This article describes what to do when Windows Updates are not installing on Intune devices.
Situation:
- Customer coming from SCCM device management & application deployment
- Migrated to Hybrid Joined Intune MDM managed devices
- Updates came through SCCM pointing to WSUS server (location), configured by a GPO
Target:
- Using Software Updates feature in Intune to deploy feature Windows Updates
While working at a customer moving their on-premises devices to Hybrid Joined Intune MDM managed, I came across an issue where the Windows Updates were not installing on the devices and all went ‘Failed’ in the Intune Software Updates dashboard.
As you can see, this is what the symptom looks like on a device:
Troubleshooting wasn’t so hard, as in this project we went from on-premises SCCM managed devices to Hybrid Joined Intune MDM managed devices. They managed their updates with SCCM but pointing to sources on a WSUS server, so they had some GPOs to configure this. Now the GPOs were not an issue anymore, as they were not applying on these Hybrid Joined Intune MDM managed devices. But if you want to fix this issue, you’ll have to clean up the Windows Registry settings these GPOs have set. You can do that with PowerShell, of course:
function Clear-WsusSettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param ()
    # Values that are already absent raise errors; ignore them
    $ErrorActionPreference = 'SilentlyContinue'
    # Remove the WSUS server location and client-side targeting values set by the GPOs
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Name WUServer
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Name TargetGroup
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Name WUStatusServer
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Name TargetGroupEnable
    # Stop pointing the update client at WSUS and re-enable automatic updates
    Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -Value 0 -Force -Name UseWUServer
    Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -Value 0 -Force -Name NoAutoUpdate
    # Allow access to Windows Update again
    Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Value 0 -Force -Name DisableWindowsUpdateAccess
    # Restart the Windows Update service so it picks up the new settings
    Restart-Service -Name wuauserv
}
# Call the function; a deployed script that only defines it changes nothing
Clear-WsusSettings
After you deploy this PowerShell script with Intune to the Hybrid Joined Intune MDM managed devices, you should see that the registry keys for the WSUS settings are cleaned up and the software updates come through.
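A read-only check for the same registry values, useful before and after the cleanup to confirm that a device no longer carries the WSUS settings written by the GPOs. This is an added example, not part of the original article; the function name Get-WsusPolicyResidue and the exit-code convention are assumptions.

```powershell
# Added example: audit for leftover WSUS policy values (read-only, changes nothing).
# Key paths and value names are the ones the cleanup function on this page touches.
function Get-WsusPolicyResidue {
    [CmdletBinding()]
    param (
        [string]$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    )

    # Values the cleanup removes: any presence counts as residue.
    $mustBeAbsent = 'WUServer', 'WUStatusServer', 'TargetGroup', 'TargetGroupEnable'
    # Values the cleanup sets to 0: residue only when present and non-zero.
    $mustBeZero = @(
        @{ Path = "$PolicyRoot\AU"; Name = 'UseWUServer' }
        @{ Path = "$PolicyRoot\AU"; Name = 'NoAutoUpdate' }
        @{ Path = $PolicyRoot;      Name = 'DisableWindowsUpdateAccess' }
    )

    $checks = @()
    foreach ($name in $mustBeAbsent) {
        $checks += @{ Path = $PolicyRoot; Name = $name; ZeroIsOk = $false }
    }
    foreach ($item in $mustBeZero) {
        $checks += @{ Path = $item.Path; Name = $item.Name; ZeroIsOk = $true }
    }

    foreach ($check in $checks) {
        # Get-ItemProperty returns nothing when the key or the value is missing.
        $props = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $value = $props.($check.Name)
        if ($check.ZeroIsOk -and $value -eq 0) { continue }
        [pscustomobject]@{ Path = $check.Path; Name = $check.Name; Value = $value }
    }
}

$residue = @(Get-WsusPolicyResidue)
if ($residue.Count -gt 0) {
    $residue | Format-Table -AutoSize | Out-String | Write-Output
    exit 1   # assumption: non-zero exit marks a device that still needs the cleanup
}
Write-Output 'No WSUS policy residue found.'
exit 0
```

Save it as a .ps1 file and run it elevated on a test device; any row it prints is a value that still points the update client at the old WSUS configuration.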
PowerShell script settings in Intune:

PowerShell script overview after being deployed to test group:

And after this, you can see that the Windows Updates come through:

Happy testing!