Windows Update deadline settings in Intune

This article describes how to set up Windows Update deadline settings in Intune.

Situation:

  • Customer coming from ConfigMgr device management & application deployment
  • Migrated to Hybrid Joined Intune MDM managed devices
  • Before the migration they used ConfigMgr with a WSUS server for their updates (cleaned up the reg keys with a PowerShell script)

Target:

  • Deliver updates through Intune (MEM)
  • We want the updates to have no impact on our network bandwidth during business hours
  • We want the updates to be (mostly) delivered peer-to-peer
  • We want to give our end-users 5 days to delay the updates. After 5 days they’ll get installed anyway

Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organisation always up to date with the latest security defences and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organisation as well as a positive update experience for those within your organisation. More info on Windows Update for Business here.  

 

1. Create a Windows Update Ring in Intune

First, some thoughts on my best practices for deploying Windows Updates with Intune. I always recommend that my customers use 3 Update Rings, with 2 as the real minimum. You’ll have a Test update ring with some dedicated devices that get the Windows Updates immediately; you can use the Windows Insider Program for this in your Update Ring settings. On these Test Ring devices you have all the applications installed that are spread across your organisation, so you can test them when you get a new Feature Update. That way, if the tests are good, you can speed up the process for deploying the Feature Update.

The second ring is a Pilot Ring, or Acceptation Ring as I like to call it. In here you have mostly the IT devices plus some devices from across every division in your organisation. Once your tests with the Test Ring are complete you can start enrolling in the Pilot Ring and correct or fix the necessary issues as they pop up here. If all goes well in this ring too, you can again speed up the process for deploying the Feature Update for your whole organisation.

The third ring is the Production Ring. In this ring we find all the devices of our organisation. I’ll only show the Production Ring in this blog post; if wanted, I can show my whole process in a later blog post.

So, navigate to Devices – Windows 10 Update Rings – and let’s create a New Ring.

Some settings worth talking about:

  • Servicing Channel: from Windows version 1903 on, Semi-Annual Channel Targeted (SAC-T) doesn’t exist anymore, so choose the Semi-Annual Channel. (Semi-Annual Channel receives released feature updates twice a year. Feature updates will be made available on this channel once they are ready for broad deployment for consumers as well as enterprise customers. Semi-Annual Channel for 1809 and earlier, and Semi-Annual Channel (Targeted) for 1809 and earlier, have been deprecated and are applicable only to 1809 and earlier. Any deployment-deferral settings that had been made by Windows Update for Business users will stay in effect. When Microsoft is confident that the quality is good enough for enterprises, it releases the update to the SAC channel after making it available on the insider rings and the newly announced release-preview ring.)
  • Deferral days: the days you want to delay the rollout of the new Feature / Quality update. In production there will always be a number here, as you don’t want the new Feature updates installing on the first day. As this is my own test tenant, I have no deferral days set up.
  • Automatic update behaviour: here you can specify your business hours as you don’t want your Windows Updates interfering during work hours.
  • Deadline settings: this is a nice feature that was added recently. It gives your end-users a toast notification in which they can choose when to install their updates. You can also set a deadline so that they must install their updates within x days. That way you can deal with users who keep cancelling the installation of new Windows Updates.
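
To confirm on a device that the ring has arrived and that no WSUS policy is left over from the ConfigMgr days, a check like the one below can be run in PowerShell. It is an added example, not part of the original post; it assumes the standard Windows Update policy key and the MDM policy store for the Update policy CSP, and takes the expected deadline of 5 days from the target stated above.

```powershell
# Added example: run on a managed Windows 10 device after the update ring has synced.
$ExpectedDeadlineDays = 5   # assumption: the 5-day target from this post
$wsusKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$mdmKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Values that point the Windows Update client at a WSUS server instead of Windows Update.
$wsusChecks = @(
    @{ Path = $wsusKey;      Name = 'WUServer' },
    @{ Path = $wsusKey;      Name = 'WUStatusServer' },
    @{ Path = "$wsusKey\AU"; Name = 'UseWUServer' }
)

# Update ring settings as they appear on the device (Update policy CSP names).
$ringNames = 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
             'ActiveHoursStart', 'ActiveHoursEnd', 'ConfigureDeadlineGracePeriod',
             'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineForFeatureUpdates'

$report = @(
    foreach ($check in $wsusChecks) {
        $value = Get-RegValue -Path $check.Path -Name $check.Name
        if ($null -ne $value) {
            [pscustomobject]@{ Check = 'WSUS leftover'; Setting = $check.Name
                               Value = $value; State = 'still present' }
        }
    }
    foreach ($name in $ringNames) {
        $value = Get-RegValue -Path $mdmKey -Name $name
        $state = 'set'
        if ($null -eq $value) { $state = 'not set' }
        elseif ($name -like 'ConfigureDeadlineFor*') {
            # Only the two deadline values are compared with the expected number of days.
            $state = 'differs from expected'
            if ($value -eq $ExpectedDeadlineDays) { $state = 'matches expected' }
        }
        [pscustomobject]@{ Check = 'Update ring'; Setting = $name
                           Value = $value; State = $state }
    }
)

$report | Format-Table -AutoSize
```

Any row with the check "WSUS leftover" means the earlier registry clean-up missed that device.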

 

2. Create a Delivery Optimization profile

Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).

Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.

You can find more info on Delivery Optimization here.

Navigate to Devices – Configuration Profiles – Create a profile – Choose ‘Windows 10 and later’ – Profile type ‘Delivery Optimization’

Some settings worth talking about:

  • Download mode: I choose download mode 2 – HTTP Blended with peering across private group, and sub settings subnet mask – AD Site. This means that I allow devices in the same domain or Active Directory site to be peers and share content. That way not everyone is downloading directly from the CDN, and that’s also what we want to achieve. We don’t want our network to get saturated.
  • Bandwidth optimization: Percentage within business hours. I also don’t want my network to get saturated during business hours, so I specify that here. I only allow a percentage of bandwidth usage during business hours. 
  • Delay background & delay foreground HTTP download: is set to 1 min. This means that for 1 minute the device will look for peers within the network. After the 1 minute has passed it will start downloading from the CDN.
  • Minimum content file size for peer caching: is set to 10MB. This means that the device will start caching files with a minimum file size of 10MB.
  • Maximum cache age: the maximum retention period for each content item in the cache
  • Maximum cache size type: percentage, and is set to 10%. This means that if the end user’s device has a size of 250 GB, it can cache up to 25 GB at maximum.
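
To see whether updates really are coming mostly from peers, the built-in Get-DeliveryOptimizationStatus cmdlet can be summarised per device. The snippet below is an added example, not part of the original post; the 10MB threshold is the minimum peer-caching file size chosen above, and the variable names are illustrative.

```powershell
# Added example: run on a device that has already downloaded updates.
# Get-DeliveryOptimizationStatus returns one object per file handled by Delivery Optimization.
$minPeerFileSize = 10MB   # assumption: the minimum peer-caching file size from this post

# Files below the threshold are never peer-cached, so leave them out of the ratio.
$jobs = @(Get-DeliveryOptimizationStatus |
          Where-Object { $_.FileSize -ge $minPeerFileSize })

# Measure-Object returns nothing for an empty list; the [long] cast turns that into 0.
[long]$fromHttp  = ($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
[long]$fromPeers = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
$total = $fromHttp + $fromPeers

$peerPercent = 0
if ($total -gt 0) { $peerPercent = [math]::Round(100 * $fromPeers / $total, 1) }

[pscustomobject]@{
    FilesConsidered = $jobs.Count
    MBFromHttp      = [math]::Round($fromHttp / 1MB, 1)    # downloaded from the CDN
    MBFromPeers     = [math]::Round($fromPeers / 1MB, 1)   # downloaded from other devices
    PeerPercent     = $peerPercent
} | Format-List

# Download mode actually used per file, to confirm the profile is being applied.
$jobs | Group-Object -Property DownloadMode |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

A low PeerPercent on devices that share an AD site with many others is a reason to revisit the download mode and the HTTP delay settings.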

 

3. End user’s experience

If there are new Windows Updates available for the end user, this is how they will get notified:

or

They get a nice toast popup in which they can choose to pick a time for installing the new updates, restart tonight (if they leave their device on, of course), or restart now. Our deadline settings also take effect here: users get x days in which they can just ignore the popup. After the deadline is reached, the updates will install automatically.

 

A nice read on Keeping Windows 10 devices up to date with Microsoft Intune and Windows Update for Business can be found here.

 

Happy testing!

 

