed. And as you probably know, for a cumulative quality update to fully install, Windows needs to reboot. So we also have a grace period for that reboot to occur and how long a user can delay that before it’s enforced. Until then, the end user is notified daily and can specify a reboot time, and the system will try to reboot outside of active hours. Most organizations are typically setting the feature update deadline to seven days, the quality update deadline to three days, and a grace period of two days as well. Now to finish out this policy, you can optionally set tags. I’ll skip that. Then I can assign the policy to the right device group. I’ll go ahead and choose all devices. From there I can review and create the policy.
- And if you’re thinking this one policy isn’t currently set up to roll out feature updates over time, now we’re going to actually get to that option with the feature update policy.
- We are, and I only showed how you’d set up your default update ring policy. But you would want to set up other rings. And going back to our feature update deferral of zero days, it probably sounded like a leap of faith, but it’ll make sense in a second. I’m going to create a feature update policy profile. I’ll give it a name: Windows 10 21H2. Here, you can see the name of the feature update we want to target with this policy. I have all the supported feature update options here for Windows 10 and a Windows 11 option, too.
- And I really like that these aren’t the long build or version numbers, just the normal feature update names. As you can see, though, with that policy update, it’s just one feature update per policy. You need to edit that or create a new one to deploy subsequent feature updates.
- That’s by design. Now let’s override that zero days deferral policy we set for feature updates before and push that time out to the date we want. As long as this policy has the same devices in scope and it’s further out in the future than the number of deferral days you set in the update rings policy, it’ll win. To do that, in the rollout options I need to choose an option that specifies an exact date. In our case, our fiscal year ends on June 30 and people are super busy leading up to that day, so I’ll set this to be mid-July as a low-activity date that should be least disruptive. And if you want to roll out your feature update gradually over time to extend the change management period, you can set a first group availability date and a final group availability date. I’ll choose to roll this out over a month with seven days in between groups so everything happens in waves or rings. We will calculate these groups in the back end. Here, either option of course will use delivery optimization so that update files are shared between managed peers on the same local network. And once you’ve configured the deployment settings, the rest of the steps are the same as the update ring I created before.
- Okay, so now it comes down to just that one final update policy for quality updates that we said we’d come back to. Why don’t we explain how you’d use that one?
- The easiest way to think of quality update policies is as break-glass policies, to override your normal update ring settings and get security updates delivered as soon as possible, even if it means forcing a reboot on a user during business hours. So I’ll create one now and name it June 2022. This dropdown lets me choose the update level the device needs to have for policy enforcement. You can see it goes back three months. The top option is the most aggressive one, meaning that even devices that received last month’s quality updates will get this one fast. And this is basically setting the deferral period and the deadline of the quality update to zero days in this case. Then you have a restart enforcement, which was our grace period from before. And that can be zero, one, or two days. Typically one day is a good choice, which is why it’s the default. Then to finish off the policy you set tags and group assignments like the others.
- And importantly here, that quality update profile works together with normal update ring policies. So once you configure these policies, how do we make sure, then, that all of your policies get applied, that the devices are compliant and ready to go?
- Sure. You can use compliance reports for that. To do that, first you configure compliance policies so that reporting knows what to look for and you can see I have a few here already. From here I can head over to my reports and find my devices that are out of compliance, meaning if they don’t have a minimum update level, for example. I’ll navigate to the device compliance report. And I can see that most of my devices are up to date with the exception of this device. It looks like it’s running an out-of-date version of Windows 10. So now I can reach out to Adele and troubleshoot what’s going on with their device.
- So we’ve covered a ton of ground today in terms of update management and also your tooling options. So for anyone who’s watching right now looking to learn more or maybe update their updating process, what do you recommend?
- So if you’re using WSUS or Config Manager to manage all of your updates, I’d encourage you to start testing out some of the update policies we showed today. And if you’re on Config Manager, check out aka.ms/CloudAttach to get our interactive guide that walks you through all the steps to connect your on-prem infrastructure to the cloud.
- Thanks Jason, for joining us today and also sharing all the new info on update management. Of course, keep following our series at aka.ms/ManagementMechanics for more on Windows management and subscribe to Microsoft Mechanics if you haven’t already. And thank you so much for watching.