diff --git a/.openpublishing.redirection.intune.json b/.openpublishing.redirection.intune.json
index 92ace33c2b8..24bff02360e 100644
--- a/.openpublishing.redirection.intune.json
+++ b/.openpublishing.redirection.intune.json
@@ -1,5 +1,40 @@
 {
 "redirections": [
+ {
+ "source_path": "intune/device-updates/windows/driver-updates-policy.md",
+ "redirect_url": "/intune/device-updates/windows/driver-update-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "intune/device-updates/windows/quality-updates-policy.md",
+ "redirect_url": "/intune/device-updates/windows/expedite-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "intune/device-updates/windows/settings.md",
+ "redirect_url": "/intune/device-updates/windows/update-ring-policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "intune/device-updates/windows/expedite-updates.md",
+ "redirect_url": "/intune/device-updates/windows/quality-updates",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "intune/device-updates/windows/driver-updates-overview.md",
+ "redirect_url": "/intune/device-updates/windows/driver-updates",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "intune/device-updates/windows/configure.md",
+ "redirect_url": "/intune/device-updates/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "intune/device-updates/windows/reports.md",
+ "redirect_url": "/intune/device-updates/windows/feature-updates-reports",
+ "redirect_document_id": false
+ },
 {
 "source_path": "intune/intune-service/protect/microsoft-cloud-pki-audit-logs.md",
 "redirect_url": "/intune/cloud-pki/audit-logs",
@@ -92,7 +127,7 @@
 },
 {
 "source_path": "intune/intune-service/protect/windows-10-expedite-updates.md",
- "redirect_url": "/intune/device-updates/windows/expedite-updates",
+ "redirect_url": "/intune/device-updates/windows/quality-updates",
 "redirect_document_id": false
 },
 {
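Review bot: The quality-update redirects disagree with each other: the added entry sends `intune/device-updates/windows/quality-updates-policy.md` to `/intune/device-updates/windows/expedite-policy`, while the `@@ -107,17 +142,17 @@` hunk retargets `intune/intune-service/protect/windows-quality-update-policy.md`, which used to point at that same page, to `/intune/device-updates/windows/quality-updates`. The same split shows for `expedite-updates.md`, which redirects to `quality-updates` although the in-page link in `vulnerability-remediation-agent-use.md` (the guidance for CVEs scoring 9.0 or higher) now goes to `expedite-policy.md`, so a bookmarked link and the in-doc link land on different pages. If one landing page is intended per retired article, both aliases should carry it, for example `"redirect_url": "/intune/device-updates/windows/expedite-policy"` on the `windows-quality-update-policy.md` entry; if the split is deliberate, the PR description should say so. Separately, no visible hunk retargets an older alias that points at `/intune/device-updates/windows/reports`, so the rest of the file may need a check for entries that now take two hops through the new `reports.md` redirect.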
@@ -107,17 +142,17 @@
 },
 {
 "source_path": "intune/intune-service/protect/windows-driver-updates-overview.md",
- "redirect_url": "/intune/device-updates/windows/driver-updates-overview",
+ "redirect_url": "/intune/device-updates/windows/driver-updates",
 "redirect_document_id": false
 },
 {
 "source_path": "intune/intune-service/protect/windows-driver-updates-policy.md",
- "redirect_url": "/intune/device-updates/windows/driver-updates-policy",
+ "redirect_url": "/intune/device-updates/windows/driver-update-policy",
 "redirect_document_id": false
 },
 {
 "source_path": "intune/intune-service/protect/windows-quality-update-policy.md",
- "redirect_url": "/intune/device-updates/windows/quality-updates-policy",
+ "redirect_url": "/intune/device-updates/windows/quality-updates",
 "redirect_document_id": false
 },
 {
@@ -127,7 +162,7 @@
 },
 {
 "source_path": "intune/intune-service/protect/windows-update-for-business-configure.md",
- "redirect_url": "/intune/device-updates/windows/configure",
+ "redirect_url": "/intune/device-updates/windows",
 "redirect_document_id": false
 },
 {
@@ -142,7 +177,7 @@
 },
 {
 "source_path": "intune/intune-service/protect/windows-update-settings.md",
- "redirect_url": "/intune/device-updates/windows/settings",
+ "redirect_url": "/intune/device-updates/windows/update-ring-policy-settings",
 "redirect_document_id": false
 },
 {
@@ -3557,7 +3592,7 @@
 },
 {
 "source_path": "intune/intune/protect/windows-10-expedite-updates.md",
- "redirect_url": "/intune/intune-service/protect/windows-10-expedite-updates",
+ "redirect_url": "/intune/device-updates/windows/quality-updates",
 "redirect_document_id": false
 },
 {
@@ -3567,7 +3602,7 @@
 },
 {
 "source_path": "intune/intune/protect/windows-10-update-rings.md",
- "redirect_url": "/intune/intune-service/protect/windows-10-update-rings",
+ "redirect_url": "/intune/device-updates/windows/update-rings",
 "redirect_document_id": false
 },
 {
@@ -3577,7 +3612,7 @@
 },
 {
 "source_path": "intune/intune/protect/windows-driver-updates-policy.md",
- "redirect_url": "/intune/intune-service/protect/windows-driver-updates-policy",
+ "redirect_url": "/intune/device-updates/windows/driver-update-policy",
 "redirect_document_id": false
 },
 {
diff --git a/16834520-wincom-servicing.png b/16834520-wincom-servicing.png
deleted file mode 100644
index 3dcb13f87e1..00000000000
Binary files a/16834520-wincom-servicing.png and /dev/null differ
diff --git a/autopilot/includes/intune-connector.md b/autopilot/includes/intune-connector.md
index aa5d5af3731..4e6b70c68e1 100644
--- a/autopilot/includes/intune-connector.md
+++ b/autopilot/includes/intune-connector.md
@@ -225,15 +225,21 @@ This section describes the MSA requirements. Update `ODJConnectorEnrollmentWizard.exe.config`. Its default location is `C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard`. -1. In the **appSettings section** of the file, add the following line: ```` -2. Sign in to the connector. +1. In the **appSettings section** of the file, add the following line: + + ```` + +1. Sign in to the connector. ##### Disable OU updates Using your own MSA will disable the connector from making any OU updates, regardless of any configured in OrganizationalUnitsUsedForOfflineDomainJoin. To prevent errors, disable OU updates by updating `ODJConnectorEnrollmentWizard.exe.config`. Its default location is `C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard`. -1. In the **appSettings section** of the file, add the following line: ```` -2. Sign in to the connector. +1. In the **appSettings section** of the file, add the following line: + + ```` + +1. Sign in to the connector. ### [:::image type="icon" source="/autopilot/images/icons/software-18.svg"::: **Legacy Connector**](#tab/legacy-connector) 
diff --git a/intune/agents/vulnerability-remediation-agent-use.md b/intune/agents/vulnerability-remediation-agent-use.md index 539de3bab5d..37f1ea49ccd 100644 --- a/intune/agents/vulnerability-remediation-agent-use.md +++ b/intune/agents/vulnerability-remediation-agent-use.md @@ -143,7 +143,7 @@ Remediation guidance falls into the following categories: When a recommendation involves a Windows update, the agent guidance includes details about using [update rings](../device-updates/windows/update-rings.md) to help manage a controlled rollout of the update. > [!IMPORTANT] -> Some suggested Windows update recommendations begin with **Expedite**. The agent uses this format when the CVE's Common Vulnerability Scoring System (CVSS) score reaches a risk value of **9.0** or greater. For this level of risk, the agent recommends expediting these updates to your devices immediately. The guidance includes how to use [Expedited installation of quality updates](../device-updates/windows/expedite-updates.md) to more rapidly deploy the recommended update. +> Some suggested Windows update recommendations begin with **Expedite**. The agent uses this format when the CVE's Common Vulnerability Scoring System (CVSS) score reaches a risk value of **9.0** or greater. For this level of risk, the agent recommends expediting these updates to your devices immediately. The guidance includes how to use [Expedite policies](../device-updates/windows/expedite-policy.md) to more rapidly deploy the recommended update. #### Configuration recommendations diff --git a/intune/configmgr/comanage/faq.yml b/intune/configmgr/comanage/faq.yml index d8e49e4d70d..9a5d8491f2f 100644 --- a/intune/configmgr/comanage/faq.yml +++ b/intune/configmgr/comanage/faq.yml 
@@ -123,7 +123,7 @@ sections: answer: | You can manage updates for Windows and Microsoft 365 apps with either Configuration Manager or Intune. Configuration Manager provides a very detailed and controlled process for managing these updates and their content, which is important to some customers. A modern approach is to just keep devices up to date, but still control the timing and user experiences. - If you switch the **Windows Update policies** workload to Intune, then it becomes the management authority for Windows quality and feature updates. Use Intune to configure settings for update rings and feature update settings. For more information, see [Manage Windows software updates in Intune](../../device-updates/windows/configure.md). + If you switch the **Windows Update policies** workload to Intune, then it becomes the management authority for Windows quality and feature updates. Use Intune to configure settings for update rings and feature update settings. For more information, see [Manage Windows software updates in Intune](../../device-updates/windows/index.md). If you switch the **Office Click-to-Run apps** workload to Intune, then it becomes the management authority for Microsoft 365 apps and updates. When you create a new Microsoft 365 suite deployment, choose the update channel for your clients will be at. For more information, see the following articles: diff --git a/intune/configmgr/comanage/workloads.md b/intune/configmgr/comanage/workloads.md index aaf3a90f1cc..b5371a6eb5f 100644 --- a/intune/configmgr/comanage/workloads.md +++ b/intune/configmgr/comanage/workloads.md 
@@ -44,7 +44,7 @@ After moving the Windows Update workload to Intune, the client settings in Confi > [!NOTE] > To use Windows Autopatch with these devices, this workload must be moved to Intune, and client settings for Software Updates set to 'No' in Configuration Manager. For more information, see [Prerequisites for Windows Autopatch](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites). -For more information on the Intune feature, see [Manage Windows software updates in Intune](../../device-updates/windows/configure.md). +For more information on the Intune feature, see [Manage Windows software updates in Intune](../../device-updates/windows/index.md). ## Resource access policies diff --git a/intune/device-updates/android/fota-updates.md b/intune/device-updates/android/fota-updates.md index d3d9708e7eb..836a8a5e11c 100644 --- a/intune/device-updates/android/fota-updates.md +++ b/intune/device-updates/android/fota-updates.md @@ -5,9 +5,6 @@ ms.date: 04/09/2025 ms.topic: how-to ms.reviewer: jieyan ms.subservice: suite -ms.collection: -- M365-identity-device-management -- sub-updates --- # Android FOTA Updates diff --git a/intune/device-updates/android/software-updates-guide.md b/intune/device-updates/android/software-updates-guide.md index 4c293df7dfd..4b1aeb38f4a 100644 --- a/intune/device-updates/android/software-updates-guide.md +++ b/intune/device-updates/android/software-updates-guide.md @@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw ms.date: 05/29/2024 ms.topic: how-to ms.reviewer: ahamil, talima, mandia -ms.collection: -- M365-identity-device-management -- sub-updates --- # Software updates planning guide for managed Android Enterprise devices in Microsoft Intune diff --git a/intune/device-updates/android/zebra-lifeguard-ota-integration.md b/intune/device-updates/android/zebra-lifeguard-ota-integration.md index 65f8a4c0d67..4a1121602b0 100644 
--- a/intune/device-updates/android/zebra-lifeguard-ota-integration.md +++ b/intune/device-updates/android/zebra-lifeguard-ota-integration.md @@ -5,9 +5,6 @@ ms.date: 08/01/2024 ms.topic: how-to ms.reviewer: jieyan ms.subservice: suite -ms.collection: -- M365-identity-device-management -- sub-updates --- # Zebra LifeGuard Over-the-Air Integration with Microsoft Intune diff --git a/intune/device-updates/apple/index.md b/intune/device-updates/apple/index.md index 4dae5a444b6..df97160a9e9 100644 --- a/intune/device-updates/apple/index.md +++ b/intune/device-updates/apple/index.md @@ -4,9 +4,6 @@ description: Learn how to configure software update policies for Apple devices u ms.date: 10/14/2025 ms.topic: how-to ms.reviewer: beflamm -ms.collection: -- M365-identity-device-management -- sub-updates --- # Configure update policies for Apple devices diff --git a/intune/device-updates/apple/reports.md b/intune/device-updates/apple/reports.md index 92af49ef5dd..63d6894f822 100644 --- a/intune/device-updates/apple/reports.md +++ b/intune/device-updates/apple/reports.md @@ -4,9 +4,6 @@ description: Track Apple device update status in real time with Intune's declara ms.date: 10/14/2025 ms.topic: how-to ms.reviewer: beflamm -ms.collection: -- M365-identity-device-management -- sub-updates --- # Software update reporting for Apple devices diff --git a/intune/device-updates/apple/software-updates-guide-ios-ipados.md b/intune/device-updates/apple/software-updates-guide-ios-ipados.md index c0408c72710..52484f03187 100644 --- a/intune/device-updates/apple/software-updates-guide-ios-ipados.md +++ b/intune/device-updates/apple/software-updates-guide-ios-ipados.md 
@@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw ms.date: 07/24/2025 ms.topic: how-to ms.reviewer: beflamm, ahamil, rogerso -ms.collection: -- M365-identity-device-management -- sub-updates --- # Software updates planning guide and scenarios for supervised iOS/iPadOS devices in Microsoft Intune diff --git a/intune/device-updates/apple/software-updates-guide-macos.md b/intune/device-updates/apple/software-updates-guide-macos.md index 03d2222ef7d..d681fa02615 100644 --- a/intune/device-updates/apple/software-updates-guide-macos.md +++ b/intune/device-updates/apple/software-updates-guide-macos.md @@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw ms.date: 07/23/2025 ms.topic: how-to ms.reviewer: beflamm, ahamil, rogerso -ms.collection: -- M365-identity-device-management -- sub-updates --- # Software updates planning guide for managed macOS devices in Microsoft Intune diff --git a/intune/device-updates/apple/software-updates-ios.md b/intune/device-updates/apple/software-updates-ios.md index 0ef9b77df86..deb56f800f5 100644 --- a/intune/device-updates/apple/software-updates-ios.md +++ b/intune/device-updates/apple/software-updates-ios.md @@ -4,9 +4,6 @@ description: Use Microsoft Intune to manage system updates for supervised iOS/iP ms.date: 10/15/2025 ms.topic: how-to ms.reviewer: annovich, beflamm -ms.collection: -- M365-identity-device-management -- sub-updates --- # Manage iOS/iPadOS software updates using MDM-based policies in Microsoft Intune diff --git a/intune/device-updates/apple/software-updates-macos.md b/intune/device-updates/apple/software-updates-macos.md index 6458f5238ac..d2ab339dff8 100644 --- a/intune/device-updates/apple/software-updates-macos.md +++ b/intune/device-updates/apple/software-updates-macos.md 
@@ -4,9 +4,6 @@ description: Use Microsoft Intune to manage system updates for supervised macOS ms.date: 09/24/2025 ms.topic: how-to ms.reviewer: beflamm -ms.collection: -- M365-identity-device-management -- sub-updates --- # Manage macOS software updates using MDM-based policies in Microsoft Intune diff --git a/intune/device-updates/byod-software-updates-guide.md b/intune/device-updates/byod-software-updates-guide.md index 2e0f67c2d6c..08f31380dcd 100644 --- a/intune/device-updates/byod-software-updates-guide.md +++ b/intune/device-updates/byod-software-updates-guide.md @@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw ms.date: 04/07/2025 ms.topic: how-to ms.reviewer: ahamil, talima, mandia -ms.collection: -- M365-identity-device-management -- sub-updates --- # Software updates planning guide for BYOD and personal devices in Microsoft Intune diff --git a/intune/device-updates/windows/compatibility-reports.md b/intune/device-updates/windows/compatibility-reports.md index ba0019ddc13..3d765ef82f6 100644 --- a/intune/device-updates/windows/compatibility-reports.md +++ b/intune/device-updates/windows/compatibility-reports.md 
@@ -1,19 +1,14 @@ --- -title: Use Windows compatibility reports for Windows updates in Intune +title: Use Compatibility Reports for Windows Updates in Intune description: Use the app and driver compatibility reports for Windows devices before you deploy Intune policies for feature updates or update rings. -ms.date: 11/27/2024 +ms.date: 01/14/2026 ms.topic: how-to ms.reviewer: zadvor -#ms.custom: -ms.collection: -- M365-identity-device-management -- highseo -- sub-updates --- # App and driver compatibility reports for Windows updates -With Intune, you can deploy updates to Windows devices by using policies for [Update rings for Windows 10 and later](update-rings.md) and [Feature updates for Windows 10 and later](feature-updates.md). To help prepare for update deployments, Intune offers integrated reports to help you understand compatibility risks that might affect your devices during or after an update: +With Intune, you can deploy updates to Windows devices with [Windows Update ring policies](update-rings.md) and [feature update policies](feature-updates.md). To help prepare for update deployments, Intune offers integrated reports to help you understand compatibility risks that might affect your devices during or after an update: - **Windows feature update device readiness report** - This report provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows. 
@@ -21,45 +16,6 @@ With Intune, you can deploy updates to Windows devices by using policies for [Up To use these reports, you must first ensure that prerequisites are met and that devices are properly configured for data collection. -## Prerequisites - -### Licensing - -The Windows feature update device readiness and Windows feature update compatibility risks reports require users of enrolled devices to have one of the following licenses: - -- Windows Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows Education A3 or A5 (included in Microsoft 365 A3 or A5) -- Windows Virtual Desktop Access (VDA) per user - -Before using these reports, you must attest to having the required licenses on the [Windows data page](../../intune-service/protect/data-enable-windows-data.md#windows-license-verification) of the Intune admin center. - -### Devices - -To be eligible for the Windows feature update device readiness and Windows feature update compatibility risks reports, devices must: - -- Run a supported version of Windows with the latest cumulative update -- Be Microsoft Entra joined or Microsoft Entra hybrid joined -- Be managed by Intune (including co-managed devices) or a supported version of the Configuration Manager client with [tenant attach enabled](../../configmgr/tenant-attach/device-sync-actions.md) -- Have [Windows diagnostic data enabled](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) at the [Required level](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) or higher - - -Additionally, you must set the [Enable features that require Windows diagnostic data in processor configuration](../../intune-service/protect/data-enable-windows-data.md#windows-data) setting in **Tenant administration** > **Connectors and tokens** > **Windows data** to On. 
- -### Users - -To view these reports, users must be assigned an Intune role with the **Managed devices** > **View reports** permission. This permission is included in the following built-in roles: - -- Endpoint Security Manager -- Read Only Operator -- Help Desk Operator - -In addition, to use the **Windows feature update device readiness report**, users must also have the **Roles** > **Read** permission. This permission is included in the following built-in roles: - -- Endpoint Security Manager -- Read Only Operator -- Help Desk Operator -- Intune Role Administrator - ## Use the Windows feature update device readiness report The **Windows feature update device readiness report** provides a device-level view of compatibility risks associated with an upgrade or update to a chosen version of Windows. diff --git a/intune/device-updates/windows/configure.md b/intune/device-updates/windows/configure.md deleted file mode 100644 index 3ecfb4eae52..00000000000 --- a/intune/device-updates/windows/configure.md +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -title: Learn about using Windows Update client policies in Microsoft Intune -description: Manage Windows software updates by using Intune policy for Update rings for Windows and Windows feature updates for Windows Update client policies in Microsoft Intune. -ms.date: 02/27/2025 -ms.topic: overview -ms.reviewer: davidmeb; bryanke; davguy -#ms.custom: -ms.collection: -- M365-identity-device-management -- sub-updates ---- - -# Manage Windows software updates in Intune - -Use Microsoft Intune to manage the install of Windows software updates from Windows Update client policies. - -> [!TIP] -> This feature was formerly known as *Windows Update for Business*. - -By using Windows Update client policies, you simplify the update management experience. You don't need to approve individual updates for groups of devices and can manage risk in your environments by configuring an update rollout strategy. With Intune, you can [configure update settings](settings.md) on devices and configure deferral of update installation. You can also prevent devices from installing features from new Windows versions to help keep them stable, while allowing those devices to continue installing updates for quality and security. - -Intune stores only the update policy assignments, not the updates themselves. When you save a policy, Intune passes the configuration details to Windows Update, which then determines which of these updates are offered to each device. Devices access Windows Update directly for the updates. - -Learn more about Windows [*feature* and *quality* updates](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates) in the Windows documentation. - -## Policy types to manage updates - -Intune provides the following policy types to manage updates, which you assign to groups of devices: - -- **Update rings for Windows 10 and later**: This policy is a collection of settings that configures when Windows updates get installed. 
For more information, see [Update rings policy](update-rings.md). - -- **Feature updates for Windows 10 and later**: The [Feature updates](feature-updates.md) policy updates devices to the Windows version that you specify, and then freezes the feature set version on those devices. This version freeze remains in place until you choose to update them to a later Windows version. While the feature version remains static, devices can continue to install quality and security updates that are available for their feature version. - - You can also use Feature updates policy to [upgrade your devices that run Windows 10 to Windows 11](feature-updates.md#upgrade-devices-to-windows-11). - -- **Quality updates for Windows 10 and later**: With Quality updates for Windows 10 and later, also referred to as Expedited updates, you can expedite the install of the most recent security updates on devices that you manage with Microsoft Intune. Expedited install is accomplished without the need to pause or edit your existing monthly servicing policies. For more information, see [Expedite updates policy](expedite-updates.md). - -- **Driver updates for Windows 10 and later**: With Windows Driver Update Management in Microsoft Intune, you can review, approve for deployment and pause deployments of driver updates for your managed Windows devices. Your policies can automatically install the newest recommended driver for you, or wait for an admin to manually approve drivers before they're installed. Intune and the Windows Autopatch take care of the heavy lifting to identify the applicable driver updates for devices that are assigned a driver updates policy. For more information, see [Driver updates policy](driver-updates-policy.md). - -## Policy limitations for Workplace Joined devices - -Microsoft introduced a cloud service as part of the Windows Update product family, [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). 
As a cloud service, Windows Autopatch supports device update capabilities that require a device to have a Microsoft Entra registration (AADJ devices). These capabilities aren't supported with Workplace Join (WPJ) devices. Windows update management on WPJ devices remains supported through core [Windows Update client policies](/windows/deployment/update/waas-manage-updates-wufb) capabilities and the Intune *Update rings for Windows 10 and later* policy type. - -The following Intune policy types for Windows Updates use Windows Autopatch, which prevents their support on WPJ devices: - -- Driver Updates for Windows 10 and later -- Feature Updates for Windows 10 and later -- Quality Updates for Windows 10 and later - -If you support WPJ devices with Intune, the following information can help you understand the differences in capabilities based on policy type, for both WPJ devices and AADJ devices. - -| Capability | Windows Update client policies
via Update Ring policy | Windows Autopatch
via Driver, Feature, and Quality update policies| -|-|-|-| -| **WPJ device support** | Yes | No | -| **AADJ device support** | Yes | Yes | -| **Scan for Updates and Restart schedules** | Yes | Use Update Ring policies to manage schedules | -| **Enforce Update Deadlines** | Yes | Use Update Ring policies to enforce deadlines| -| **Control which updates to install** |***Feature***: Yes
- Defer *all* feature updates by specified days


***Quality***: Yes
- Defer *all* quality updates by specified days

***Drivers***: Yes
- *Allow* or *Block* all *Recommended* drivers
- No support for *Other* drivers | ***Feature***: Yes
- Manage *individual* updates
- Specify *Start Date* or *Gradual Rollout* start and end dates.

***Quality***: Use Update Ring policies



***Drivers***: Yes
- Manage individual *Recommended* and *Other* drivers.

| -| **Pause Updates** | ***Feature***:
- Pause all updates

***Quality***:
- Pause all updates

***Drivers***:
- Block all updates | ***Feature***:
- Pause individual updates

***Quality***:
- Pause individual updates

***Drivers***:
- Pause individual updates | -| **Expedite Quality Update** | No | Yes | -| **Reports - Summary count of devices**:
- Feature updates
- Quality updates | Windows Update for Business reports | Windows Update for Business reports | -| **Reports – Detailed status**:
- Per Update | Windows Update for Business reports | Yes, in Intune | - -## Move from update ring deferrals to feature updates policy - -When using Intune to manage Windows updates, it's possible to use both *update rings* policy with update deferrals, and *feature updates* policy to manage the updates you want to install on devices. If you're using feature updates, we recommend you end use of deferrals as configured in your update rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations. You can continue to use the user experience settings from update rings, as they don't create issues when combined with feature updates policy. - -While nothing prohibits use of both policy types to control which updates can install on a device, there's typically no advantage to doing so. When both policy types apply to a device, the conditions of both policy types must be met (be true) on the device before it's offered an applicable update. This scenario can lead to updates not installing as expected due to a block by one of the policy types. - -### Plan to transition - -Plan to manage the change from using update ring deferrals to feature updates so that the Windows Update service can be ready to deploy the updates you expect. - -- When Intune policies for Windows updates are created or modified, Intune passes the policy details to Windows Update, which then determines the updates that are applicable for each device that's assigned one or more update policies. - -- The process to evaluate updates for devices can take up to 10 minutes to complete, and in some cases might take a bit longer. - -- If a device starts a scan for updates *after* a deferral has been set to zero or removed for the device, but *before* Windows Update completes the processing of the feature updates policy, that device can be offered an update you didn't plan for it to install. 
- -Use the following process to ensure Windows Update has processed your feature updates policy before deferrals are removed. - -#### Switch to feature updates policy - -1. In the Microsoft Intune admin center, create a [feature updates policy](feature-updates.md) that configures your desired Windows version, and assign it to applicable devices. - - After the saved policy is assigned to devices, it will take a few minutes for Windows Update to process the policy. - -2. View the [Windows feature updates (Organizational)](reports.md#use-the-windows-10-feature-updates-organizational-report) report for the feature update policy, and verify devices have a state of **OfferReady** before you proceed. Once all devices show **OfferReady**, Windows Update has completed processing the policy. - -3. After devices are verified to be in the **OfferReady** state you can safely reconfigure the [Update ring policy](update-rings.md), for that same set of devices to change the setting **Feature update deferral period (days)** to a value of **0**. - -## Reporting on updates - -To learn about report options for Update rings policy and Windows feature updates policy, see [Windows update reports](reports.md). - -## Next steps - -- [Use Windows update rings](update-rings.md) -- [Use Windows feature updates](feature-updates.md) -- [Expedite quality updates](expedite-updates.md) -- [Use Windows driver updates policy](driver-updates-policy.md) -- For more information, see [Manage updates using Windows Update client policies](/windows/deployment/update/waas-manage-updates-wufb) in the Windows documentation. diff --git a/intune/device-updates/windows/driver-updates-policy.md b/intune/device-updates/windows/driver-update-policy.md similarity index 58% rename from intune/device-updates/windows/driver-updates-policy.md rename to intune/device-updates/windows/driver-update-policy.md index 2c92ebbe316..abd1dab044d 100644 --- a/intune/device-updates/windows/driver-updates-policy.md 
+++ b/intune/device-updates/windows/driver-update-policy.md 
@@ -1,56 +1,74 @@ --- -title: Create Windows Driver updates policy in Intune -description: Use Microsoft Intune to manage policies that install Windows driver updates on your Intune managed Windows devices. -ms.date: 04/07/2025 +title: Configure Windows Driver Update Policies +description: Learn how to create, approve, deploy, and pause Windows driver updates using Intune policies to keep Windows devices current and stable. +ms.date: 01/13/2026 ms.topic: how-to ms.reviewer: davguy; davidmeb; bryanke -#ms.custom: -ms.collection: -- M365-identity-device-management -- ContentEnagagementFY24 -- sub-updates --- -# Manage policy for Windows Driver updates with Microsoft Intune +# Configure Windows driver update policies -This article can help you use Microsoft Intune to create and manage Windows Driver updates policies for your Windows devices. These policies let you view the available driver updates for devices targeted by policy, approve updates for deployment, or pause the deployment of individual updates. When driver updates are approved, Intune sends the assignments to Windows Update, which manages the update installation on devices based on the policy configuration. +Use Microsoft Intune to create and manage Windows driver update policies for your devices. These policies let you view available driver updates for targeted devices, approve or pause individual updates, and send assignments to Windows Update, which installs updates based on your configuration. -Before creating and deploying driver update policies, review the Windows driver update prerequisites, plan the deployment, and check the frequently asked questions. These subjects are available in the [Windows Driver updates overview article](driver-updates-overview.md#prerequisites). +## Before you begin -After you create driver update policies, plan to review them regularly for newly added driver updates. 
*Recommended* driver updates that are added to policies that support automatic approvals start to deploy without any intervention. However, any other new updates added to your policies aren't installed until an admin manually approves them. +> [!div class="checklist"] +> - Ensure your environment meets the requirements in [Windows driver updates overview](driver-updates.md#prerequisites). +> - Policies for Windows update rings and policies that use the settings catalog can include configurations that block the installation of Windows driver updates. To ensure driver updates aren't blocked, review your policies for configurations that can block the installation. +> - Windows update ring policy: Ensure the *Windows driver* setting is set to *Allow*. +> - Settings catalog policy: In the *Windows Update client policies* category, ensure that *Exclude WU Drivers in Quality Update* is set to *Allow Windows Update drivers*. -Applies to: +## Plan for driver updates +Before creating Windows driver update policies, plan how driver and firmware updates will be evaluated, approved, and deployed across your organization. A well‑defined plan helps reduce deployment risk and ensures that updates are reviewed and released in a controlled manner. +When planning your driver update strategy, consider the following areas: -- Windows +- Approval responsibilities: Identify the individuals or teams responsible for reviewing and approving driver and firmware updates. Determine which updates can be approved automatically and which require manual review based on device role, hardware criticality, and organizational risk tolerance. +- Phased deployments: Plan a staged rollout strategy that deploys driver updates to test groups of devices before broader deployment. Phased deployments help surface compatibility or stability issues early and provide time to pause or block updates before they reach additional devices. 
+- Alignment with update cadences: Consider aligning driver update availability with existing quality and feature update schedules where possible. Coordinating update timing can reduce the frequency of restarts and minimize disruption for end users. +- Policy assignment strategy: Ensure that each device is targeted by only one driver update policy. Assigning a device to multiple driver update policies can result in conflicting approvals or unintended installations. -## Create Windows driver update policies +For general guidance on planning update deployments, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan) in the Windows deployment documentation. + +## Understand driver update approval behavior + +Windows driver update policies let you control which driver updates are allowed to install on managed devices. You can choose between automatic approval of recommended drivers or require manual review for every update. + +### Automatic approval of recommended drivers -Use this procedure to create policies for managing driver updates for groups of devices. +When automatic approval is enabled, the policy automatically approves and deploys each new recommended driver version for devices assigned to the policy. Recommended drivers are typically the latest versions published by the OEM and marked as required. Other available driver versions remain optional and appear as other drivers. -> [!IMPORTANT] -> Policies for Windows update rings and policies that use the settings catalog can include configurations that block the installation of Windows driver updates. To ensure driver updates aren't blocked, review your policies for configurations that can block the installation. -> -> - Windows update ring policy: Ensure the *Windows driver* setting is set to *Allow*. -> - Settings catalog policy: In the *Windows Update client policies* category, ensure that *Exclude WU Drivers in Quality Update* is set to *Allow Windows Update drivers*. 
-> -> By default, both settings use a configuration that *allow* Windows driver updates. +- When a newer recommended driver becomes available, Intune automatically adds it to the policy and moves the previously recommended version to the other drivers list. Previously approved drivers remain approved. +- If multiple approved versions exist, Windows Update installs only the latest approved version that is newer than the one currently installed. +- When devices are managed by Windows Autopatch, if the latest approved version is paused, Autopatch offers the next most recent approved version to ensure a previously approved, known‑good driver remains available for installation. -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Driver updates** tab, and select **Create profile**. +### Manual approval of drivers - :::image type="content" source="./images/driver-updates-policy/view-update-list-1.png" alt-text="A screen capture of the admin center that shows the path to create a profile for Windows Driver Updates." lightbox="./images/driver-updates-policy/view-update-list-1.png"::: +When manual approval is required, administrators must explicitly approve each driver update before it can be deployed. Newly available driver versions are automatically added to the policy but remain inactive until approved. -2. On the **Basics** page, enter the following properties: +- When a new recommended driver becomes available, the policy indicates that drivers are pending review, prompting you to decide whether to approve deployment. + +### Manage approved drivers + +You can edit a driver update policy at any time to manage which drivers are approved. Individual driver updates can be paused to stop deployment to new devices and later reapproved to resume installation. 
+ +Regardless of approval mode, only approved drivers can install, and Windows Update installs only the latest available approved version that is newer than the currently installed driver. + +## Create Windows driver update policies + +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows updates** +1. Select the **Driver updates** tab, and select **Create profile**. +1. On the **Basics** page, enter the following properties: - **Name**: Enter a descriptive name for the profile. Name profiles so you can easily identify them later. - **Description**: Enter a description for the profile. This setting is optional but recommended. -3. On **Settings**, configure the approval method for device updates in this policy. Select one of the following options for **Approval method**: +1. On **Settings**, configure the approval method for device updates in this policy. Select one of the following options: - - **Manually approve and deploy driver updates** - With this option, each new driver update that is added to the policy has its status set to *Needs review*. An admin must edit the policy to change the status of each individual update to *Approved* before that update can deploy to applicable devices. + - **Manually approve and deploy driver updates**: With this option, each new driver update that is added to the policy has its status set to *Needs review*. An admin must edit the policy to change the status of each individual update to *Approved* before that update can deploy to applicable devices. When you manually approve an update, you can specify a date on which it becomes available for Windows Update to install on applicable devices. This date is distinct from the deferral period that is required for automatically approved updates in policies that use automatic approvals. 
- - **Automatically approve all recommended driver updates** – With this option, all new *recommended* driver updates that are added to the policy are added with a status of *Approved* and begin to install on applicable devices without having to be reviewed or approved by an admin. + - **Automatically approve all recommended driver updates**: With this option, all new *recommended* driver updates that are added to the policy are added with a status of *Approved* and begin to install on applicable devices without having to be reviewed or approved by an admin. Use an automatic approval policy when you want to ensure the drivers on your devices remain current with an OEMs latest recommended update. 
@@ -58,21 +76,20 @@ Use this procedure to create policies for managing driver updates for groups of When you set a policy for automatic approvals, you must configure the following setting that creates a deferral period for the automatically approved updates: - - **Make updates available after (days)** – This setting is a deferral period that delays when Windows Update begins to deploy and install the new recommended update that was automatically added to the policy with a status of *Approved*. The delay supports from zero to 30 days and starts from the day the update is added to the policy, not from the date the update was made available or published by the OEM. The deferral is intended to provide you with time to identify and if necessary, pause deployment of the new recommended update. + - **Make updates available after (days)**: This setting is a deferral period that delays when Windows Update begins to deploy and install the new recommended update that was automatically added to the policy with a status of *Approved*. The delay supports from zero to 30 days and starts from the day the update is added to the policy, not from the date the update was made available or published by the OEM. The deferral is intended to provide you with time to identify and if necessary, pause deployment of the new recommended update. For example, consider a driver update policy that uses automatic approvals and has a deferral of three days. On June 1, Windows Autopatch identifies a new recommended driver update that applies to devices with this policy and adds the update to the policy as approved. Due to the deferral period of three days, Windows Update waits to offer this update to any device until June 4, three days after it was added to the policy. If the deferral was set to zero days, Windows Update would begin installing the update on devices immediately. > [!TIP] > After a policy is created, you won't be able to edit the policy to change the approval type. 
If the approval type is automatic, you can edit the value for *Make updates available after (days)*. -4. For **Scope tags**, select any desired scope tags to apply. - -5. For **Assignments**, select the groups that receive the policy. For more information on assigning profiles, see [Assign user and device profiles](../../intune-service/configuration/device-profile-assign.md). Devices must be assigned to this policy and the policy saved before Windows Autopatch can identify the applicable driver updates to add to this policies driver list. +1. On **Scope tags**, select any desired scope tags to apply. +1. On **Assignments**, select the groups that receive the policy. For more information on assigning profiles, see [Assign user and device profiles](../../intune-service/configuration/device-profile-assign.md). Devices must be assigned to this policy and the policy saved before Windows Autopatch can identify the applicable driver updates to add to this policies driver list. > [!TIP] > We recommend that a device be assigned a single policy for driver update policies. Assignment of a device to only one policy helps to prevent the installation of a driver update that is declined in one policy but approved in a second policy. Keep in mind that policies for Windows driver updates don't support options to remove or roll-back driver updates. -6. For **Review + create**, review the policy configuration, and then select **Create**. When you select *Create*, your changes are saved, and the profile is assigned. The profile is also shown in the policy list. +1. On **Review + create**, review the policy configuration, and then select **Create**. When you select *Create*, your changes are saved, and the profile is assigned. The profile is also shown in the policy list. ## Manage and maintain driver update policies 
@@ -102,13 +119,15 @@ When you review the list of driver update policies in the admin center, you can > [!NOTE] > An exception is new *recommended driver* updates that are added to a policy set for automatic approval. Recommended driver updates that are the newest or latest are added to the policy and approved automatically, and their status is never set to *Needs review*. -To look for policies that have new driver updates pending a review, in the admin center go to **Devices** > **Manage updates** > **Windows 10 and later updates** > **Driver Updates** tab. +To look for policies that have new driver updates pending a review: -In the list of Windows driver update policies, review the **Drivers to review** column for entries that indicate there are new updates that have been added to the policy that you might want to review and approve for deployment. In the following screen capture of the *Driver updates* page, two policies have new driver updates. One displays *1 to review* while another displays that it has *3 to review*: +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows updates** +1. Select the **Driver updates** tab +1. In the list of Windows driver update policies, review the **Drivers to review** column for entries that indicate there are new updates that have been added to the policy that you might want to review and approve for deployment. In the following screen capture of the *Driver updates* page, two policies have new driver updates. One displays *1 to review* while another displays that it has *3 to review*: -:::image type="content" source="./images/driver-updates-policy/drivers-to-review.png" alt-text="A screen capture that shows policies that have new drivers to review." lightbox="./images/driver-updates-policy/drivers-to-review.png"::: + :::image type="content" source="./images/driver-update-policy/drivers-to-review.png" alt-text="A screen capture that shows policies that have new drivers to review." 
lightbox="./images/driver-update-policy/drivers-to-review.png"::: -The two policies that have new driver updates won't deploy those new updates until an admin explicitly approves them. You can also review the other policies that haven't received new updates should you seek to modify the approved updates for those policies. + The two policies that have new driver updates won't deploy those new updates until an admin explicitly approves them. You can also review the other policies that haven't received new updates should you seek to modify the approved updates for those policies. Policies continue to display a count of new updates until each update has been *approved* or *declined*. After all the current updates are managed, the count drops to zero (0) until new updates are identified and added to the policy. 
@@ -126,11 +145,11 @@ You can use the *driver list* to review the driver updates that Windows Autopatc The driver list is divided into two tabs: -- **Recommended drivers** – Recommended drivers are the best match for the 'required' driver updates that Windows Update can identify for a device. To be a recommended update, the OEM or driver publisher must mark the update as *required* and the update must be the most recent update version marked as required. These updates are the same ones available through Windows Update and are almost always the most current update version for a driver. +- **Recommended drivers**: Recommended drivers are the best match for the 'required' driver updates that Windows Update can identify for a device. To be a recommended update, the OEM or driver publisher must mark the update as *required* and the update must be the most recent update version marked as required. These updates are the same ones available through Windows Update and are almost always the most current update version for a driver. When an OEM releases a newer update version that qualifies to be the new recommended driver, it replaces the previous update as the recommended driver update. If the older update version is still applicable to a device in the policy, it's moved to the *Other drivers* tab. If the older version was previously approved, it remains approved. -- **Other drivers** – Other driver updates are updates that are available from the original equipment manufacturer (OEM) aside from the current recommended driver update. These updates remain in a policy as long as they're newer than the driver version that's installed on at least one device with the policy. +- **Other drivers**: Other driver updates are updates that are available from the original equipment manufacturer (OEM) aside from the current recommended driver update. These updates remain in a policy as long as they're newer than the driver version that's installed on at least one device with the policy. 
These updates can include: - A previously recommended update was superseded by a newer update version 
@@ -144,22 +163,22 @@ The driver list is divided into two tabs: In the following screen capture, we've opened the policy named*Test Manual* and selected the **Recommended drivers** tab: -:::image type="content" source="./images/driver-updates-policy/recommended-drivers.png " alt-text="A screen capture that shows the recommended drivers tab of a policy." lightbox="./images/driver-updates-policy/recommended-drivers.png"::: +:::image type="content" source="./images/driver-update-policy/recommended-drivers.png " alt-text="A screen capture that shows the recommended drivers tab of a policy." lightbox="./images/driver-update-policy/recommended-drivers.png"::: This policy requires manual approval, and currently has three driver updates that are pending review. For comparison, the following screen capture shows the contents of the *Other drivers* tab for this same policy. -:::image type="content" source="./images/driver-updates-policy/other-drivers.png " alt-text="A screen capture that shows the other drivers tab of a policy." lightbox="./images/driver-updates-policy/other-drivers.png"::: +:::image type="content" source="./images/driver-update-policy/other-drivers.png " alt-text="A screen capture that shows the other drivers tab of a policy." lightbox="./images/driver-update-policy/other-drivers.png"::: Each driver list displays the following details for updates in the policy. Most of the following details are based on information obtained from the driver update from the OEM or driver manufacturer: -- **Driver name** – The driver update name. It's not uncommon for subsequent versions of an update from an OEM or manufacturer to have identical names. Use the update *Version* and *Release date* to differentiate between update instances. -- **Version** - The update version as provided by the OEM or manufacturer. -- **Manufacturer** – The manufacturer of the driver update. 
-- **Driver class** - The driver class is determined from the details authored by the driver publisher, and usually represents the drivers hardware class. This information isn't always easily determined or consistent across updates from different OEM sources or manufacturers. When a driver's class can't be identified, it's assigned to the *Other* hardware class. -- **Release date** – The date the OEM made this driver update available. -- **Status** – The current status of the driver update in this policy. You can modify the status for individual updates by selecting the name of the driver update from the list. There are four status options available for updates: +- **Driver name**: The driver update name. It's not uncommon for subsequent versions of an update from an OEM or manufacturer to have identical names. Use the update *Version* and *Release date* to differentiate between update instances. +- **Version**: The update version as provided by the OEM or manufacturer. +- **Manufacturer**: The manufacturer of the driver update. +- **Driver class**: The driver class is determined from the details authored by the driver publisher, and usually represents the drivers hardware class. This information isn't always easily determined or consistent across updates from different OEM sources or manufacturers. When a driver's class can't be identified, it's assigned to the *Other* hardware class. +- **Release date**: The date the OEM made this driver update available. +- **Status**: The current status of the driver update in this policy. You can modify the status for individual updates by selecting the name of the driver update from the list. There are four status options available for updates: - **Needs review** - **Approved** 
@@ -168,7 +187,7 @@ Each driver list displays the following details for updates in the policy. Most For more information about these four status types and how to manage them in a policy, see [Manage the status of updates](#manage-the-status-of-driver-updates) in this article. -- **Applicable devices** – This number indicates how many devices can install a certain version of an update. The same device can be reported for multiple versions of a driver update from both the *Recommended drivers* and *Other drivers* tabs. Devices report multiple times when there's more than one newer version available for a driver that is still being used by the device. +- **Applicable devices**: This number indicates how many devices can install a certain version of an update. The same device can be reported for multiple versions of a driver update from both the *Recommended drivers* and *Other drivers* tabs. Devices report multiple times when there's more than one newer version available for a driver that is still being used by the device. ### Manage the status of driver updates 
@@ -178,14 +197,14 @@ While viewing a policy [driver list](#identify-policies-with-newly-added-driver- Select the update from the driver list to open its *Manage driver* pane. In the following screen capture, we've selected the first driver update. That driver's *Manage driver* pane is open on the right side. -:::image type="content" source="./images/driver-updates-policy/manage-driver-pane.png" alt-text="A screen capture that shows the Manage driver pane." lightbox="./images/driver-updates-policy/manage-driver-pane.png"::: +:::image type="content" source="./images/driver-update-policy/manage-driver-pane.png" alt-text="A screen capture that shows the Manage driver pane." lightbox="./images/driver-update-policy/manage-driver-pane.png"::: On the *Manage driver* pane, you can: 1. Confirm the name of the driver update. -2. View the update's status. The update in the screen capture has a status of *Needs review*. -3. View a count of devices that have installed this update version. Because this driver update version isn't yet approved and hasn't been installed on devices, this count displays *N/A* for *Not applicable*. -4. Select the dropdown box for *Actions* where you can choose an action to change the update's status. The options for a new driver update include *Declined* and *Approve*. +1. View the update's status. The update in the screen capture has a status of *Needs review*. +1. View a count of devices that have installed this update version. Because this driver update version isn't yet approved and hasn't been installed on devices, this count displays *N/A* for *Not applicable*. +1. Select the dropdown box for *Actions* where you can choose an action to change the update's status. The options for a new driver update include *Declined* and *Approve*. **The following are rules for managing the status of a driver update**: 
@@ -246,22 +265,23 @@ Bulk driver updates allow the user to approve, pause, or decline multiple driver #### How to use bulk driver updates -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Driver updates** tab, and select an existing policy. If you need to create a new policy, see [Create Windows driver update policies](#create-windows-driver-update-policies). -2. In the Driver Updates page, select **Bulk actions**. +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows updates** +1. Select the **Driver updates** tab, and select an existing policy. If you need to create a new policy, see [Create Windows driver update policies](#create-windows-driver-update-policies). +1. In the Driver Updates page, select **Bulk actions**. - :::image type="content" source="./images/driver-updates-policy/bulk-actions.png" alt-text="A screen capture that shows the bulk actions button." lightbox="./images/driver-updates-policy/bulk-actions.png"::: + :::image type="content" source="./images/driver-update-policy/bulk-actions.png" alt-text="A screen capture that shows the bulk actions button." lightbox="./images/driver-update-policy/bulk-actions.png"::: -3. In the **Select action** tab, select one of the actions from the **Driver actions** drop-down list; *Approve*, *Pause* or *Decline* multiple drivers. -4. If you select an action that needs further information, for example, if you select *Approve*, then you also need to select the start date using **Make available in Windows update**. Select **Next**. -5. In the **Select drivers** tab, use **Select drivers to include** to see and select the available drivers. The **Select available drivers** fly-out appears. +1. 
In the **Select action** tab, select one of the actions from the **Driver actions** drop-down list; *Approve*, *Pause* or *Decline* multiple drivers. +1. If you select an action that needs further information, for example, if you select *Approve*, then you also need to select the start date using **Make available in Windows update**. Select **Next**. +1. In the **Select drivers** tab, use **Select drivers to include** to see and select the available drivers. The **Select available drivers** fly-out appears. The displayed list includes drivers that are able to be approved. For example, drivers that have a status of *Paused* or *Needs Review*. This is because you can (re)approve drivers that are *Paused* or have status as *Needs Review*. Drivers that are already approved are filtered out. -6. In the **Select available drivers** fly-out you can also bulk select the drivers. +1. In the **Select available drivers** fly-out you can also bulk select the drivers. > [!NOTE] > You can only select up to 100 drivers at a time. If you select more than a 100 and select **Save**, an error message is displayed. -7. Select **Save** and then **Next**. -8. In the **Review +Save** tab, you can review and save the changes you made. +1. Select **Save** and then **Next**. +1. In the **Review +Save** tab, you can review and save the changes you made. > [!NOTE] > You can't mix actions. For example, you can't *Pause* and *Approve* a set in one action. You must go through each action separately. 
@@ -270,7 +290,15 @@ The displayed list includes drivers that are able to be approved. For example, d The bulk driver updates can help the user to manage the driver updates more efficiently and conveniently. For example, the user can approve all the drivers together before a regular monthly security release and schedule them to start on that day. +## Review and approve new driver updates + +After you create driver update policies, plan to review them regularly for newly added driver updates. *Recommended* driver updates that are added to policies that support automatic approvals start to deploy without any intervention. However, any other new updates added to your policies aren't installed until an admin manually approves them. + ## Next steps -- Use [Windows driver update overview](driver-updates-overview.md) -- Use [Windows driver update reports](reports.md#reports-for-windows-driver-updates-policy) \ No newline at end of file +- [Manage Windows driver updates](driver-updates.md) +- [Reports for Windows driver update policies](driver-updates-reports.md) + + + +[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431 \ No newline at end of file diff --git a/intune/device-updates/windows/driver-updates-faq.yml b/intune/device-updates/windows/driver-updates-faq.yml new file mode 100644 index 00000000000..85464044ad3 --- /dev/null +++ b/intune/device-updates/windows/driver-updates-faq.yml 
@@ -0,0 +1,150 @@
+### YamlMime:FAQ
+metadata:
+ title: Frequently Asked Questions About Windows Driver Update Policies
+ description: This article provides answers to some frequently asked questions about Windows Driver Update Policies.
+ ms.date: 01/06/2026
+ ms.topic: faq
+
+title: |
+ Windows Driver Update Policies FAQs
+summary: |
+ This article addresses frequently asked questions about Windows driver update policies in Microsoft Intune.
+
+sections:
+ - name: Policy basics
+ questions:
+ - question: What drivers are available to be managed?
+ answer: |
+ Any driver updates that are currently published to Windows Update and applicable to one or more devices in the policy are available through driver update policies.
+ - question: Where can I learn more about the available drivers?
+ answer: |
+ You can get more information about drivers by copying the name and searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com) website.
+ - question: Do driver update policies update drivers for plug-in devices?
+ answer: |
+ Yes, if the driver updates are published to Windows Update by the OEM vendor.
+ - question: Which driver updates can users see?
+ answer: |
+ After a device is assigned to a driver update policy, optional drivers aren't shown to the user. When the admin approves a driver update, it effectively becomes *required* and installs the next time the device scans for updates.
+
+ - name: Policy configuration
+ questions:
+ - question: Do policies for driver updates support assignment filters?
+ answer: |
+ No. Driver Updates aren't currently supported with assignment filters.
+ - question: Can I manage a device through multiple driver update policies?
+ answer: |
+ While the use of multiple policies per device is supported, we don't recommend doing so. Instead, we recommend adding devices to a single policy to avoid confusion about whether a driver for a device is or isn't approved.
+
+ Consider a device that receives driver updates from two policies. In one policy, a specific update is approved and in the other policy, that update is paused. Because the status of *approved* always wins, the driver installs on the device despite any other status for that update that is set in any other policy.
+ - question: Is there a way to set a deadline for drivers?
+ answer: |
+ The Quality Update deadline and grace period settings apply to drivers.
+
+ Here are some more details on when deadlines are applied to drivers:
+
+ - A driver is approved to be made available (manually or automatically) on a date. This is shown as the First Deployment.
+ - On first or initial scan the approved driver is offered to the device. The date the client's update scan initially discovered the update is also the start date and time for the deadline.
+ - The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. See [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines)
+ - question: How do I set deferrals for drivers?
+ answer: |
+ The deferral period set for Quality Updates within the update ring policy does not apply to drivers that are approved using the Driver Update Policy. Instead, use the deferral setting in the Driver policy to set a deferral. In fact, using multiple driver policies with different deferral settings to create driver deployment rings is highly recommended. Remember to only assign a device to one driver policy.
+ > [!NOTE]
+ > The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval.
+
+ - question: Are the user experience settings from an Update Ring policy applied for driver updates?
+ answer: |
+ Yes, user experience settings such as automatic update behavior, active hours, notifications, and so on, are applied for driver updates as well.
+
+ - name: Deployment scenarios
+ questions:
+ - question: Can I apply driver update policies during Windows Autopilot?
+ answer: |
+ No. Driver updates aren't supported during Windows Autopilot at this time.
+ > [!NOTE]
+ > Windows applies critical updates during Windows Autopilot. These updates may include critical driver updates that have not yet been approved by an admin.
+ - question: How do I use driver management if I'm currently using Configuration Manager for updates?
+ answer: |
+ You can continue to use Configuration Manager for updates other than Drivers, or start to move other update types to cloud management in Intune one at a time. To do this, first, enable [cloud attach](../../configmgr/cloud-attach/overview.md) or co-management in your Configuration Manager hierarchy to enroll your managed devices in Intune.
+
+ The recommended and preferred path to embrace cloud based updates is to move the [Windows Update](../../configmgr/comanage/workloads.md#windows-update-policies) workload to Intune. If your organization isn't ready for this, you can use the Driver and Firmware management capability in Intune without moving the workload by completing the following steps:
+
+ > [!NOTE]
+ > The following procedure is supported for Windows 11 devices. For Windows 10 devices, we recommend moving the Windows Update workload in the Configuration Manager co-management settings to Intune. Alternatively, configure the Windows Update workload to the Pilot setting and specify a collection containing the in-scope Windows 10 managed devices.
+
+ 1. Leave the [Windows Update](../../configmgr/comanage/workloads.md#windows-update-policies) workload set to Configuration Manager.
+ 2. Configure your driver policies in Intune to enroll devices and get them ready for management as detailed at [Manage policy for Windows Driver updates with Microsoft Intune](driver-update-policy.md).
+ 3. Configure a domain-based group policy to configure **Windows Update** as the source for **Driver Updates** using the [Specify source for specific classes of Windows Updates policy](/windows/deployment/update/wufb-wsus).
+ > [!NOTE]
+ > Because Configuration Manager uses a local group policy to configure the update source policy, using Intune or a CSP to attempt to configure these same settings result in an undefined and unpredictable device state.
+ 4. Enable [data collection](driver-updates.md#prerequisites) in Intune for devices that you wish to deploy drivers and firmware to.
+ 5. [Optional] Enforce allowing diagnostic data submission using a policy. Diagnostic data submission to Microsoft enables the use of [Windows Update reports for Microsoft Intune](driver-updates-reports.md).
+ > [!NOTE]
+ > By default, diagnostic data submission to Microsoft is allowed on Windows devices. Disabling diagnostic data collection prevents the use of Windows Update reports for Microsoft Intune from reporting any update information for your managed devices.
+
+ Configure the **Allow Diagnostic data** setting to **Optional** or **Required** using a domain-based group policy or Intune. For more information on how to complete this task, go to:
+
+ - [Use Group Policy to manage diagnostic data collection](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#use-group-policy-to-manage-diagnostic-data-collection)
+
+ - [Use MDM to manage diagnostic data collection](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#use-mdm-to-manage-diagnostic-data-collection)
+
+ 6. [Optional] Enable device name collection in diagnostic data. For more information on configuration using a domain-based group policy or Intune, see [Diagnostic data requirements](/windows/deployment/update/wufb-reports-prerequisites#diagnostic-data-requirements).
+
+ > [!NOTE]
+ > Using Intune to configure any of the diagnostic data settings mentioned earlier requires that you move the [Device Configuration](../../configmgr/comanage/workloads.md#device-configuration) co-management workload to Intune.
+
+ You can move Feature update management to the cloud in Intune by configuring a [Feature update](feature-updates.md) policy in Intune and setting the **Feature Updates** setting to **Windows Update** using the [Specify source for specific classes of Windows Updates policy](/windows/deployment/update/wufb-wsus) group policy.
+
+ Using Update Ring policies in Intune for Quality or Feature Updates requires you to move the **Windows Update** workload to Intune.
+
+ - question: What is the Windows Autopatch synchronization frequency?
+ answer: |
+ Intune to Windows Autopatch syncs run each day, and you can use the *Sync* option to run a synchronization on demand. The time to complete a synchronization depends on the device information involved but should usually take only a few minutes to complete.
+
+ Devices sync with the Windows Autopatch service each day when the device runs a Windows Update scan.
+
+ - name: Update behavior and troubleshooting
+ questions:
+ - question: How can I reduce reboots on devices that receive driver updates?
+ answer: |
+ Because it's not always clear in advance when an OEM releases a new update, or if that update requires a reboot, consider a regular pattern of update reviews.
+
+ - For policies with manual approval, when you approve drivers and set an *approval available date*, you can set that date to an event like the monthly Patch Tuesday, or any other time of your choosing.
+ - For policies with automatic approval, you could pause a newly added and then return to approve it. When you reapprove any paused update, you can set an *approval available date*.
+
+ To help mitigate this type of recurring challenge, we're evaluating changes that can mitigate the need to manually coordinate driver updates with *Patch Tuesday* updates.
+ - question: Why has a driver disappeared from the list of available drivers in my policy?
+ answer: |
+ - When an OEM replaces a driver with a new recommended driver, the older driver can be moved to the *Other drivers* category. However, if that older driver is the same version or older than the drivers in use by all devices, that driver is entirely removed from the policy as there are no devices that can install it through driver update policies.
+ - question: How do I remove older drivers from the driver list of my policies?
+ answer: |
+ To ensure that the list of available drivers is up-to-date, drivers with older versions than those already installed across all devices targeted by a policy are no longer applicable. These older drivers are removed from the driver list of previously deployed and active policies. Only drivers that can update the driver version currently installed on a device targeted by a policy remain available in the policy.
+
+ Installing drivers with older versions than those already present on a device isn't possible through driver update management.
+ - question: Why does it take up to 24 hours for the driver update inventory to be returned?
+ answer: |
+ To make driver inventory available, there are several steps that must be completed. The most important is that after the policy is submitted and devices are enrolled for management, Windows Updates must wait for each device to do its daily scan for updates. This process occurs daily, so it can take up to 24 hours for all healthy devices to check in. After this, Intune needs to process the results of the scan to provide the inventory of available driver updates.
+ - question: How quickly are paused updates actually paused?
+ answer: |
+ Pause is a best effort, and when an update is paused, Windows Autopatch removes the approval. However, devices won't know that an update is paused until it's next scan for updates.
+ - If a device hasn't yet scanned for the update, then the paused update isn't offered, and *Pause* works as expected.
+ - If a device scans for updates and discovers an update is paused and that the device is in the process of downloading, installing, or waiting to restart, then Windows Update on the device attempts a "best effort" to remove that driver update from being installed. If it can't halt the installation, the update completes its installation.
+ - If an update completes its installation before the next scan for updates, nothing happens, and the update remains installed.
+ - question: Why do my devices have driver updates installed that didn't pass through an updates policy?
+ answer: |
+ These are likely *extension* drivers, which are "sub drivers" that a main driver can reference to be installed when the main driver is installed or updated. Extension drivers show up in the installed drivers or update history on the device, but aren't directly manageable. Because extension drivers don't function without base drivers, it's safe to allow them to install.
+
+ Plug and Play can also install drivers automatically. When Windows detects new hardware or software (such as a mouse, keyboard, or webcam) without an existing driver, it installs the latest driver to ensure the component functions immediately. After the initial installation, any future updates to these drivers will require approval.
+ - name: Special cases
+ questions:
+ - question: Can I use policy to roll back a driver update?
+ answer: |
+ - No. Windows Update client policies don't currently support driver rollback. While rollback could be scripted, there are too many potential variables to provide a useful sample script for doing so. If you must remove a driver, consider manual methods like PowerShell.
+ To help avoid issues that require rolling back a driver from large numbers of devices, use *deployment rings* to limit driver installation to small initial groups of devices. This approach allows time to evaluate the success or compatibility of a driver before broadly deploying it across your organization.
+ - For policies with manual approvals, you must review and manually approve each driver before it can deploy to devices. While more work than policies with automatic approvals, manual approval can help avoid issues with automatically approved drivers.
+ - If you use policies with automatic approval, plan to monitor the policy for early signs of problems. If a driver update problem is identified in an early deployment ring, you can then pause that same update in your other policies.
+ - question: What about drivers that update a BIOS that is password locked. How does this work?
+ answer: |
+ Updates that are published to Windows Update have a requirement to use a Windows mechanism that enables securely updating the firmware or driver without requiring the BIOS/UEFI to be unlocked.
+ - question: If a vendor has their own app for scanning and installing driver and firmware updates, is there a delay in update availability between their app and Windows Autopatch?
+ answer: |
+ The possibility of a delay depends on the vendor or OEM who determines the availability of their updates. Because driver updates are digitally signed by the same portal before they're published to Windows Updates, driver updates might become available through Windows Update before they become available via the vendors tools.
diff --git a/intune/device-updates/windows/driver-updates-overview.md b/intune/device-updates/windows/driver-updates-overview.md
deleted file mode 100644
index c1da7e78194..00000000000
--- a/intune/device-updates/windows/driver-updates-overview.md
+++ /dev/null
@@ -1,322 +0,0 @@ ---- -title: Learn about Windows Driver updates policy for Windows devices in Intune -description: Learn about using Microsoft Intune policy to manage Windows driver updates. -ms.date: 09/10/2024 -ms.topic: how-to -ms.reviewer: davguy; davidmeb; bryanke -#ms.custom: -ms.collection: -- M365-identity-device-management -- ContentEnagagementFY24 -- sub-updates ---- - -# Windows Driver update management in Microsoft Intune - -With Windows Driver Update Management in Microsoft Intune, you can review, approve for deployment and pause deployments of driver updates for your managed Windows devices. Intune and the Windows Autopatch take care of the heavy lifting to identify the applicable driver updates for devices that are assigned a driver updates policy. Intune and Windows Autopatch sort updates by categories that help you easily identify the recommended driver updates for all devices, or updates that might be considered optional for more limited use. - -Using Windows driver update policies, you remain in control of which driver updates can install on your devices. You can: - -- **Enable automatic approvals of recommended driver updates**. Policies set for automatic approval automatically approve and deploy each new driver update version that is considered a *recommended driver* for the devices assigned to the policy. Recommended drivers are typically the latest driver update published by the driver publisher that the publisher has marked as *required*. Drivers that aren't identified as the current recommended driver are also available as *other drivers*, which can be considered to be optional driver updates. - - Later, when a newer driver update from the OEM is released and identified as the current *recommended* driver update, Intune automatically adds it to the policy and moves the previously recommended driver to the list of other drivers. 
- - > [!TIP] - > An approved recommended driver update that is moved to the *other drivers* list due to a newer recommended driver update becoming available, remains approved. When a newer recommended and approved driver update is available, Windows Autopatch installs only that latest approved version. If the latest approved update version is paused, Autopatch automatically offers the next most recent and approved update version, which is now on the *other drivers* list. This behavior ensures that the last known-good driver update version that was approved can continue to install on devices, while the more recent recommended version remains paused. - - With this policy configuration, you can also choose to review the available updates to selectively approve, pause, or decline *any* update that remains available for devices with the policy. - -- **Configure policy to require manual approval of all updates**. This policy ensures that administrators must approve a driver update before it can be deployed. Newer versions of driver updates for devices with this policy are automatically added to the policy but remain inactive until approved. - -Later, when a newer driver update from the OEM is recommended for a device in the policy, the policy status updates to indicate there are drivers pending your review. This status becomes a call to action to review the policy and decide if you want to approve deployment of the newest drivers to devices. - -- **Manage which drivers are approved for deployment**. You can edit any driver update policy to modify which drivers are approved for deployment. You can pause the deployment of any individual driver update to stop its deployment to new devices, and then later reapprove the paused update to enable Windows Update to resume installing it on applicable devices. - -Regardless of the policy configuration and the drivers included, only approved drivers can install on devices. 
Additionally, Windows Update only installs the latest available and approved update when the version is more recent than the one currently installed on the device. - -Windows driver update management applies to: - -- Windows - -## Prerequisites - -To use Windows Driver Update management, your organization must have the following licenses, subscriptions, and network configurations: - -### Subscriptions - -- **Intune**: Your tenant requires the *Microsoft Intune Plan 1* subscription. - -- **Microsoft Entra ID**: *Microsoft Entra ID Free* (or greater) subscription. - -**Windows subscriptions and licenses**: - -Your organization must have one of the following subscriptions that include a license for Windows Autopatch: - -- Windows Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows Education A3 or A5 (included in Microsoft 365 A3 or A5) -- Windows Virtual Desktop Access E3 or E5 -- Microsoft 365 Business Premium - -*Review your subscription details for applicability to Windows 11*. - -If you're blocked when creating new policies for capabilities that require Windows Autopatch and you get your licenses to use Windows Update client policies through an Enterprise Agreement (EA), contact the source of your licenses such as your Microsoft account team or the partner who sold you the licenses. The account team or partner can confirm that your tenants' licenses meet the Windows Autopatch license requirements. See [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea). - -> [!IMPORTANT] -> [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities. 
- -### Device & Edition requirements - -**Windows editions**: - -Driver updates are supported for the following Windows editions: - -- Pro -- Enterprise -- Education -- Pro for Workstations - -> [!NOTE] -> **Unsupported versions and editions**: -> *Windows Enterprise LTSC*: Feature updates, Driver updates, and Expedited Quality Update policies under Quality updates, available under the **Windows 10 and later** blade don't support the *Long Term Service Channel* (LTSC) release. Plan to use Update rings policies in Intune. - -**Devices must**: - -- Run a version of Windows that remains in support. - -- Be enrolled in Intune MDM and be Hybrid AD joined or Microsoft Entra joined. - -- Have Telemetry turned on and configured to report a minimum data level of *Basic* as defined in [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) in the Windows documentation. - - You can use one of the following Intune device configuration profile paths to configure Telemetry for Windows devices: - - **[Device restriction template](../../intune-service/configuration/device-restrictions-windows-10.md)**: With this profile, set **Share usage data** to **Required**. *Optional* is also supported. - - **[Settings catalog](../../intune-service/configuration/settings-catalog.md)**: From the Settings catalog, add **Allow Telemetry** from the **System** category, and set it to **Basic**. *Full* is also supported. - - For more information about Windows Telemetry settings, including both current and past setting options from Windows, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) in the Windows documentation. - -- The *Microsoft Account Sign-In Assistant* (wlidsvc) must be able to run. If the service is blocked or set to *Disabled*, it fails to receive the update. 
For more information, see [Feature updates aren't being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). By default, the service is set to *Manual (Trigger Start)*, which allows it to run when needed. - -- Have access to the network endpoints required by Intune managed devices. See [Network endpoints](../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices). - -### Enable data collection for reports - -To support reports for Windows Driver updates, you must enable the use of Windows diagnostic data in Intune. It's possible that diagnostic data is already enabled for other reports, like Windows Feature updates and Expedited Quality update reports. -To enable the use of Windows diagnostic data: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Tenant administration** > **Connectors and tokens** > **Windows data**. - -2. Expand *Windows data* and ensure the setting **Enable features that require Windows diagnostic data in processor configuration** is toggled to **On**. - -For more information, see [Enable use of Windows diagnostic data by Intune](../../intune-service/protect/data-enable-windows-data.md). - -### GCC High support - -Intune policy for Driver Updates isn't currently supported with GCC High environments. - -### RBAC requirements - -To manage Windows Driver updates, your account must be assigned an Intune role-based access control (RBAC) role that includes the following permissions: - -- **Device configurations**: - - Assign - - Create - - Delete - - View Reports - - Update - - Read - -You can add the *Device configurations* permission with one or more rights to your own custom RBAC roles or use one the built-in **Policy and Profile manager** role, which includes these rights. 
- -For more information, see [Role-based access control for Microsoft Intune](../../intune-service/fundamentals/role-based-access-control.md). - -### Limitations for Workplace Joined devices - -Intune policies for *Driver updates for Windows 10 and later* require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Where Windows Update client policies supports WPJ devices, Windows Autopatch provides for other capabilities that aren't supported for WPJ devices. - -For more information about WPJ limitations for Intune Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md). - -## Architecture - -:::image type="content" source="./images/driver-updates-overview/wdum-architecture.png" alt-text="A conceptual diagram of Windows Driver Update Management." lightbox="./images/driver-updates-overview/wdum-architecture.png"::: - -**Windows Driver Update Management architecture**: - -1. Microsoft Intune provides the Microsoft Entra IDs and Intune policy settings for devices to Windows Autopatch. Intune also provides the list of driver approvals and pause commands to Windows Autopatch. -2. Windows Autopatch configures Windows Updates based on the information provided by Intune. Windows Updates provides the applicable driver update inventory per device ID. -3. Devices send data to Microsoft so that Windows Update can identify the applicable driver updates for a device during its regular Windows Update scans for updates. Any approved updates install on the device. -4. Windows Autopatch reports Windows diagnostic data back to Intune for reports. - -## Plan for driver updates - -Before you create policies and manage the approval of drivers in your policies, we recommend constructing a driver update deployment plan that includes team members who can approve driver and firmware updates. 
Subjects to consider include: - -- When to use *automatic* driver approvals vs using *manual* driver approvals. - -- Use of deployment rings for driver update policies to limit installation of new driver updates to test groups of devices before broadly installing those updates on all devices. With this approach, your team can identify potential issues in an early ring before deploying updates broadly. Use of rings can provide you with time to pause a troublesome update in subsequent rings to delay or prevent its deployment. Examples of organizational approaches for rings include: - - - Structuring driver update policies for different device and hardware models, aligned with your organizational units, or a combination of both. - - - Using policy deferral periods for automatic updates and the *make available date* for manually approved updates, to align to your update rings for quality and feature updates schedules. - - You might also set the update availability for manually approved updates to match common update cycles like Microsoft's Patch Tuesday release. Alignment of schedules can help reduce extra system restarts that some driver updates require. - -- Assign devices to only one driver update policy to help prevent a device from having its drivers managed through more than one policy. This can help avoid having a driver installed by one policy when you previously declined or paused that same update in a separate policy. -For more information about planning deployments, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan) in the Windows deployment documentation. - -## Frequently Asked Questions - -### Do policies for driver updates support Assignment Filters? - -- No. Driver Updates aren't currently supported with Assignment Filters. - -### Can I apply driver updates policy during Windows Autopilot? - -- No. Driver Updates aren't supported during Windows Autopilot at this time. 
- -> [!NOTE] -> Windows applies critical updates during Windows Autopilot. These updates may include critical driver updates that have not yet been approved by an admin. - -### Can I use policy to roll back a driver update? - -- No. Windows Update client policies don't currently support driver rollback. While rollback could be scripted, there are too many potential variables to provide a useful sample script for doing so. If you must remove a driver, consider manual methods like PowerShell. - -To help avoid issues that require rolling back a driver from large numbers of devices, use *deployment rings* to limit driver installation to small initial groups of devices. This approach allows time to evaluate the success or compatibility of a driver before broadly deploying it across your organization. - -- For policies with manual approvals, you must review and manually approve each driver before it can deploy to devices. While more work than policies with automatic approvals, manual approval can help avoid issues with automatically approved drivers. -- If you use policies with automatic approval, plan to monitor the policy for early signs of problems. If a driver update problem is identified in an early deployment ring, you can then pause that same update in your other policies. - -### Can I manage a device through multiple driver update policies? - -- While the use of multiple policies per device is supported, we don't recommend doing so. Instead, we recommend adding devices to a single policy to avoid confusion about whether a driver for a device is or isn't approved. - - Consider a device that receives driver updates from two policies. In one policy, a specific update is approved and in the other policy, that update is paused. Because the status of *approved* always wins, the driver installs on the device despite any other status for that update that is set in any other policy. - -### How can I reduce reboots on devices that receive driver updates? 
- -- Because it's not always clear in advance when an OEM releases a new update, or if that update requires a reboot, consider a regular pattern of update reviews. - - - For policies with manual approval, when you approve drivers and set an *approval available date*, you can set that date to an event like the monthly Patch Tuesday, or any other time of your choosing. - - For policies with automatic approval, you could pause a newly added and then return to approve it. When you reapprove any paused update, you can set an *approval available date*. - - To help mitigate this type of recurring challenge, we're evaluating changes that can mitigate the need to manually coordinate driver updates with *Patch Tuesday* updates. - -### Why has a driver disappeared from the list of available drivers in my policy? - -- When an OEM replaces a driver with a new recommended driver, the older driver can be moved to the *Other drivers* category. However, if that older driver is the same version or older than the drivers in use by all devices, that driver is entirely removed from the policy as there are no devices that can install it through Driver updates policies. - -### How do I remove older drivers from the driver list of my policies? - -- To ensure that the list of available drivers is up-to-date, drivers with older versions than those already installed across all devices targeted by a policy are no longer applicable. These older drivers are removed from the driver list of previously deployed and active policies. Only drivers that can update the driver version currently installed on a device targeted by a policy remain available in the policy. - - Installing drivers with older versions than those already present on a device isn't possible through driver update management. - -### What is the Windows Autopatch synchronization frequency? - -- Intune to Windows Autopatch syncs run each day, and you can use the *Sync* option to run a synchronization on demand. 
The time to complete a synchronization depends on the device information involved but should usually take only a few minutes to complete. - - Devices sync with the Windows Autopatch service each day when the device runs a Windows Update scan. - -### What drivers are available to be managed? - -- Any driver updates that are currently published to Windows Update and applicable to one or more devices in the policy are available through driver updates policies. - -### What about drivers that update a BIOS that is password locked. How does this work? - -- Updates that are published to Windows Update have a requirement to use a Windows mechanism that enables securely updating the firmware or driver without requiring the BIOS/UEFI to be unlocked. - -### If a vendor has their own app for scanning and installing driver and firmware updates, is there a delay in update availability between their app and Windows Autopatch? - -- The possibility of a delay depends on the vendor or OEM who determines the availability of their updates. Because driver updates are digitally signed by the same portal before they're published to Windows Updates, driver updates might become available through Windows Update before they become available via the vendors tools. - -### Why do my devices have driver updates installed that didn't pass through an updates policy? - -- These are likely *extension* drivers, which are "sub drivers" that a main driver can reference to be installed when the main driver is installed or updated. Extension drivers show up in the installed drivers or update history on the device, but aren't directly manageable. Because extension drivers don't function without base drivers, it's safe to allow them to install. -- Plug and Play can also install drivers automatically. When Windows detects new hardware or software (such as a mouse, keyboard, or webcam) without an existing driver, it installs the latest driver to ensure the component functions immediately. 
After the initial installation, any future updates to these drivers will require approval. - -### How quickly are paused updates actually paused? - -- Pause is a best effort, and when an update is paused, Windows Autopatch removes the approval. However, devices won't know that an update is paused until it's next scan for updates. - - If a device hasn't yet scanned for the update, then the paused update isn't offered, and *Pause* works as expected. - - If a device scans for updates and discovers an update is paused and that the device is in the process of downloading, installing, or waiting to restart, then Windows Update on the device attempts a "best effort" to remove that driver update from being installed. If it can't halt the installation, the update completes its installation. - - If an update completes its installation before the next scan for updates, nothing happens, and the update remains installed. - -### Where can I learn more about the available drivers? - -- You can get more information about drivers by copying the name and searching the catalog.update.microsoft.com website. - -### Do driver updates policies update drivers for plug-in devices? - -- Yes, if the driver updates are published to Windows Update by the OEM vendor. - -### Which driver updates can my device users see? - -- After a device is assigned to a driver update policy, optional drivers aren't shown to the end user. When the admin approves a driver update, it effectively becomes "required" and installs the next time the device scans for updates. - -### How do I use driver management if I'm currently using Configuration Manager for updates? - -You can continue to use Configuration Manager for updates other than Drivers, or start to move other update types to cloud management in Intune one at a time. To do this, first, enable [cloud attach](../../configmgr/cloud-attach/overview.md) or co-management in your Configuration Manager hierarchy to enroll your managed devices in Intune. 
- -The recommended and preferred path to embrace cloud based updates is to move the [Windows Update](../../configmgr/comanage/workloads.md#windows-update-policies) workload to Intune. If your organization isn't ready for this, you can use the Driver and Firmware management capability in Intune without moving the workload by completing the following steps: - -> [!NOTE] -> The following procedure only works and is supported for managed Windows 11 devices. For Windows 10 devices, we recommend moving the Windows Update workload in the Configuration Manager co-management settings to Intune. Alternatively, configure the Windows Update workload to the Pilot setting and specify a collection containing the in-scope Windows 10 managed devices. - - 1. Leave the [Windows Update](../../configmgr/comanage/workloads.md#windows-update-policies) workload set to Configuration Manager. - - 2. Configure your driver policies in Intune to enroll devices and get them ready for management as detailed at [Manage policy for Windows Driver updates with Microsoft Intune](driver-updates-policy.md). - - 3. Configure a domain-based group policy to configure **Windows Update** as the source for **Driver Updates** using the [Specify source for specific classes of Windows Updates policy](/windows/deployment/update/wufb-wsus). - - > [!NOTE] - > Because Configuration Manager uses a local group policy to configure the update source policy, using Intune or a CSP to attempt to configure these same settings result in an undefined and unpredictable device state. - - 4. Enable [data collection](reports.md#configuring-for-client-data-reporting) in Intune for devices that you wish to deploy drivers and firmware to. - - 5. [Optional] Enforce allowing diagnostic data submission using a policy. Diagnostic data submission to Microsoft enables the use of [Windows Update reports for Microsoft Intune](reports.md). - - > [!NOTE] - > By default, diagnostic data submission to Microsoft is allowed on Windows devices. 
Disabling diagnostic data collection prevents the use of Windows Update reports for Microsoft Intune from reporting any update information for your managed devices. - - Configure the **Allow Diagnostic data** setting to **Optional** or **Required** using a domain-based group policy or Intune. For more information on how to complete this task, go to: - - - [Use Group Policy to manage diagnostic data collection](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#use-group-policy-to-manage-diagnostic-data-collection) - - - [Use MDM to manage diagnostic data collection](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#use-mdm-to-manage-diagnostic-data-collection) - - 6. [Optional] Enable device name collection in diagnostic data. For more information on configuration using a domain-based group policy or Intune, see [Diagnostic data requirements](/windows/deployment/update/wufb-reports-prerequisites#diagnostic-data-requirements). - - > [!NOTE] - > Using Intune to configure any of the diagnostic data settings mentioned earlier requires that you move the [Device Configuration](../../configmgr/comanage/workloads.md#device-configuration) co-management workload to Intune. - - You can move Feature update management to the cloud in Intune by configuring a [Feature update](feature-updates.md) policy in Intune and setting the **Feature Updates** setting to **Windows Update** using the [Specify source for specific classes of Windows Updates policy](/windows/deployment/update/wufb-wsus) group policy. - - Using Update Ring policies in Intune for Quality or Feature Updates requires you to move the **Windows Update** workload to Intune. - -### Is there a way to set a deadline for drivers? - -The Quality Update deadline and grace period settings apply to drivers. - -Here are some more details on when deadlines are applied to drivers: - -- A driver is approved to be made available (manually or automatically) on a date. 
This is shown as the First Deployment. -- On first or initial scan the approved driver is offered to the device. The date the client's update scan initially discovered the update is also the start date and time for the deadline. -- The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. See [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines) - -### How do I set deferrals for drivers? - -- The deferral period set for Quality Updates within the Update Rings policy does not apply to drivers that are approved using the Driver Update Policy. Instead, use the deferral setting in the Driver policy to set a deferral. In fact, using multiple driver policies with different deferral settings to create driver deployment rings is highly recommended. Remember to only assign a device to one driver policy. - -> [!NOTE] -> The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval. - -### Are the user experience settings from an Update Ring policy applied for driver updates? - -- Yes, user experience settings such as automatic update behavior, active hours, notifications, and so on, are applied for driver updates as well. - -### Why does it take up to 24 hours for the driver update inventory to be returned? - -- To make driver inventory available, there are several steps that must be completed. The most important is that after the policy is submitted and devices are enrolled for management, Windows Updates must wait for each device to do its daily scan for updates. This process occurs daily, so it can take up to 24 hours for all healthy devices to check in. After this, Intune needs to process the results of the scan to provide the inventory of available driver updates. 
-
-## Next steps
-
-- [Create a Windows driver update policy](driver-updates-policy.md)
-- [Use Windows driver update reports](reports.md#reports-for-windows-driver-updates-policy)
diff --git a/intune/device-updates/windows/driver-updates-reports.md b/intune/device-updates/windows/driver-updates-reports.md
new file mode 100644
index 00000000000..ca4b2f9e872
--- /dev/null
+++ b/intune/device-updates/windows/driver-updates-reports.md
@@ -0,0 +1,118 @@
+---
+title: Reports for Windows Driver Update Policies reports
+description: Learn how to use Intune reports to monitor Windows driver updates for devices assigned to Windows Driver update policies.
+ms.date: 01/12/2026
+ms.topic: how-to
+ms.reviewer: zadvor
+---
+
+# Reports for Windows driver update policies
+
+Intune offers integrated reports to view detailed status for Windows driver updates for devices assigned to Windows Driver update policies. To use these reports, you must first configure the prerequisites and policies that support data collection from devices. These reports are applicable to Windows 10 and Windows 11.
+
+## Before you begin
+
+> [!div class="checklist"]
+> - Ensure your environment meets the requirements in [Manage Windows driver updates](driver-updates.md#prerequisites).
+
+## Accessing driver updates reports
+
+The data in the Intune reports for Windows Driver update policies is used only for these reports and doesn't appear in other Intune reports. The following reports are available:
+
+- Windows Driver updates summary
+- Windows Driver updates report
+- Windows Driver update failures
+
+Select a tab to learn more about each report.
+
+# [**Driver updates summary**](#tab/summary)
+
+The *Windows Driver updates summary* report provides an overview of the status of driver updates across all your Windows Driver update policies.
+
+To access the Windows Driver updates summary report:
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Reports** > **Windows Updates**.
+1. Select the **Summary** tab and find the **Windows Driver updates** section:
+ :::image type="content" source="./images/reports/report-driver-updates-summary.png" alt-text="Screen capture of the Windows Driver Updates summary page." lightbox="./images/reports/report-driver-updates-summary.png":::
+
+This report shows the status of driver updates for each policy. It displays the number of devices that are up-to-date (*Success*), failed (*Error*), paused (*Paused*), etc. for the driver updates in that policy. However, each device is only represented once in a single status column, based on the worst status across all of the updates that apply to that device.
+
+Intune ranks the following statuses in order of priority, from best (Success) to worst (NeedsReview):
+
+- **Success**: All applicable driver updates have installed successfully.
+- **In progress**: At least one update remains in progress, and none have been paused, failed, or worse.
+- **Paused**: At least one update has been paused, but none have failed to install, been cancelled, or are pending review.
+- **Error**: At least one update failed to install, but none are cancelled or pending review.
+- **Cancelled**: At least one update has been declined, but none are pending review.
+- **NeedsReview**: One or more updates are new to the policy and pending review to approve or decline.
+
+For example: A policy might have three applicable driver updates for an assigned device. If one of the three fails to install on that device while the other two updates install successfully, the device is identified by adding one to the *Error* column. Once all three updates install successfully, the device is represented by adding one to the *Success* column and reducing the count of the *Error* column by one.
+
+This report doesn't support drilling in for more details about devices, driver updates, or policy details.
+
+# [**Driver updates**](#tab/updates)
+
+The Windows driver updates report allows you to select a single driver update and view details about the policies in which it's applicable for a device. This report provides information about the driver from all your driver update policies, offering a different perspective than other reports, which only provide details specific to a single policy.
+
+To access the Windows Driver updates report:
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Reports** > **Windows Updates**.
+1. Select the **Reports** tab and select the **Windows Driver Update Report** tile.
+
+In the following screen capture, the report shows details for the driver update *Microsoft: APPLIANCES: 1.0.0.1*.
+
+:::image type="content" source="./images/reports/report-driver-updates-drivers.png" alt-text="Screen capture of the Windows Driver updates report." lightbox="./images/reports/report-driver-updates-drivers.png":::
+
+To change the focus of this report to a different driver:
+
+1. On the **Windows Driver updates** view, select **Select a driver update** to open the **Driver updates** pane.
+1. The *Driver updates* pane displays a list of updates that are approved and applicable for at least one device from across all your driver update policies.
+1. On the Driver updates pane, select a driver, and then **OK** to return to the Windows Driver updates report view that now shows information for the driver you selected, and select **Generate again** to update the report.
+
+In the following screen capture, only four drivers remain applicable to devices with driver update policies, and those four updates are different versions of the same driver update.
+
+:::image type="content" source="./images/reports/report-driver-updates-pane.png" alt-text="Screen capture of Driver Updates pane of a driver update policy." lightbox="./images/reports/report-driver-updates-pane.png":::
+
+### Column details
+
+While most of the column details should be clear, the following warrant some explanation:
+
+- **Update State**: This column presents the most recent status of the selected driver update, as reported by each device to which it applies. Further details can be found in the *Update Substrate* column.
+ - **Cancelled**: The update was paused in the policy that applies to this device.
+ - **Offering**: The update is approved, but the device hasn't yet installed it.
+ - **Installed**: The update installed successfully.
+ - **Needs attention**: There's an installation issue for the update on this device.
+- **Policy**: This column identifies the name of the policy in which the update was approved.
+- **Last Scan Time**: This column provides insight into when a device last checked for updates. This can help explain why approved updates haven't installed. For instance, if the last scan time is several weeks old, it may indicate that the device is either offline or unable to connect to scan for updates.
+
+# [**Update failures**](#tab/failures)
+
+Windows driver updates include a report on driver update failures.
+
+To access the Windows Driver update failures report:
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Monitor** > **Driver update policies with alerts**.
+1. When you select the report, you can view a list of your update policies and see a count of devices in each policy that have at least one driver update error.
+
+By selecting that policy and entry, you can then view more information about the error, including:
+
+- Device Name
+- Driver Name
+- Driver Class
+- Alert Message
+- Deployment Error Code
+- UPN
+- Intune Device ID
+
+---
+
+## Data retention
+
+As devices across all your updates policies install the latest versions of a driver update, older driver update versions that are no longer needed by any device drops off the driver updates list. However, this isn't necessarily an immediate event. Reporting data for driver updates remains available until the end of a data retention period is reached. This period is six months since the last time an event for the update is received.
+
+- If the update is approved and all applicable devices have installed the update, then six months after the last device updates is status, the update is removed from reporting details.
+- Similarly, if an update is paused and shows no activity for the retention period, that update is also dropped from reporting details after six months. After an updates data ages out, if a paused update that remains applicable to a device is reapproved, subsequent status for that update begins to appear in reports. Previous data that aged out of reports won't be restored or available.
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
\ No newline at end of file
diff --git a/intune/device-updates/windows/driver-updates.md b/intune/device-updates/windows/driver-updates.md
new file mode 100644
index 00000000000..ad391689fe3
--- /dev/null
+++ b/intune/device-updates/windows/driver-updates.md
@@ -0,0 +1,43 @@
+---
+title: Manage Windows Driver Updates
+description: Learn how to manage Windows driver updates using Intune driver update policies to keep Windows devices current and stable.
+ms.date: 01/14/2026
+ms.topic: how-to
+ms.reviewer: davguy; davidmeb; bryanke
+---
+
+# Manage Windows driver updates
+
+Windows driver updates provide updated device drivers and firmware that help ensure hardware compatibility, stability, and performance. These updates are released by device manufacturers and can include fixes for reliability issues, security vulnerabilities, and support for new hardware capabilities. Because driver updates can vary by device model and hardware configuration, organizations often prefer a more controlled approval process.
+
+In Microsoft Intune, Windows driver updates are managed through **driver update policies**, which provide a dedicated policy surface for reviewing, approving, and deploying driver updates to managed devices. This policy is built on cloud‑based update orchestration and works alongside other Windows update policies, such as feature updates and quality updates. Driver update policies can be used independently or as part of Windows Autopatch. Client‑side install behavior—such as restarts and user notifications—continues to be governed by standard Windows Update policy settings.
+
+Driver update policies support **automatic or manual approval workflows**, allowing you to choose whether recommended drivers are deployed automatically or require administrator review before installation. This approach helps organizations balance hardware stability, risk management, and operational efficiency while maintaining visibility into which drivers are approved for deployment.
+
+## Prerequisites
+
+[!INCLUDE [prerequisites-network](includes/prerequisites-network.md)]
+[!INCLUDE [prerequisites-cloud](includes/prerequisites-cloud.md)]
+[!INCLUDE [prerequisites-tenant](includes/prerequisites-tenant.md)]
+[!INCLUDE [prerequisites-licensing](includes/prerequisites-licensing.md)]
+[!INCLUDE [prerequisites-platform](includes/prerequisites-platform.md)]
+[!INCLUDE [prerequisites-device-configuration](includes/prerequisites-device-configuration.md)]
+[!INCLUDE [prerequisites-rbac](includes/prerequisites-rbac.md)]
+
+## Architecture
+
+The following diagram illustrates the high‑level architecture for managing Windows driver updates by using Microsoft Intune and Windows Autopatch.
+
+:::image type="content" source="./images/autopatch-ds.png" alt-text="A conceptual diagram of Windows driver update management." lightbox="./images/autopatch-ds.png" border="false":::
+
+1. **Microsoft Intune** provides device identity, assignment, and driver update approval information. Intune sends policy settings, approved drivers, and pause commands to Windows Autopatch.
+1. **Windows Autopatch** uses this information to configure Windows Update behavior for managed devices and to coordinate driver update deployment.
+1. **Windows Update** evaluates device and hardware information to determine which driver updates are applicable, and installs only approved updates during regular update scans.
+1. **Reporting data** collected during update operations is sent through Windows Autopatch and surfaced in Intune reporting.
+
+This architecture allows administrators to approve and control driver updates centrally in Intune while relying on Windows Update and Autopatch to determine applicability and handle installation.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to configure driver update policies](driver-update-policy.md)
diff --git a/intune/device-updates/windows/expedite-policy.md b/intune/device-updates/windows/expedite-policy.md
new file mode 100644
index 00000000000..4edd33b1e0f
--- /dev/null
+++ b/intune/device-updates/windows/expedite-policy.md
@@ -0,0 +1,225 @@ +--- +title: Expedite Policies for Windows Quality Updates +description: Learn how to use expedite policies in Microsoft Intune to quickly deploy a specific Windows security update, bypass deferrals, and monitor installation status across devices. +ms.date: 01/14/2026 +ms.reviewer: mobattul +ms.topic: how-to +--- + +# Expedite policies for Windows quality updates + +Expedite policies let you accelerate the installation of a specific Windows security update on devices you manage with Microsoft Intune. Expedited updates install as soon as possible, bypassing deferral settings and normal deployment timing, without requiring you to pause or modify your existing monthly update policies. + +You might use an expedite policy to quickly mitigate a critical security vulnerability when your standard update process wouldn't deploy the update soon enough. Expedite policies are designed for targeted, time‑bound scenarios and don't change how future quality updates are deployed. + +Not all updates are eligible for expediting. Only supported Windows security updates can be expedited. To manage regular monthly quality updates, continue using standard Windows Update mechanisms such as update rings or Windows quality update policies. + +## Before you begin + +> [!div class="checklist"] +> - Ensure your environment meets the requirements in [Windows quality updates overview](quality-updates.md#prerequisites). +> - To avoid conflicts or configurations that can block the installation of expedited updates, configure devices as follows. You can use *update ring policies* to manage these settings. +> +> | Update ring setting | Recommended value | +> |---------------------------|-------------------------------------| +> | Enable pre-release builds | This setting should be set to **Not configured**. Preview builds, including the Beta and Dev channels, are not supported with expedited updates. | +> | Automatic update behavior | **Reset to default**.
Other values might cause a poor user experience and slow the process to expedite updates. | +> | Change notification update level | Use any value other than **Turn off all notifications, including restart warnings**. | +> +> For more information about these settings, see [Policy CSP Update](/windows/client-management/mdm/policy-csp-update). +> +> - The following list of Group Policy settings can interfere with Expedited policy. On devices where these settings were managed by Group Policy, restore them to their defaults (Not configured): +> - **CorpWuURL** - Specify intranet Microsoft update service location. +> - **AutoUpdateCfg** - Configure Automatic Updates. +> - **DeferFeatureUpdates** - Select when Preview Builds and Feature Updates are received. +> - **Disable Dual Scan** - Don't allow update deferral policies to cause scans against Windows Update. + +### Update Health Tools + +For **Windows versions earlier than 24H2**, the Update Health Tools are required on devices to support expedited updates. The tools can be installed through [KB4023057](https://support.microsoft.com/topic/fccad0ca-dc10-2e46-9ed1-7e392450fb3a) or manually from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=103324). + +To confirm the presence of the Update Health Tools on a device: + +- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Services* or *Add Remove Programs* for **Microsoft Update Health Tools**. +- As an Admin (or from Intune), run the following PowerShell script: + +```PowerShell +### Check for the Microsoft Update Health Service; if found, no remediation is needed. +if (Get-Service -Name "Microsoft Update Health Service" -ErrorAction SilentlyContinue) { + Write-Host "Microsoft Update Health Service is present." + Exit 0 +} else { + Write-Host "Microsoft Update Health Service is missing." + Exit 1 +} +``` + +If the script returns a `1`, the device has UHS client. 
If the script returns a `0`, the device doesn't have UHS client. + +## How expedited updates work + +When you create an expedite policy, you select a single supported Windows security update to deploy. The update is identified by its release date, which allows one policy to apply across multiple supported Windows versions without creating version‑specific policies. + +After the policy is assigned, Windows Update evaluates each targeted device to determine applicability. Evaluation accounts for the device's current build, architecture, and update state, and Windows Update delivers the appropriate version of the update when required. + +Only devices that need the update receive it: + +- Devices that already have the same update, or a newer applicable update, don't receive the expedited update. +- For devices on earlier builds, Windows Update verifies the update remains applicable before installation. + + > [!IMPORTANT] + > In some scenarios, Windows Update might install a newer update than the one specified in the expedite policy. This behavior ensures devices receive the latest applicable security update. For more information, see About installing the latest applicable update. + +Expedited updates begin installing after the device completes its next update scan and communicates with the service. The time required for installation to start can vary based on factors such as device connectivity, scan timing, and service processing. + +If a restart is required, you can configure a restart deadline that defines how long users have to restart their device before enforcement. Users can restart immediately, schedule a restart, or allow Windows to select a time outside active hours. Notifications inform users of the pending restart and deadline. + +If the device doesn't restart before the deadline, the restart can occur during working hours. For more information, see [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines). 
+ +Expedite policies don't affect how future quality updates are deployed. To manage ongoing monthly servicing, use update ring policies or Windows quality update policies and their deadline settings. + +## Create and assign an expedited quality update + +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows Updates**. +1. Select the **Quality updates**. +1. Select **Create** > **Expedite policy**. +1. In **Settings**, enter the following properties to identify this profile: + + - **Name**: Enter a descriptive name for the profile. + - **Description**: Enter a description for the profile. This setting is optional but recommended. + - From the **Select the quality update you would like to Expedite** dropdown list, select the update that you want to expedite. The list includes only the updates you can expedite. + + > [!TIP] + > Optional Windows quality updates can't be expedited and won't be available. + + When selecting an update: + + - Updates are identified by their release date, and you can select only one update per policy. + - Updates that include the letter **B** in their name identify updates that released as part of a *patch Tuesday* event. The letter B identifies that the update released on the second Tuesday of the month. + - Security updates for Windows that release out of band from a *patch Tuesday* can be expedited. Instead of the letter B, *out-of-band* patch releases have different identifiers. + - When the update deploys, Windows Update ensures that each device that receives the policy installs a version of the update that applies to that devices architecture and its current Windows version, like version 24H2, 25H2, and so on. + + **Non-Security Expedite Updates**: includes quality fixes after the previous B / Security release. Admins can expedite installation of the latest applicable quality update on devices, without waiting for the deferral period. 
+ + - Updates without the word **SecurityUpdate** indicate that it is not a security update. Updates that include the letter **D** in their name identify updates that are released since the latest *patch Tuesday* security week. You might also see 2024.01 OOB Update (*out-of-band* patch releases). [Windows monthly update explained](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-monthly-updates-explained/ba-p/3773544) + - Non-security updates are only shown when it is the most recent release. The drop-down list is updated to display the most recent two security updates, including if one is an out-of-band update. If the most recent non-security update is newer than the newest security update, then the non-security update is also included in the drop-down list. As a result, sometimes two updates are shown, and at other times, three updates are shown. + + > [!TIP] + > For more information, see the blog [Windows update servicing cadence - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-servicing-cadence/ba-p/222376). + + - The non-security expedite updates apply to Windows 11 devices. If Windows 10 devices are assigned to an Expedite policy that sets a **D** release, then those devices are not expedited and show an alert in the following reports. + +1. In **Settings**, configure **If a reboot is required, select the number of days before it's enforced**. For this setting, select how soon after installing the update a device will automatically restart to complete the update installation. You can select from zero to two days. The automatic restart is canceled if a device manually restarts before the deadline. If an update doesn't require a restart, this setting isn't enforced. + + - A setting of **0 days** means that as soon as the device installs the update, the user is notified about the restart and has limited time to save their work. + + > [!IMPORTANT] + > This experience can impact user productivity. 
Consider using it for those devices or updates that must complete and restart the device as soon as possible.
+
+ - A setting of **1 day** or **2 days** provides device users flexibility to manage a restart before it's forced. These settings correspond to an automatic restart delay of 24 or 48 hours after the update installs on the device.
+
+1. In **Assignments**, select **Add groups** and then select device or user groups to assign the policy.
+1. In **Review + create**, select **Create**. After the policy is created, it deploys to assigned groups.
+
+## Identify the latest applicable update
+
+There are some scenarios when your policy to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy. A detailed [example](#example-of-installing-an-expedited-update) of this scenario is provided later in this article.
+
+Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots.
+
+A more recent update is deployed when the following conditions are met:
+
+- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install.
+
+- During the process to expedite an update, the device runs a new scan that detects the newer update.
This can occur due to the timing of:
+ - When the device restarts to complete installation
+ - When the device runs its daily scan
+ - When a new update becomes available
+
+ When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update.
+
+While expedite update policies will override an update deferral for the update version that's specified in the policy, they don't override deferrals that are in place for any other update version.
+
+### Example of installing an expedited update
+
+The following sequence of events provides an example of how two devices, named *Test-1* and *Test-2*, install an update based on a quality update policy that's assigned to the devices.
+
+1. Each month, Intune administrators deploy the most recent Windows quality updates on the fourth Tuesday of the month. This period gives them two weeks after the patch Tuesday event to validate the updates in their environment before they force installation of the update.
+1. On January 19, device *Test-1* and *Test-2* install the latest quality update from the patch Tuesday release on January 12. The next day, both devices are turned off by their users who are each leaving on vacation.
+1. On the February 9, the Intune admin creates policy to expedite installation of the patch Tuesday release **02/09/2025 - 2025.02 B Security Updates for Windows** to help secure company devices against a critical threat that the update resolves. The expedite policy is assigned to a group of devices that includes both *Test-1* and *Test-2*. All devices in that group that are active receive and install the expedited update policy.
+1. On the March 9 patch Tuesday event, a new quality update releases as **03/09/2025 - 2025.03 B Security Updates for Windows**. There are no critical issues that require an expedited deployment of this update, but admins do find a possible conflict.
To provide time to review the possible issue, admins use a Windows update ring policy to create a seven-day deferral policy. All managed devices are prevented from installing this update until March 14.
+1. Now consider the following results for *Test-1* and *Test-2*, based on when each is turned back on:
+
+ - **Test-1** - On March 12, *Test-1* is powered back on, connects to the network, and receives expedited update notifications:
+ 1. Windows Update determines that *Test-1* still needs to expedite the update installation, per policy.
+ 1. Because the March 9 update supersedes the February update, Windows Update could install the March 9 update.
+ 1. There's an active deferral for the March update that won't expire until March 14.
+
+ **Result**: With the deferral policy for the March update still active and blocking installation of that update, *Device-1* installs the February update as configured in policy.
+
+ - **Test-2** - On March 20, *Test-2* is powered back on, connects to the network, and receives expedited update notifications:
+ 1. Windows Update determines that *Test-2* still needs to expedite the update installation, per policy.
+ 1. Because the March 9 update supersedes the February update, Windows Update could install the March 9 update.
+ 1. There's no longer an active deferral for the March update.
+
+ **Result**: With the deferral policy for the March update having expired, *Test-2* installs the more recent March update, skipping over the February update and installing a later update than was specified in policy.
+
+## Manage expedite policies
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows Updates**.
+1. Select the **Quality updates** tab and then select the policy that you want to manage. The policy opens to its **Overview** pane.
+
+From this pane, you can:
+
+- Select **Delete** to delete the policy from Intune.
Deleting a policy removes it from Intune but won't result in the update uninstalling if it has already completed installation. Windows Update will attempt to cancel any in-progress installations, but a successful cancellation of an in-progress install can't be guaranteed.
+- Select **Properties** to modify the deployment. On the *Properties* pane, select **Edit** to open the *Settings*, *Scope tags*, or *Assignments*, where you can then modify the deployment.
+
+## Monitoring and reporting
+
+After you create an expedite policy you can monitor results, update status, and errors from the following reports. Select each tab to learn more about the reports.
+
+# [**Summary report**](#tab/summary)
+
+This report shows the current status of all devices targeted by an expedite policy and provides an overview of how many devices are installing the update, have completed installation, or have encountered an error.
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Reports** > **Windows Updates**.
+1. On the **Summary** tab you can view the **Windows Expedited Quality updates** table.
+1. To drill in for more information, select the **Reports** tab, and then **Windows Expedited Update Report**.
+1. Click the link **Select an expedited update profile**.
+1. From the list of profiles that is shown on the right side of the page, select a profile to see results.
+1. Select the **Generate report** button.
+
+# [**Device report**](#tab/device)
+
+This report can help you find devices with alerts or errors and can help you troubleshoot update issues.
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Monitor**.
+1. In the list of monitoring reports, select **Expedited quality update policies with alerts**.
+1. From the list of profiles, select a profile to see results.
+
+### Update states
+
+| Update State | Update SubState | Definition |
+|--------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Pending | Validating | The device has been added to the policy in the service and validation that the device can be expedited has begun. |
+| Pending | Scheduled | Device has passed validation and will be expedited. |
+| Offering | OfferReady | The expedite instructions have been sent to the device. |
+| Installing | OfferReceived | Device scanned against Windows Update and the update is applicable but hasn't yet begun to download. |
+| Installing | DownloadStart | The device has begun to download the update. |
+| Installing | DownloadComplete | The device has downloaded the update. |
+| Installing | InstallStart | The device has begun to install the update. |
+| Installing | InstallComplete | The device has completed installing the update. Unless the update has an update error, the device should move quickly to *RestartRequired* or *UpdateInstalled*. |
+| Installing | RestartRequired | The installation is complete and requires a restart. |
+| Installing | RestartInitiated | The device has begun a restart. |
+| Installing | RestartComplete | The device has completed the restart. |
+| Installed | UpdateInstalled | Update has successfully completed. |
+
+## Next steps
+
+- Configure [update ring policies](update-rings.md)
+- Configure [feature update policies](feature-update-policy.md)
+- View [Windows release information](/windows/release-information/)
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
diff --git a/intune/device-updates/windows/expedite-updates.md b/intune/device-updates/windows/expedite-updates.md
deleted file mode 100644
index 4b106e7dbee..00000000000
--- a/intune/device-updates/windows/expedite-updates.md
+++ /dev/null
@@ -1,322 +0,0 @@ ---- -title: Use Intune to expedite Windows quality updates -description: Use Microsoft Intune policy to expedite the installation of Windows updates on managed devices as soon as possible. -ms.date: 02/20/2025 -ms.topic: how-to -ms.reviewer: davguy;bryanke -#ms.custom: -ms.collection: -- M365-identity-device-management -- sub-updates ---- - -# Expedite Windows quality updates in Microsoft Intune - -With *Quality updates for Windows 10 and Later* policy, you can expedite the installation of the most recent Windows security updates on devices you manage with Microsoft Intune. Deployment of expedited updates is done without the need to pause or edit your existing monthly update policies. For example, you might expedite a specific update to mitigate a security threat when your normal update process wouldn't deploy the update for some time. - -Not all updates can be expedited. Currently, only Windows security updates that can be expedited are available to deploy with Quality updates policy. To manage regular monthly quality updates, use [Update rings for Windows 10 and later policies](update-rings.md). - -## How expedited updates work - -With expedited updates, you can expedite the installation of quality updates like the most recent *patch Tuesday* release or an out-of-band security update for a zero-day flaw. - -Expedited update policies temporarily override deferrals and other settings to install updates as quickly as possible. This process enables devices to start the download and installation of an expedited update without having to wait for the device to check in for updates. - -The actual time required for a device to start an update depends on the device internet connectivity, its scan timing, whether communication channels to the device are functioning, and other factors like cloud-processing time. - -- For each expedited update policy, you select a single update to deploy based on its release date. 
By using the release date, you don't have to create separate policies to deploy different instances of that update to devices that have different versions of Windows. - -- Windows Update evaluates the build and architecture of each device, and then delivers the version of the update that applies. - -- Only devices that need the update receive the expedited update: - - Windows Update doesn't try to expedite the update for devices that already have a revision that's equal to or greater than the update version. - - For devices with a lower build version than the update, Windows Update confirms that the device still requires the update before installing it. - - > [!IMPORTANT] - > In some scenarios, Windows Update can install an update that is more recent than the update you specify in expedite update policy. For more information about this scenario, see [About installing the latest applicable update](#identify-the-latest-applicable-update), later in this article. - -- Expedite update policies ignore and override any quality [update deferral periods](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) for the update version you deploy. You can configure quality updates deferrals by using Intune [Windows update rings](update-rings.md) and the setting for **Quality update deferral period**. - -- When a restart is required to complete installation of the update, the policy helps to manage the restart. In the policy, you can configure a period that users have to restart a device before the policy forces an automatic restart. Users can also choose to schedule the restart or let the device try to find the best time outside of the devices *Active Hours*. Before reaching the restart deadline, the device displays notifications to alert device users about the deadline and includes options to schedule the restart. - - If a device doesn't restart before the deadline, the restart can happen in the middle of the working day. 
For more information on restart behavior, see [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines). - -- Expedited updates are not recommended for normal monthly quality update servicing. Instead, consider using the *deadline settings* from an Update ring for Windows 10 and later policy. For information, see *Use deadline settings* under the user experience settings in [Windows update settings](settings.md#user-experience-settings). - -## Prerequisites - -> [!IMPORTANT] -> This feature isn't supported on GCC and GCC High/DoD cloud environments. -> -> [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities. - -The following are requirements to qualify for installing expedited quality updates with Intune: - -**Licensing**: - -In addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Autopatch: - -- Windows Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows Education A3 or A5 (included in Microsoft 365 A3 or A5) -- Windows Virtual Desktop Access E3 or E5 -- Microsoft 365 Business Premium - -Beginning in November of 2022, the Windows Autopatch license will be checked and enforced. - -If you're blocked when creating new policies for capabilities that require Windows Autopatch and you get your licenses to use Windows Update client policies through an Enterprise Agreement (EA), contact the source of your licenses such as your Microsoft account team or the partner who sold you the licenses. The account team or partner can confirm that your tenants licenses meet the Windows Autopatch license requirements. 
See [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea). - -**Supported Windows versions**: - -- Windows versions that remain in support for Servicing, on x86 or x64 architecture - -Only update builds that are generally available are supported. Preview builds, including the Beta and Dev channels, are not supported with expedited updates. - -**Supported Windows 10/11 editions**: - -- Professional -- Enterprise -- Education -- Pro Education -- Pro for Workstations - -**Devices must**: - -- Be [enrolled in Intune](../../intune-service/fundamentals/deployment-guide-enrollment.md) MDM. - -- Be Microsoft Entra joined, or Microsoft Entra hybrid joined. Workplace Join isn't supported. - -- Have access to endpoints. To get a detailed list of endpoints required for the associated services listed here, see [Network endpoints](../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices). - - - [Windows Update](/windows/privacy/manage-windows-1809-endpoints#windows-update) - - Windows Autopatch - - [Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config): *(Recommended, but not required. Without this access, devices might not expedite updates until their next daily check for updates.)* - -- Be configured to get Quality Updates directly from the Windows Update service. - -- Have the *Update Health Tools* installed, which are installed with [KB 4023057](https://support.microsoft.com/topic/fccad0ca-dc10-2e46-9ed1-7e392450fb3a) or manually from [Microsoft Download - Update Health Tools](https://www.microsoft.com/download/details.aspx?id=103324). - -> [!NOTE] -> Windows 11, version 24H2 and above cannot apply *KB 4023057*, this is applicable only to Windows 11, version 23H2 and below. Upgrading to 24H2 removes *KB 4023057*, so checking for KB installation is no longer needed. 
- -To confirm the presence of the Update Health Tools on a device: - -- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Services* or *Add Remove Programs* for **Microsoft Update Health Tools**. -- As an Admin (or from Intune), run the following PowerShell script: - -```PowerShell -### Check for the Microsoft Update Health Service; if found, no remediation is needed. -if (Get-Service -Name "Microsoft Update Health Service" -ErrorAction SilentlyContinue) { - Write-Host "Microsoft Update Health Service is present." - Exit 0 -} else { - Write-Host "Microsoft Update Health Service is missing." - Exit 1 -} -``` - -If the script returns a 1, the device has UHS client. If the script returns a 0, the device doesn't have UHS client. - -**Device settings**: - -To help avoid conflicts or configurations that can block installation of expedited updates, configure devices as follows. You can use Intune *Update rings for Windows 10 and later* policies to manage these settings. - -| Update ring setting | Recommended value | -|---------------------------|-------------------------------------| -| Enable pre-release builds | This setting should be set to **Not configured**. Preview builds, including the Beta and Dev channels, are not supported with expedited updates. | -| Automatic update behavior | **Reset to default**

Other values might cause a poor user experience and slow the process to expedite updates. | -| Change notification update level | Use any value other than **Turn off all notifications, including restart warnings** | - -For more information about these settings, see [Policy CSP – Update](/windows/client-management/mdm/policy-csp-update). - -Group Policy settings override mobile device management policies, and the following list of Group Policy settings can interfere with Expedited policy. On devices where these settings were managed by Group Policy, restore them to their device defaults (Not configured): - -- **CorpWuURL** - Specify intranet Microsoft update service location. -- **AutoUpdateCfg** - Configure Automatic Updates. -- **DeferFeatureUpdates** - Select when Preview Builds and Feature Updates are received. -- **Disable Dual Scan** - Don't allow update deferral policies to cause scans against Windows Update. - -**Monitoring and reporting**: - -Before you can monitor results and update status for expedited updates, your Intune tenant must enable [data collection](reports.md#configuring-for-client-data-reporting). - -### Limitations for Workplace Joined devices - -Intune policies for *Quality updates for Windows 10 and later* require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Where Windows Update client policies supports WPJ devices, Windows Autopatch provides for additional capabilities that are not supported for WPJ devices. - -For more information about WPJ limitations for Intune Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md) in *Manage Windows software updates in Intune*. - -## Create and assign an expedited quality update - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. 
Select **Devices** > **Manage updates** > **Windows 10 and later updates**> **Quality updates** tab > **Create profile**. - - :::image type="content" source="./images/expedite-updates/create-quality-update-profile.png" alt-text="Screen capture of the Create profile UI."::: - -3. In **Settings**, enter the following properties to identify this profile: - - - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. - - - **Description**: Enter a description for the profile. This setting is optional but recommended. - -4. In **Settings**, configure **Expedite installation of quality updates if device OS version less than**. Select the update that you want to expedite from the drop-down list. The list includes only the updates you can expedite. - - > [!TIP] - > Optional Windows quality updates can't be expedited and won't be available to select. - - :::image type="content" alt-text="Screen capture of update selection UI." source="./images/expedite-updates/select-update.png" lightbox="./images/expedite-updates/select-update.png"::: - - When selecting an update: - - - Updates are identified by their release date, and you can select only one update per policy. - - - Updates that include the letter **B** in their name identify updates that released as part of a *patch Tuesday* event. The letter B identifies that the update released on the second Tuesday of the month. - - - Security updates for Windows that release out of band from a *patch Tuesday* can be expedited. Instead of the letter B, *out-of-band* patch releases have different identifiers. - - - When the update deploys, Windows Update ensures that each device that receives the policy installs a version of the update that applies to that devices architecture and its current Windows version, like version 1809, 2004, and so on. - - **Non-Security Expedite Updates**: includes quality fixes after the previous B / Security release. 
Admins can expedite installation of the latest applicable quality update on devices, without waiting for the deferral period. - - - Updates without the word **SecurityUpdate** indicate that it is not a security update. Updates that include the letter **D** in their name identify updates that are released since the latest *patch Tuesday* security week. You might also see 2024.01 OOB Update (*out-of-band* patch releases). [Windows monthly update explained](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-monthly-updates-explained/ba-p/3773544) - - - Non-security updates are only shown when it is the most recent release. The drop-down list is updated to display the most recent two security updates, including if one is an out-of-band update. If the most recent non-security update is newer than the newest security update, then the non-security update is also included in the drop-down list. As a result, sometimes two updates are shown, and at other times, three updates are shown. - - > [!TIP] - > For more information, see the blog [Windows update servicing cadence - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-servicing-cadence/ba-p/222376). - - - The non-security expedite updates apply to Windows 11 devices. If Windows 10 devices are assigned to an Expedite policy that sets a **D** release, then those devices are not expedited and show an alert in the following reports. - - **Reports** > **Windows Updates** > **Reports** Tab > **Windows Expedited Update Report** - - **Devices** > **Manage updates** > **Windows 10 and later updates** > **Monitor** tab > **Expedited quality update policies** with alerts tile, and click the title. - -5. In **Settings**, configure **Number of days to wait before forced reboot**. For this setting, select how soon after installing the update a device will automatically restart to complete the update installation. You can select from zero to two days. 
The automatic restart is canceled if a device manually restarts before the deadline. If an update doesn't require a restart, this setting isn't enforced. - - - A setting of **0 days** means that as soon as the device installs the update, the user is notified about the restart and has limited time to save their work. - - > [!IMPORTANT] - > This experience can impact user productivity. Consider using it for those devices or updates that must complete and restart the device as soon as possible. - - - A setting of **1 day** or **2 days** provides device users flexibility to manage a restart before it's forced. These settings correspond to an automatic restart delay of 24 or 48 hours after the update installs on the device. - - :::image type="content" alt-text="Screen capture of selecting days before forced reboot." source="./images/expedite-updates/select-reboot-time.png" lightbox="./images/expedite-updates/select-reboot-time.png"::: - -6. In **Assignments**, select **Add groups** and then select device or user groups to assign the policy. - -7. In **Review + create**, select **Create**. After the policy is created, it deploys to assigned groups. - -## Identify the latest applicable update - -There are some scenarios when your policy to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy. A detailed [example](#example-of-installing-an-expedited-update) of this scenario is provided later in this article. - -Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots. 
- -A more recent update is deployed when the following conditions are met: - -- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install. - -- During the process to expedite an update, the device runs a new scan that detects the newer update. This can occur due to the timing of: - - When the device restarts to complete installation - - When the device runs its daily scan - - When a new update becomes available - - When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update. - -While expedite update policies will override an update deferral for the update version that's specified in the policy, they don't override deferrals that are in place for any other update version. - -### Example of installing an expedited update - -The following sequence of events provides an example of how two devices, named *Test-1* and *Test-2*, install an update based on a *Quality updates for Windows 10 and Later* policy that's assigned to the devices. - -1. Each month, Intune administrators deploy the most recent Windows quality updates on the fourth Tuesday of the month. This period gives them two weeks after the patch Tuesday event to validate the updates in their environment before they force installation of the update. - -2. On January 19, device *Test-1* and *Test-2* install the latest quality update from the patch Tuesday release on January 12. The next day, both devices are turned off by their users who are each leaving on vacation. - -3. On the February 9, the Intune admin creates policy to expedite installation of the patch Tuesday release **02/09/2025 – 2025.02 B Security Updates for Windows** to help secure company devices against a critical threat that the update resolves. 
The expedite policy is assigned to a group of devices that includes both *Test-1* and *Test-2*. All devices in that group that are active receive and install the expedited update policy. - -4. On the March 9 patch Tuesday event, a new quality update releases as **03/09/2025 – 2025.03 B Security Updates for Windows**. There are no critical issues that require an expedited deployment of this update, but admins do find a possible conflict. To provide time to review the possible issue, admins use a Windows update ring policy to create a seven-day deferral policy. All managed devices are prevented from installing this update until March 14. - -5. Now consider the following results for *Test-1* and *Test-2*, based on when each is turned back on: - - - **Test-1** - On March 12, *Test-1* is powered back on, connects to the network, and receives expedited update notifications: - 1. Windows Update determines that *Test-1* still needs to expedite the update installation, per policy. - 2. Because the March 9 update supersedes the February update, Windows Update could install the March 9 update. - 3. There's an active deferral for the March update that won't expire until March 14. - - **Result**: With the deferral policy for the March update still active and blocking installation of that update, *Device-1* installs the February update as configured in policy. - - - **Test-2** - On March 20, *Test-2* is powered back on, connects to the network, and receives expedited update notifications: - 1. Windows Update determines that *Test-2* still needs to expedite the update installation, per policy. - 2. Because the March 9 update supersedes the February update, Windows Update could install the March 9 update. - 3. There's no longer an active deferral for the March update. 
- - **Result**: With the deferral policy for the March update having expired, *Test-2* installs the more recent March update, skipping over the February update and installing a later update than was specified in policy. - -## Manage policies to expedite quality updates - -In the admin center, go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Quality updates** tab and select the policy that you want to manage. The policy opens to its **Overview** pane. - -From this pane, you can: - -- Select **Delete** to delete the policy from Intune. Deleting a policy removes it from Intune but won't result in the update uninstalling if it has already completed installation. Windows Update will attempt to cancel any in-progress installations, but a successful cancellation of an in-progress install can't be guaranteed. - -- Select **Properties** to modify the deployment. On the *Properties* pane, select **Edit** to open the *Settings*, *Scope tags*, or *Assignments*, where you can then modify the deployment. - -## Monitoring and reporting - -Before you can monitor results and update status for expedited updates, your Intune tenant must enable [data collection](reports.md#configuring-for-client-data-reporting). - -After a policy has been created you can monitor results, update status, and errors from the following reports. - -### Summary report - -This report shows the current state of all devices in the profile and provides an overview of how many devices are in progress of installing an update, have completed the installation, or have an error. - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Select **Reports** > **Windows updates**. On the **Summary** tab you can view the **Windows Expedited Quality updates** table. - -3. To drill in for more information, select the **Reports** tab, and then **Windows Expedited Update Report**. - -4. 
Click the link **Select an expedited update profile**. - -5. From the list of profiles that is shown on the right side of the page, select a profile to see results. - -6. Select the **Generate report** button. - -### Device report - -This report can help you find devices with alerts or errors and can help you troubleshoot update issues. - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) - -2. Select **Devices** > **Monitor**. - -3. In the list of monitoring reports, scroll to the Software updates section and select **Windows Expedited update failures**. - -4. From the list of profiles that is shown on the right side of the page, select a profile to see results. - - :::image type="content" alt-text="Example of the device report." source="./images/expedite-updates/device-report.png" lightbox="./images/expedite-updates/device-report.png"::: - -### Update states - -| Update State | Update SubState | Definition | -|------------|------------------|-------------------| -| Pending | Validating | The device has been added to the policy in the service and validation that the device can be expedited has begun. | -| Pending | Scheduled | Device has passed validation and will be expedited. | -| Offering | OfferReady | The expedite instructions have been sent to the device. | -| Installing | OfferReceived | Device scanned against Windows Update and the update is applicable but hasn't yet begun to download. | -| Installing | DownloadStart | The device has begun to download the update. | -| Installing | DownloadComplete | The device has downloaded the update. | -| Installing | InstallStart | The device has begun to install the update. | -| Installing | InstallComplete | The device has completed installing the update. Unless the update has an update error, the device should move quickly to *RestartRequired* or *UpdateInstalled*. | -| Installing | RestartRequired | The installation is complete and requires a restart. 
|
-| Installing | RestartInitiated | The device has begun a restart. |
-| Installing | RestartComplete | The device has completed the restart. |
-| Installed | UpdateInstalled | Update has successfully completed. |
-
-## Next steps
-
-- Configure [Update rings for Windows 10 and later](update-rings.md)
-- Configure [Feature updates for Windows 10 and later](feature-updates.md)
-- Use [Windows update compatibility reports](compatibility-reports.md)
-- View [Windows release information](/windows/release-information/)
diff --git a/intune/device-updates/windows/feature-update-policy.md b/intune/device-updates/windows/feature-update-policy.md
new file mode 100644
index 00000000000..968e35a806d
--- /dev/null
+++ b/intune/device-updates/windows/feature-update-policy.md
@@ -0,0 +1,152 @@
+---
+title: Configure Windows Feature Update Policies
+description: Learn about Windows feature update polies and how to manage them in Microsoft Intune.
+ms.date: 01/14/2026
+ms.topic: how-to
+ms.reviewer: davidmeb; bryanke; davguy
+---
+
+# Configure Windows feature update policies
+
+Feature update policies in Microsoft Intune specify which Windows version devices are eligible to install and keep that version enforced until the policy is changed or removed. Use these policies to target a specific Windows release or to upgrade devices to a newer version according to your deployment plan.
+
+Feature update policies don't downgrade devices. If a device is already running a newer Windows version than the one targeted, the policy doesn't apply and the device continues running its current version. When a feature update installs, the latest applicable monthly quality update is automatically included as part of the upgrade.
+
+Feature update policies remain in effect until you modify or remove them. This behavior differs from pausing feature updates in update rings, which expires automatically after 35 days.
+
+## Before you begin
+
+> [!div class="checklist"]
+> - Ensure your environment meets the requirements in [Windows feature updates overview](feature-updates.md#prerequisites).
+> - Devices won't install a feature update if the targeted Windows version is blocked by a [*safeguard hold*](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds).
+> - Safeguard holds are applied when known issues exist. Once the issue is resolved, the hold is removed and the device can update.
+> - For details about known issues that can result in safeguard holds, see [Windows 11 release information](/windows/release-health/windows11-release-information).
+
+## Create and assign feature update policies
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows**.
+1. 
Select **Windows updates** > **Feature updates**. +1. Select **Create profile**. +1. Under **Deployment settings**: + - Specify a **Name** and an optional **Description** for the feature updates deployment. + - From the **Feature update to deploy** dropdown, select the Windows version you want to deploy. Only versions of Windows that remain in support are available to select. + - Select either: + - **Make available to users as a required update**: the device will automatically install the update based on device settings. + - **Make available to users as an optional update**: selected updates are made available to users as an optional update. The rollout settings still control when the update is available to the device but then the user must choose to install the update before it is installed on the device. This option requires a license for Windows Autopatch. +1. Under **Rollout options**, configure how and when the update is made available to devices that receive this policy. For more information, see [Rollout options for Windows Updates](rollout-options.md). +1. Select **Next** +1. Under **Assignments**, assign the policy to one or more device groups. Select **Next** to continue. +1. Under **Review + create**, review the settings. When ready to save the policy, select **Create**. + +## User experience + +The user experience for feature update policies depends on whether the update is offered as **Optional** or **Required**. + +When a feature update is available as **Optional**, users must open **Windows Update** in device settings to view the update and choose to install it. Users must select **Download** to begin installation. If no action is taken, the update isn't installed unless an administrator later changes the availability to **Required**. + +This experience matches the optional update behavior users see on personal Windows devices. 
It's recommended that administrators notify users through organizational communication channels when an optional feature update is made available. + +### Switching update availability + +Changing update availability affects devices differently depending on their installation state. + +**If an update is changed from Optional to Required:** +- Devices that have already installed the update aren't affected. +- Devices that haven't started installation install the update automatically during the next Windows Update scan. + +**If an update is changed from Required to Optional:** +- Devices that have already completed installation aren't affected. +- Devices that are pending restart typically continue installation as a required update. +- Only devices that haven't started installation, or are early in the installation process, switch to optional behavior. + +## How feature update policies are evaluated + +When a device is targeted by multiple feature update policies, Windows Update evaluates all applicable policies during update scans and determines which feature update to offer. + +Keep the following behavior in mind: + +- Each feature update policy can target only one Windows version. If a device is targeted by multiple policies, it can therefore be eligible for multiple feature updates. +- Windows Update offers only one feature update to a device at a time and always selects the **latest applicable version**. +- Windows 11 feature updates are always considered later versions than Windows 10 feature updates. If a Windows 10 device is targeted by both Windows 10 and Windows 11 feature update policies, the Windows 11 update is offered because upgrading from Windows 10 to Windows 11 is a supported upgrade path. + + +> [!NOTE] +> If two policies target the same feature update version for the same device and one policy is configured as **Required** while the other is **Optional**, the update is offered as **Required**. + +## Manage Winodws feature update policies + +1. 
In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows**. +1. Select **Windows updates** > **Feature updates**. + +For each profile you can view: + +- **Feature Update Version**: The feature update version in the profile. + +- **Assigned**: If the profile is assigned to one or more groups. + +- **Support**: The status of the feature update: + - **Supported**: The feature update version is in support and can deploy to devices. + - **Support Ending** - The feature update version is within two months of its support end date. + - **Not supported**: Support for the feature update has expired and it no longer deploys to devices. + +- **Support End Date**: The end of support date for the feature update version. +> [!NOTE] +> The date provided is for the Enterprise and Education editions of Windows. To find the support dates for other editions supported by Windows Autopatch, see the [Microsoft Product Lifecycle site](https://aka.ms/lifecycle). + +Selecting a profile from the list opens the profiles **Overview** pane where you can: + +- Select **Delete** to delete the policy from Intune and remove it from devices. +- Select **Properties** to modify the deployment. On the *Properties* pane, select **Edit** to open the *Deployment settings or Assignments*, where you can then modify the deployment. + +> [!NOTE] +> The End user update status Last Scanned Time value will return *Not scanned yet* until a user logs on and Update Session Orchestrator (USO) scan is initiated. For more information on the Unified Update Platform (UUP) architecture and related components, see [Get started with Windows Update](/windows/deployment/update/windows-update-overview). + +## Co-management considerations + +If you co-manage devices with Configuration Manager, feature update policies might not immediately take effect on devices when you newly configure the [Windows Update policies workload](../../configmgr/comanage/workloads.md#windows-update-policies) to Intune. 
This delay is temporary but can initially result in devices updating to a later feature update version than is configured in the policy. + +To prevent this initial delay from impacting your co-managed devices: + +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows**. +1. Select **Windows updates** > **Feature updates**. +1. Select **Create profile**. +1. For **Deployment settings**, enter a name and a description for the policy. Then, specify the feature update you want devices to be running. +1. Complete the policy configuration, including assigning the policy to devices. The policy deploys to devices, though any device that already has the version you've selected, or a newer version, won't be offered the update.\ + Monitor the report for the policy. To do so, go to **Reports** > **Windows Updates** > **Reports** tab > **Feature Updates report**. Select the policy you created and then generate the report. +1. Devices that have a state of *OfferReady* or later, are enrolled for feature updates and protected from updating to anything newer than the update you specified in step 3. See [Use the Windows feature updates (Organizational) report](feature-updates-reports.md#accessing-feature-updates-reports). +1. With devices enrolled for updates and protected, you can safely change the *Windows Update policies* workload from Configuration Manager to Intune. See, [Switch workloads to Intune](/configmgr/comanage/how-to-switch-workloads) in the co-management documentation. + +## Move from update ring deferrals to feature update policies + +When managing feature updates in Intune, you can control Windows version availability using either update ring deferrals or feature update policies. If you use feature update policies, Microsoft recommends that you stop using feature update deferrals in update ring policies. + +Combining feature update deferrals with feature update policies adds unnecessary complexity and can delay or block feature updates. 
While update rings can continue to manage user experience settings—such as restart behavior and notifications—feature update policies should be the primary mechanism for controlling which Windows versions devices can install. + +When both policy types apply to a device, Windows Update evaluates the conditions of each policy. If feature update deferrals remain configured, this evaluation can result in unintended blocking or delayed offering of feature updates. + +### Plan the transition + +Plan the transition from update ring deferrals to feature update policies to ensure Windows Update offers the updates you intend. + +When Intune Windows update policies are created or modified, policy details are sent to the Windows Update service, which evaluates update applicability for each device. This evaluation typically completes within 10 minutes, but in some cases can take longer. + +If a device scans for updates after a deferral is removed but before Windows Update finishes processing the feature update policy, the device might be offered a feature update you didn't intend to deploy. + +### Switch to feature update policies + +Use the following process to ensure Windows Update processes the feature update policy before feature update deferrals are removed: + +1. In the Microsoft Intune admin center, create a feature update policy that targets the desired Windows version and assign it to the appropriate devices. After the policy is assigned, allow several minutes for Windows Update to process the policy. +1. Review the [Windows feature updates (Organizational)](feature-updates-reports.md#accessing-feature-updates-reports) report and verify that targeted devices show a state of **OfferReady**. This state indicates that Windows Update has completed policy processing. +1. After all targeted devices report **OfferReady**, update the applicable [update ring policy](update-rings.md) and set **Feature update deferral period (days)** to **0**. 
+
+## Next steps
+
+- [Rollout options for Windows Updates](rollout-options.md)
+- [Reports for Windows Feature Update Policies](feature-updates-reports.md)
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
\ No newline at end of file
diff --git a/intune/device-updates/windows/feature-updates-reports.md b/intune/device-updates/windows/feature-updates-reports.md
new file mode 100644
index 00000000000..90a32a5e559
--- /dev/null
+++ b/intune/device-updates/windows/feature-updates-reports.md
@@ -0,0 +1,192 @@
+---
+title: Reports for Windows Feature Update Policies
+description: Learn about the reports available for Windows feature update policies in Microsoft Intune.
+ms.date: 01/14/2026
+ms.topic: how-to
+ms.reviewer: zadvor
+---
+
+# Reports for feature update policies
+
+Intune offers integrated reports to view detailed Windows update deployment status for devices using feature update policies.
+
+## Before you begin
+
+> [!div class="checklist"]
+> - Ensure your environment meets the requirements in [Feature updates overview](feature-updates.md#prerequisites).
+
+### About reporting data latency
+
+The data for these reports is generated at different times, which depend on the type of data:
+
+- **Service-based data from Windows Update**: This data typically arrives in less than an hour after an event happens in the service. Events include Alerts for a device that can't register with Windows Update (which is viewable in the *Feature update failures report*), to status updates about when Windows Update began offering an update to clients. This data is available without configuring data collection.
+
+- **Client-based data from Intune devices that are configured to send data to Intune**: This data is processed in batches and refreshes every eight hours, but is only available after you configure data collection. The data contains information like when a client doesn't have enough disk space to install an update. This data is also used in the Windows feature updates organizational report to show the various installation steps a device moves through when installing feature updates.
+
+## Accessing feature updates reports
+
+The data in the Intune reports for feature update policies is used only for these reports and doesn't surface in other Intune reports.
+
+- Windows feature updates (Organizational): This report provides an overall view of compliance for devices on a per-policy basis.
+- Feature update failures report (Operational): This report provides details on Alerts - errors, warnings, information, and recommendations - on a per-policy basis to help troubleshoot and optimize your devices. + +Select a tab to learn more about each report. + +# [**Feature updates report**](#tab/organizational) + +This report provides you update installation status that's based on the update state from device and device-specific update details. The data in this report is timely, calls out the device name and state, and other update-related details. This report also supports filtering, searching, paging, and sorting. + +To access the report: + +1. In the [Microsoft Intune admin center][INT-AC], select **Reports** > **Windows Updates**. The default view displays the **Summary** tab: + > [!div class="mx-imgBorder"] + > ![Enable data collection for Intune](./images/reports/windows-updates-summary.png) +1. Select **Windows Feature Update Report**. + - Select on **Select a feature update profile**, select a profile, and then **Generate report**. + - Select **Update status** and **Ownership** to refine the report. + > [!div class="mx-imgBorder"] + > ![Review ownership](./images/reports/windows-feature-updates-by-policy.png) + + The following list identifies the columns that are available in the view: + - **Devices**: The name of the device. + - **UPN**: Intune user identifier (email). + - **Intune Device ID**: Intune device identifier. + - **Microsoft Entra Device ID**: Microsoft Entra identifier for device. + - **Last Event Time**: The last time there was new data, or something happened for the device and update. + - **Update State**: The state of the update for the device. Initial state data is from the service-side, which is the status of the update in the system before it begins to install on the device. When client-side data is available, client-side data is shown, replacing the server-side data. 
+ - **Update Substate**: A low-level detailed version of the Update State. + - **Update Aggregated Status**: A high-level summary of the Update State, like *In progress* or *Error*. + - **Alert Type**: When applicable, Alert Type displays the most recent alert message. + - **Alert Details**: *This column isn't in use.* + - **Last Scan Time**: The last time this device ran a scan for Windows Update. + - **Target Version**: This column is useful in policy reports as it shows the friendly name of the update being targeted on the device. This field can be particularly useful when the [win10 sxs] checkbox is selected to identify when and which devices were determined to be ineligible for the update and are now being targeted with the Win10 update. + + The following information applies to **Update State** and **Update Substate**: + + - **Service-side data**: + - **Pending**: + - **Validation**: The update can't be offered to the device because of a validation issue with the device and Windows Update. + - **Scheduled**: The update isn't ready to be offered to the device but is scheduled for offering at a later date. + - **On hold**: + - **Admin paused**: The update is on hold because the Deployment being paused by an explicit Administrator action. + - **ServicePaused**: The update is on hold because of an automatic action by Windows Update. + - **Canceled**: + - **Admin Cancelled**: The update offer was canceled by explicit Administrator action. + - **Service Cancelled**: The update was canceled by Windows Update for one of the following reasons: + - The *end of service* for the selected content was reached and it's no longer offered by Windows Update. For example, the device might have been added to a deployment after the content's availability expired, or the content reached its end of service date before it could install on the device. + - The deployment content has been superseded for the device. 
This can happen when the device is targeted by another deployment that deploys newer content. For example, one deployment targets the Windows 10 device to install version 2004 and a second deployment targets that same device with version 21H1. In this event, 2004 is superseded by the 21H1 deployment and Windows Update cancels the 2004 deployment to the device. + - **Removed from Deployment**: The update offer was canceled because it was removed from the Deployment by explicit Administrator action. + - **Not Supported** - The update was canceled by Windows Update as the device cannot be found in Azure Entra and is an invalid device. This can happen if the device is not Azure Entra joined or does not have a valid Device ID, Global Device ID. + - **Offering**: + - **OfferReady**: The update is currently being offered to the device by Windows Update. + + - **Client-side data**: + - **On Hold**: + - **Deferred**: Windows Update client policies are causing the device to defer the update being offered. + - **Offering**: + - **Offer Received**: The device scanned against Windows Update (WU) and identifies that the update is applicable but hasn't begun to download it. + - **Installing**: + - **Download Start**: The download process has begun. + - **Download Complete**: The download process has completed. + - **Install Start**: The pre-restart install process has started. + - **Install Complete**: The pre-restart install process has finished. If the update doesn't require a restart, the update process ends here. + - **Restart Required**: A restart is required to finish update. + - **Restart Initiated**: The device has gone into restart. + - **Restart Complete**: The device has come back from restart. + - **Installed**: + - **Update Installed**: The update successfully installed. + - **Uninstalling**: + - **Uninstall**: The device is actively uninstalling the update. 
+ - **Rollback**: A rollback has been initiated to a previous update because of a serious issue during installation. + - **Update Uninstalled**: The update successfully uninstalled. + - **Rollback complete**: A rollback has completed. + - **Cancelled**: + - **User Cancelled**: A user canceled the update. + - **Device Cancelled**: The device canceled the update for a user. This action is usually because the update no longer applies. + + - **Other**: + - **Needs attention**: The device has some issue and needs attention. + +# [**Feature update failures**](#tab/operational) + +The **Feature update failures** operational report provides details for devices that you target with a feature update policy, and that have attempted to install an update. Devices in this report might have an Alert that prevents the device from completing installation of the update. + +This report provides insights to update installation status, including the number of devices with errors. It also supports drilling in for more details to help you troubleshoot issues with the installation. This report supports filtering, searching, paging, and sorting. + +To access the report: + +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Monitor** +1. Under *Software updates*, select **Feature update failures**. + + - The initial view displays a per-profile summary of how many devices have alerts for each of your profiles with the version of Windows that the profile targets: + + > [!div class="mx-imgBorder"] + > ![Per-profile view](./images/reports/update-failures-summary.png) + + - Selecting a profile opens a dedicated view that contains all active Alerts for that profile. 
+ + - While viewing the active alerts for the profile: + + - Select an *Alert Message* to open a pane that displays more details for that alert: + > [!div class="mx-imgBorder"] + > ![Alert message details](./images/reports/alert-message-details.png) + + - Select the device name to open the Device page: + > [!div class="mx-imgBorder"] + > ![View the device page](./images/reports/device-details.png) + +The following list identifies Alert Messages, and suggested remediation actions: + +|Alert Message |Description |Recommendation | +|----|----|----| +| **CancelledByUser** | User canceled the update. | Retry the installation. | +| **DamagedMedia** | The update file or the hard drive is damaged. | Run **Chkdsk /F** on the device with administrator privileges, then retry the update. | +| **DeploymentConflict** | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | Remove the device from any deployments that shouldn't apply. | +| **DeviceRegistrationInvalidAzureADDeviceId**|The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | Check that the device is joined to the Microsoft Entra tenant making the request. | +| **DeviceRegistrationInvalidGlobalDeviceId** | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. | The Microsoft Account Sign-In Assistant (MSA) Service might be disabled, preventing Global Device ID assignment. Check that the MSA Service is running or able to run on the device. | +| **DeviceRegistrationIssue** | The device isn't able to register or authenticate properly with Windows Update. | Check that the device registration information is correct and the device can connect. | +| **DeviceRegistrationNoTrustType** | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. 
| Check that the device is joined in Microsoft Entra ID using your account. If the issue persists, the device might need to be unenrolled from Intune first. | +| **DiskFull** | The installation couldn't complete because the Windows partition is full. | Free up disk space on the Windows partition. Retry the installation. | +| **DownloadCancelled** | Windows Update couldn't download the update because the update server stopped the connection. | Make sure your network is working and retry the download. If it still fails, check your WSUS server or contact support. | +| **DownloadConnectionIssue**| Windows Update couldn't connect to the update server and the update couldn't download. | Make sure your network is working and retry the download. If it still fails, contact support. | +| **DownloadCredentialsIssue**| Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | Retry the download. If it fails again, review your network configuration to make sure that this computer can access the internet. If you need help, contact support. | +| **DownloadIssue** | There was an issue downloading the update. | Retry the installation. | +| **DownloadIssueServiceDisabled** | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | In the Services administration tool, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. If it won't start, check the event log for errors. | +| **DownloadTimeout** | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | Retry the download. If it doesn't succeed, make sure that the update service and payload servers are running normally and that there are no network connectivity issues. 
| +| **EndOfService** | Device is on a version of Windows that has passed its end of service date. | Update device to a version that is currently supported. | +| **EndOfServiceApproaching**| Device is on a version of Windows that is approaching its end of service date. | Update the device to a version that has a longer remaining servicing timeline. | +| **FailureResponseThreshold**| The failure response threshold setting was met for a deployment to which the device belongs. | Consider pausing the deployment and assessing for issues. | +| **FailureResponseThresholdPause** | A deployment to which the device belongs was paused because of its failure response threshold being met. | Review devices that encountered issues. | +| **FileNotFound** | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Download the update again, and then retry the installation. | +| **Incompatible** | The system doesn't meet the minimum requirements to install the update. | Review the *ScanResult.xml* file for **Block Type=Hard**. | +| **IncompatibleArchitecture**| This update is for a different CPU architecture. | Make sure the target operating system architecture matches the host operating system architecture. | +| **IncompatibleServicingChannel** | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | Configure the device's servicing channel to a retail (Generally Available) update channel. | +| **InstallAccessDenied** | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, antimalware, or a backup program is currently scanning. | Retry the installation. | +| **InstallCancelled** | The installation was canceled. | Retry the installation. | +| **InstallFileLocked** | Installer couldn't access a file that is already in use. 
The installer might have tried to replace a file that an antivirus, antimalware, or backup program is currently scanning. | Check the files under the *%SystemDrive%\$Windows.~bt* directory. Retry the installation. | +| **InstallIssue** | There was an issue installing the update. | Run **dism /online /cleanup-image /restorehealth** on the device with administrator privileges, then retry the update. If the commands fail, a reinstall of Windows might be required. | +| **InstallIssueRedirection**| A known folder that doesn't support redirection to another drive might have been redirected to another drive. | Report this issue to Microsoft if this error is encountered more than a once. | +| **InstallMissingInfo** | Windows Update doesn't have information it needs about the update to finish the installation. | Another update might have replaced the one you're trying to install. Check the update, and then try reinstalling it. | +| **InstallOutOfMemory** | The installation couldn't complete because Windows ran out of memory. | Restart Windows, then try the installation again. If it still fails, allocate more memory to the virtual machine, or increase the size of the virtual memory pagefiles. | +| **InstallSetupError** | Windows Setup encountered an error while installing. | Check that the BIOS and drivers are up to date. Retry the download. | +| **InstallSystemError** | A system occurred while installing. | Check that the BIOS and drivers are up to date. Retry the download. | +| **PolicyConflict** | There are client policies (MDM, GP) that conflict with Windows Update settings. | Check that the client policies configured on the device don't conflict with deployment settings. | +| **PolicyConflictDeferral** | The Deferral Policy configured on the device is preventing the update from installing. | Check that the client policies configured on the device don't conflict with deployment settings. 
| +| **PolicyConflictPause** | Updates are paused on the device, preventing the update from installing. | Check that the client policies configured on the device don't conflict with deployment settings. | +| **PostRestartIssue** | Windows Update couldn't determine the results of installing the update. The error is usually false and the update probably succeeded. | If the update you're trying to install isn't available, no action is required. If the update is still available, retry the installation. | +| **RollbackInitiated** | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | Run the [Setup Diagnostics Tool](/windows/deployment/upgrade/setupdiag) on the Device. Don't retry the installation until the impact is understood. | +| **SafeguardHold** | Update can't install because of a known [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds). | View the *Deployment Error Code* column of the report to see the ID of the safeguard hold. Open the Windows release health dashboard at [https://aka.ms/WindowsReleaseHealth](/windows/release-health/) to view information about the active holds, including known issues with the update. | +| **UnexpectedShutdown** | The installation was stopped because a Windows shutdown or restart was in progress. | Ensure the device remains on during Windows installation. | +| **VersionMismatch** | Device is on a version of Windows that wasn't intended by Windows Update. | Confirm whether the device is on the intended version. | +| **WindowsRepairRequired** | The current version of Windows needs to be repaired before it can be updated. | Run the Startup Repair Tool on this device. | +| **WUBusy** | Windows Update can't do this task because it's busy. | Restart Windows. Retry the installation. | +| **WUComponentMissing** | Windows Update might be missing a component or the update file might be damaged. 
| Run **dism /online /cleanup-image /restorehealth** on the device with administrator privileges, and then retry the update. If the commands fail, a reinstall of Windows might be required. | +| **WUDamaged** | Windows Update or the update file might be damaged. | Run **dism /online /cleanup-image /restorehealth** on the device with administrator privileges, and then retry the update. If the commands fail, a reinstall of Windows might be required. | +| **WUDecryptionIssue** | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | Retry the installation. | +| **WUDiskError** | Windows Update encountered an error while reading or writing to the system drive. | Run the Windows Update Troubleshooter on the device. Retry the installation. | +| **WUIssue** | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | Contact support. | + + + + +[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431 \ No newline at end of file diff --git a/intune/device-updates/windows/feature-updates-windows-10.md b/intune/device-updates/windows/feature-updates-windows-10.md new file mode 100644 index 00000000000..8de06951c16 --- /dev/null +++ b/intune/device-updates/windows/feature-updates-windows-10.md 
@@ -0,0 +1,48 @@
+---
+title: Upgrade Devices to Windows 11 Using Feature Updates
+description: Learn how to upgrade Windows 10 devices to Windows 11 using feature updates in Microsoft Intune.
+ms.date: 01/14/2026
+ms.topic: how-to
+ms.reviewer:
+---
+
+# Upgrade devices to Windows 11 using feature updates
+
+You can use feature update policies to upgrade devices that run Windows 10 to Windows 11.
+
+When you use feature update policies to deploy Windows 11, you can target the policy to Windows 10 devices that meet the Windows 11 minimum requirements to upgrade them to Windows 11. Devices that don't meet the requirements for Windows 11 won't install the update and remain at their current Windows 10 version.
+
+Another option is to select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update**, then devices that don't meet the requirements for Windows 11 will get the latest Windows 10 feature update instead.
+
+However, if a Windows 10 device that can't run Windows 11 is targeted with a Windows 11 update, future Windows 10 updates won't be offered to that device automatically. In this case, remove the not eligible device from the Windows 11 policy and assign the device to a Windows 10 feature update policy.
+
+## Prepare to upgrade to Windows 11
+
+The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the [minimum system requirements for Windows 11](/windows/whats-new/windows-11-requirements#hardware-requirements).
+
+You can use [endpoint analytics](../../endpoint-analytics/index.md) to determine which of your devices meet the hardware requirements. If some of your devices don't meet all the requirements, you can see exactly which ones aren't met. To use Endpoint analytics, your devices must be managed by Intune, co-managed, or have the Configuration Manager client with tenant attach enabled.
+
+If you're already using Endpoint analytics, navigate to the [Work from anywhere report](../../endpoint-analytics/work-from-anywhere.md), and select the Windows score category in the middle to open a flyout with aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report. On the Windows tab, you'll see device-by-device readiness information.
+
+## Licensing for Windows 11 versions
+
+Windows 11 includes a license agreement that can be viewed at [https://www.microsoft.com/useterms/](https://www.microsoft.com/useterms/). This license agreement is automatically accepted by an organization that submits a policy to deploy Windows 11.
+
+When you configure a policy in the Microsoft Intune admin center to deploy any Windows 11 version, the Microsoft Intune admin center displays a notice to remind you that by submitting the policy you are accepting the Windows 11 License Agreement terms on behalf of the devices, and your device users. After submitting the feature update policy, users won't see or need to accept the license agreement, making the update process seamless.
+
+This license reminder appears each time you select a Windows 11 build, even if all your Windows devices already run Windows 11. This prompt is provided because Intune doesn't track which devices will receive the policy, and its possible new devices that run Windows 10 might later enroll and be targeted by the policy.
+
+For more information including general licensing details, see the [Windows 11 documentation](/windows/whats-new/windows-11).
+
+## Create policy for Windows 11
+
+To deploy Windows 11, you'll create and deploy a feature update policy just as you might have done previously for a Windows 10 device. It's the [same process](feature-updates.md) though instead of selecting a Windows 10 version, you'll select a Windows 11 version from the *Feature update to deploy* dropdown list. The dropdown list displays both Windows 10 and Windows 11 version updates that are in support.
+
+Also, the admin can choose to deploy the latest Windows 10 update to devices that are not eligible for Windows 11. To enable this feature, the admin must select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update** in the deployment policy. This capability is only available if you choose a Windows 11 version from the *Feature update to deploy* dropdown list, and if the tenant meets the [licensing requirements](feature-updates.md#prerequisites) defined at the beginning of this document.
+
+With this capability, you do not need to create two different deployment policies or two different feature updates. With a single policy, you can get your Windows 10 devices that can't go to Windows 11 to upgrade to the latest Windows 10 version and all the devices that can go to Windows 11 to upgrade to a Windows 11 version that you choose.
+
+You cannot set the checkbox for an existing policy because changing the checkbox value ends the current deployment and starts two new deployments. To change your deployment settings, delete the current feature update policy and create a new policy with the checkbox selected.
+
+- Deploying an older Windows version to a device won't downgrade the device. Devices only install an update when it's newer than the devices current version.
+- Deploying a Windows 11 update to a Windows 10 device that supports Windows 11, upgrades that device.
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 732d0c044a8..569b0686d25 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -1,273 +1,61 @@ --- -title: Configure feature updates policy for Windows devices in Intune -description: Create and manage Intune policy for Windows feature updates. Configure and deploy policy to maintain the Windows feature version of Windows devices you manage with Microsoft Intune. -ms.date: 09/10/2024 +title: Manage Windows Feature Updates +description: Learn how to use Microsoft Intune policies to manage Windows feature updates. +ms.date: 01/14/2026 ms.topic: how-to ms.reviewer: davidmeb; bryanke; davguy -#ms.custom: -ms.collection: -- M365-identity-device-management -- sub-updates --- -# Feature updates for Windows 10 and later policy in Intune +# Manage Windows feature updates -With *Feature updates for Windows 10 and later* in Intune, you can select the Windows [feature update](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates) version that you want devices to remain at. Intune supports setting a feature level to any version that remains in support at the time you create the policy. +Windows feature updates are periodic releases that introduce new Windows capabilities, improvements, and changes to existing functionality. These updates typically ship once per year and represent a full operating system upgrade, such as moving a device from one Windows version to a newer release. Because feature updates can affect user experience, application compatibility, and device readiness, organizations often deploy them using controlled and phased rollouts. -You can also use feature updates policy to [upgrade devices that run Windows 10 to Windows 11](#upgrade-devices-to-windows-11). +In Microsoft Intune, Windows feature updates are managed through **feature update policies**, which provide a dedicated policy surface for controlling which Windows version devices are offered and when that version can install. 
This policy uses cloud‑based update orchestration and can be used alongside other Windows update policies, such as quality updates and driver updates. Depending on your deployment model, feature updates may be managed manually through Intune or automatically through Windows Autopatch. Client‑side update behavior—such as restart experience and installation timing—continues to be influenced by standard Windows Update policy settings, including [update rings](update-rings.md) and [Windows Update client policies](/windows/deployment/update/waas-configure-wufb). -Windows feature updates policies work with your *Update rings for Windows 10 and later* policies to prevent a device from receiving a Windows feature version that's later than the value specified in the feature updates policy. - -When a device receives a policy for Feature updates: - -- The device updates to the version of Windows specified in the policy. A device that already runs a later version of Windows remains at its current version. By freezing the version, the devices feature set remains stable during the duration of the policy. - - > [!NOTE] - > A device won't install an update when it has a *safeguard hold* for that Windows version. When a device evaluates applicability of an update version, Windows creates the temporary safeguard hold if an unresolved known issue exists. Once the issue is resolved, the hold is removed and the device can then update. - > - > - Learn more about [safeguard holds](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) in the Windows documentation for *Feature Update Status*. 
- > - To learn about known issues that can result in a safeguard hold, see the applicable Windows release information and then reference the relevant Windows version from the table of contents for that page: - > - [Windows 11 release information](/windows/release-health/windows11-release-information) - - -- Unlike using *Pause* with an update ring, which expires after 35 days, the Feature updates policy remains in effect. Devices won't install a new Windows version until you modify or remove the Feature updates policy. If you edit the policy to specify a newer version, devices can then install the features from that Windows version. -- The ability to *Uninstall* the Feature update is still honored by the Update Rings. -- You can configure policy to manage the schedule by which Windows Update makes the offer available to devices. For more information, see [Rollout options for Windows Updates](rollout-options.md). -- When a Windows feature update is deployed to a device from the cloud service, the latest monthly quality update is automatically included. +Feature update policies allow you to **lock devices to a specific Windows release** or **target an upgrade to a newer version** while preventing devices from moving beyond that version. This approach helps ensure version compliance, reduce unexpected upgrades, and coordinate OS updates with application readiness and organizational rollout plans. ## Prerequisites -> [!IMPORTANT] -> This feature isn't supported on GCC and GCC High/DoD cloud environments. -> -> [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities. - -The following are prerequisites for Intune's Feature updates for Windows 10 and later: - -- The core functionality of creating and targeting a feature update only requires a license for Intune. 
The core functionality includes creating the policy and selecting a feature update to update devices, using the **Make updates available as soon as possible** option or specifying a start date, and reporting. Capabilities supported by client policies on Professional SKU devices don't require a license. - -- Additional cloud-based functionality requires an additional license. To use a cloud-based capability, in addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Autopatch: - - - Windows Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) - - - Windows Education A3 or A5 (included in Microsoft 365 A3 or A5) - - - Windows Virtual Desktop Access E3 or E5 - - - Microsoft 365 Business Premium - - The cloud-based capabilities requiring the additional license are indicated in the *Create feature update deployment* or policy creation page and include the following items and potentially new features: - - - Gradual rollout: The [Gradual Rollout](rollout-options.md#make-updates-available-gradually) capability is a cloud only feature and includes basic controls for deploying a specified feature update and when to start making the update available to devices. - - [Optional feature updates](#create-and-assign-feature-updates-for-windows-10-and-later-policy) - - Windows 10 (SxS): The Windows 10 (SxS) feature is a cloud-only feature. If you're blocked when creating new policies for capabilities that require Windows Autopatch and you get your licenses to use Windows Update client policies through an Enterprise Agreement (EA), contact the source of your licenses such as your Microsoft account team or the partner who sold you the licenses. The account team or partner can confirm that your tenants licenses meet the Windows Autopatch license requirements. 
See [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea). - -- Devices must: - - Run a version of Windows that remains in support. - - Be enrolled in Intune MDM and be Microsoft Entra hybrid joined or Microsoft Entra joined. - - Have Telemetry turned on, with a minimum setting of [*Required*](../../intune-service/configuration/device-restrictions-windows-10.md#reporting-and-telemetry). - - Devices that receive a feature updates policy and that have Telemetry set to *Not configured* (off), might install a later version of Windows than defined in the feature updates policy. - - Configure Telemetry as part of a [Device Restriction policy](../../intune-service/configuration/device-restrictions-configure.md) for Windows. In the device restriction profile, under *Reporting and Telemetry*, configure the **Share usage data** with a minimum value of **Required**. Values of **Enhanced (1903 and earlier)** or **Optional** are also supported. - - - The *Microsoft Account Sign-In Assistant* (wlidsvc) must be able to run. If the service is blocked or set to *Disabled*, it fails to receive the update. For more information, see [Feature updates aren't being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). By default, the service is set to *Manual (Trigger Start)*, which allows it to run when needed. - - - Have access to endpoints. To get a detailed list of endpoints required for the associated services listed here, see [Network endpoints](../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices). - - [Windows Update](/windows/privacy/manage-windows-1809-endpoints#windows-update) - - Windows Autopatch - -- Enable [data collection](reports.md#configuring-for-client-data-reporting) in Intune for devices that you wish to deploy feature updates. 
- -- Feature updates are supported for the following Windows editions: - - Pro - - Enterprise - - Pro Education - - Education - - Pro for Workstations +[!INCLUDE [prerequisites-network](includes/prerequisites-network.md)] +[!INCLUDE [prerequisites-cloud](includes/prerequisites-cloud.md)] +[!INCLUDE [prerequisites-tenant](includes/prerequisites-tenant.md)] +[!INCLUDE [prerequisites-licensing](includes/prerequisites-licensing.md)] +[!INCLUDE [prerequisites-platform](includes/prerequisites-platform.md)] +[!INCLUDE [prerequisites-device-configuration](includes/prerequisites-device-configuration.md)] +[!INCLUDE [prerequisites-rbac](includes/prerequisites-rbac.md)] - > [!NOTE] - > **Unsupported versions and editions**: - > *Windows Enterprise LTSC*: Windows Update client policies does not support the *Long Term Service Channel* release. Plan to use alternative patching methods, like WSUS or Configuration Manager. +## Plan feature update deployments -### Limitations for Workplace Joined devices +When planning feature update deployments, consider how feature update policies interact with other Windows update settings and services in your tenant. -Intune policies for *Feature updates for Windows 10 and later* require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Where Windows Update client policies supports WPJ devices, Windows Autopatch provides more capabilities that aren't supported for WPJ devices. +### Interaction with update rings -For more information about WPJ limitations for Intune Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md) in *Manage Windows 10 and Windows 11 software updates in Intune*. 
+If a device is targeted by both a feature update policy and an update ring policy, review the update ring configuration to avoid unintended delays: -## Limitations for Feature updates for Windows 10 and later policy +- Set **Feature update deferral period (days)** to **0** so deferrals in update rings don't delay feature updates controlled by the feature update policy. For more information, see [Move from update ring deferrals to feature update policies](feature-update-policy.md#move-from-update-ring-deferrals-to-feature-update-policies). +- Ensure feature updates in the update ring aren't paused. +- Client‑side behaviors such as restart experience, deadlines, and active hours continue to be governed by update rings and Windows Update client settings. -- When you deploy a *Feature updates for Windows 10 and later* policy to a device that also receives an *Update rings for Windows 10 and later* policy, review the update ring for the following configurations: - - We recommend setting the **Feature update deferral period (days)** to **0**. This configuration ensures your feature updates aren't delayed by update deferrals that might be configured in an update ring policy. - - Feature updates for the update ring must be *running*. They must not be paused. +### Deployment timing and enforcement - > [!TIP] - > If you're using feature updates, we recommend you set the Feature update deferral period to *0* in the associated Update Rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations. - > - > For more information, see [Move from update ring deferrals to feature updates policy](configure.md#move-from-update-ring-deferrals-to-feature-updates-policy) +Feature update policies don't apply during Windows Autopilot out‑of‑box experience (OOBE). Instead, they take effect at the first Windows Update scan after provisioning is complete. 
-- Feature updates for Windows 10 and later policies can't be applied during the Windows Autopilot out of box experience (OOBE). Instead, the policies apply at the first Windows Update scan after a device has finished provisioning, which is typically a day. +When devices check in with the Windows Update service, group membership is evaluated against the security groups assigned to feature update policies. Any configured holds are enforced during this evaluation. -- If you co-manage devices with Configuration Manager, feature updates policies might not immediately take effect on devices when you newly configure the [Windows Update policies workload](../../configmgr/comanage/workloads.md#windows-update-policies) to Intune. This delay is temporary but can initially result in devices updating to a later feature update version than is configured in the policy. +Feature update policies also support scheduled and gradual deployments using rollout options. For details on configuring rollout timing, see [Rollout options for Windows Updates](rollout-options.md). - To prevent this initial delay from impacting your co-managed devices: +### Working with Windows Autopatch - 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - 2. Go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Feature updates** tab > **Create profile**. - 3. For **Deployment settings**, enter a meaningful name and a description for the policy. Then, specify the feature update you want devices to be running. - 4. Complete the policy configuration, including assigning the policy to devices. The policy deploys to devices, though any device that already has the version you've selected, or a newer version, won't be offered the update. +Feature update policies can be used on their own or as part of Windows Autopatch. 
In Autopatch‑managed environments, the service uses feature update policies to coordinate controlled and phased OS upgrades. - Monitor the report for the policy. To do so, go to **Reports** > **Windows Updates** > **Reports** tab > **Feature Updates report**. Select the policy you created and then generate the report. - - 5. Devices that have a state of *OfferReady* or later, are enrolled for feature updates and protected from updating to anything newer than the update you specified in step 3. See [Use the Windows 10 feature updates (Organizational) report](reports.md#use-the-windows-10-feature-updates-organizational-report). - 6. With devices enrolled for updates and protected, you can safely change the *Windows Update policies* workload from Configuration Manager to Intune. See, [Switch workloads to Intune](/configmgr/comanage/how-to-switch-workloads) in the co-management documentation. - -- When the device checks in to the Windows Update service, the device's group membership is validated against the security groups assigned to the feature updates policy settings for any feature update holds. - -- Managed devices that receive feature update policy are automatically enrolled with the [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). The service manages the updates a device receives. Microsoft Intune uses this service and works with your Intune policies for Windows updates to deploy feature updates to devices. - - When a device is no longer assigned to any feature update policies, the device remains enrolled in Autopatch. This change allows time to assign the device to a different policy and ensure that in the meantime the device doesn't receive a feature update that wasn't intended. 
- - As a result, when a feature updates policy no longer applies to a device, that device isn't offered any feature update until one of the following happens: +If a device managed by Autopatch is no longer targeted by a feature update policy, the device remains enrolled in Autopatch. This behavior helps prevent unintended upgrades while administrators adjust policy targeting or deployment plans. +As a result, when a feature update policy no longer applies to a device, that device isn't offered any feature update until one of the following happens: - The device is assigned to a new feature update profile. - The device is unenrolled from Intune, which unenrolls the device from feature update management by Autopatch. - You use the [Windows Autopatch graph API](/graph/windowsupdates-enroll) to [remove the device](/graph/api/windowsupdates-updatableasset-unenrollassets) from feature update management. -## Create and assign Feature updates for Windows 10 and later policy - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Select **Devices** > **By platform** > **Windows** > **Windows 10 and later updates** > **Feature updates** tab > **Create profile**. - -3. Under **Deployment settings**: - - a. **Name**, **Description**: Specify a name, and a description (optional). - - b. **Required/Optional updates**: These options are only available when the target version is Windows 11. - - - When the default option **Make available to users as a required update** is selected, the device will automatically install the update based on device settings. - - When the admin selects the option **Make available to users as an optional update**, then the selected updates are made available to users as an optional update. The rollout settings still control when the update is available to the device but then the user must choose to install the update before it is installed on the device. 
- - **What the user sees on their device** - When the admin makes the update available as an **Optional** update, the user must navigate to the **Windows update settings** page to see and choose to install the update. It is recommended to communicate to end users through your communication channels that an optional update is available to them. - When the user navigates to the **Windows update settings** page, they can see and choose to install the update when they're willing to take the update. - Users have to click **Download** to install the update. Otherwise it doesn't get installed until the admin makes it a **Required** update. - It's the same optional update experience that users are familiar with in their personal PCs. - - When the admin switches from **Optional** to **Required**, the following behavior is observed: - - - Updates aren't reinstalled for people who went ahead and opted to install the update back when it was an **Optional** update. - - If a device has not started on an update, the next time the device checks for updates the update is treated and automatically installed as a **Required** update. - - When the admin switches from **Required** to **Optional**, the following behavior is observed: - - - Devices that have already installed the update are not impacted. - - Devices that are pending restart are likely to continue to install the update as a **Required** update. - - Switching only impacts devices that haven't started the update yet or were early enough in the update process so they could be changed to an **Optional** update. - - c. **Feature update to deploy**: select the specific version of Windows with the feature set you want deployed on your devices. Only versions of Windows that remain in support are available to select. - - d. **Rollout options**: Configure **Rollout options** to manage when Windows Updates makes the update available to devices that receive this policy. 
For more information about using these options, see [Rollout options for Windows Updates](rollout-options.md), and then select **Next**. - -4. Under **Assignments**, choose **+ Select groups to include** and then assign the feature updates deployment to one or more device groups. Select **Next** to continue. - -5. Under **Review + create**, review the settings. When ready to save the Feature updates policy, select **Create**. - - -## Upgrade devices to Windows 11 - -You can use policy for *Feature updates for Windows 10 and later* to upgrade devices that run Windows 10 to Windows 11. - -When you use feature updates policy to deploy Windows 11, you can target the policy to Windows 10 devices that meet the Windows 11 minimum requirements to upgrade them to Windows 11. Devices that don't meet the requirements for Windows 11 won't install the update and remain at their current Windows 10 version. - -Another option is to select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update**, then devices that don't meet the requirements for Windows 11 will get the latest Windows 10 feature update instead. - -However, if a Windows 10 device that can't run Windows 11 is targeted with a Windows 11 update, future Windows 10 updates won't be offered to that device automatically. In this case, remove the not eligible device from the Windows 11 policy and assign the device to a Windows 10 feature update policy. See [Update behavior when multiple policies target a device](#update-behavior-when-multiple-policies-target-a-device). - -### Prepare to upgrade to Windows 11 - -The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the [minimum system requirements for Windows 11](/windows/whats-new/windows-11-requirements#hardware-requirements). - -You can use [endpoint analytics](../../endpoint-analytics/index.md) to determine which of your devices meet the hardware requirements. 
If some of your devices don't meet all the requirements, you can see exactly which ones aren't met. To use Endpoint analytics, your devices must be managed by Intune, co-managed, or have the Configuration Manager client with tenant attach enabled. - -If you're already using Endpoint analytics, navigate to the [Work from anywhere report](../../endpoint-analytics/work-from-anywhere.md), and select the Windows score category in the middle to open a flyout with aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report. On the Windows tab, you'll see device-by-device readiness information. - -### Licensing for Windows 11 versions - -Windows 11 includes a new license agreement, which can be viewed at [https://www.microsoft.com/useterms/](https://www.microsoft.com/useterms/). This license agreement is automatically accepted by an organization that submits a policy to deploy Windows 11. - -When you configure a policy in the Microsoft Intune admin center to deploy any Windows 11 version, the Microsoft Intune admin center displays a notice to remind you that by submitting the policy you are accepting the Windows 11 License Agreement terms on behalf of the devices, and your device users. After submitting the feature updates policy, end users won't see or need to accept the license agreement, making the update process seamless. - -This license reminder appears each time you select a Windows 11 build, even if all your Windows devices already run Windows 11. This prompt is provided because Intune doesn't track which devices will receive the policy, and its possible new devices that run Windows 10 might later enroll and be targeted by the policy. - -For more information including general licensing details, see the [Windows 11 documentation](/windows/whats-new/windows-11). 
- -### Create policy for Windows 11 - -To deploy Windows 11, you'll create and deploy a feature updates policy just as you might have done previously for a Windows 10 device. It's the [same process](#create-and-assign-feature-updates-for-windows-10-and-later-policy) though instead of selecting a Windows 10 version, you'll select a Windows 11 version from the *Feature update to deploy* dropdown list. The dropdown list displays both Windows 10 and Windows 11 version updates that are in support. - -Also, the admin can choose to deploy the latest Windows 10 update to devices that are not eligible for Windows 11. To enable this feature, the admin must select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update** in the deployment policy. This capability is only available if you choose a Windows 11 version from the *Feature update to deploy* dropdown list, and if the tenant meets the [licensing requirements](#prerequisites) defined at the beginning of this document. - -With this capability, you do not need to create two different deployment policies or two different feature updates. With a single policy, you can get your Windows 10 devices that can't go to Windows 11 to upgrade to the latest Windows 10 version and all the devices that can go to Windows 11 to upgrade to a Windows 11 version that you choose. - -You cannot set the checkbox for an existing policy because changing the checkbox value ends the current deployment and starts two new deployments. To change your deployment settings, delete the current feature update policy and create a new policy with the checkbox selected. - -- Deploying an older Windows version to a device won't downgrade the device. Devices only install an update when it's newer than the devices current version. -- Deploying a Windows 11 update to a Windows 10 device that supports Windows 11, [upgrades that device](#upgrade-devices-to-windows-11). 
- -## Update behavior when multiple policies target a device - -Consider the following points when feature update policies target a device with more than one update policy, or target a Windows 10 device with an update for Windows 11: - -- Each Windows feature update policy supports a single update. When a device is targeted by more than one policy, it might be targeted with multiple update versions. - -- The Windows Update service can only offer a device one feature update at a time, and always offers the latest update version that targets the device. - -- Because Windows 11 updates are considered to be later versions than Windows 10, the service always offers the Windows 11 update to a device targeted by both Windows 10 and Windows 11 updates. This is done because deploying a Windows 11 update to a Windows 10 device is a supported upgrade path. - -- Using the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update** when using multiple policies avoids the problems mentioned in this section and configures the service to detect when the Windows 11 is not eligible for a device and instead offers the latest Windows 10 feature update. - -> [!NOTE] -> If you create two policies with the same device/s, where one is set to **Required** and the other set to **Optional** and both policies target the same feature update version, then the update is offered as **Required**. - -## Manage Feature updates for Windows 10 and later policy - -In the admin center, go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Feature updates** tab to view your profiles. - -For each profile you can view: - -- **Feature Update Version** – The feature update version in the profile. - -- **Assigned** – If the profile is assigned to one or more groups. - -- **Support**: The status of the feature update: - - **Supported** – The feature update version is in support and can deploy to devices. 
- - **Support Ending** - The feature update version is within two months of its support end date. - - **Not supported** – Support for the feature update has expired and it no longer deploys to devices. - -- **Support End Date** – The end of support date for the feature update version. -> [!NOTE] -> The date provided is for the Enterprise and Education editions of Windows. To find the support dates for other editions supported by Windows Autopatch, see the [Microsoft Product Lifecycle site](https://aka.ms/lifecycle). - -Selecting a profile from the list opens the profiles **Overview** pane where you can: - -- Select **Delete** to delete the policy from Intune and remove it from devices. -- Select **Properties** to modify the deployment. On the *Properties* pane, select **Edit** to open the *Deployment settings or Assignments*, where you can then modify the deployment. - -> [!NOTE] -> The End user update status Last Scanned Time value will return 'Not scanned yet' until an initial user logs on and Update Session Orchestrator (USO) scan is initiated. For more information on the Unified Update Platform (UUP) architecture and related components, see [Get started with Windows Update](/windows/deployment/update/windows-update-overview). - -## Validation and reporting - -There are multiple options to get in-depth reporting for Windows 10/11 updates with Intune. Windows update reports show details about your Windows 10 and Windows 11 devices side by side in the same report. - -To learn more, see [Intune compliance reports](reports.md). 
- ## Next steps -- Use [Windows update rings in Intune](update-rings.md) -- Use [Windows update compatibility reports](compatibility-reports.md) -- Use [Windows update reports](reports.md) for Windows 10/11 updates -- Also see [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) in the Windows deployment content for an alternative solution +> [!div class="nextstepaction"] +> [Learn how to manage Windows feature update policies](feature-update-policy.md) diff --git a/intune/device-updates/windows/hotpatch.md b/intune/device-updates/windows/hotpatch.md new file mode 100644 index 00000000000..bd99f960888 --- /dev/null +++ b/intune/device-updates/windows/hotpatch.md 
@@ -0,0 +1,134 @@
+---
+title: Use Hotpatch With Windows Quality Updates
+description: Learn how hotpatch works with Windows quality update policies in Microsoft Intune to install eligible security updates without requiring an immediate device restart.
+ms.date: 01/13/2026
+ms.reviewer: mobattul
+ms.topic: how-to
+---
+
+# Hotpatch for Windows quality updates
+
+Windows quality update policies in Microsoft Intune support **hotpatch**, a deployment capability designed to reduce device downtime and user disruption. Hotpatch applies eligible **Monthly B security updates** so that they take effect without requiring an immediate device restart.
+
+Hotpatch is an extension of Windows Update and is managed through **Windows Autopatch** using quality update policies. When enabled, Autopatch orchestrates the deployment of hotpatch updates to eligible devices enrolled in the Autopatch quality update policy. This approach helps organizations maintain security compliance while minimizing workflow interruptions.
+
+### Key benefits
+
+- **Reduced disruption**: Hotpatch installs eligible security updates without requiring an immediate device restart, helping users stay productive.
+- **No changes to existing update rings**: Existing update ring configurations remain in effect and are honored alongside hotpatch configurations.
+- **Policy‑level visibility**: The hotpatch quality updates report provides a policy‑level view of update status for devices receiving hotpatch updates.
+
+## Prerequisites
+
+Hotpatch has the same [prerequisites](quality-updates.md#prerequisites) as Windows quality update policies. This section highlights additional prerequisites specific to hotpatch.
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [device-configuration](../../includes/requirements/device-configuration.md)]
+
+:::column-end:::
+:::column span="3":::
+> To prepare a device to receive hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the hotpatch update and to apply all hotpatch updates.
+>
+>**Virtualization based security (VBS)**\
+>VBS must be turned on for a device to be offered hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).
+>
+>> [!NOTE]
+>> Devices might be temporarily ineligible because they don't have VBS enabled or aren't currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see [Troubleshoot hotpatch updates](/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates).
+>
+>**Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)**
+>
+> > [!IMPORTANT]
+> > Arm 64 device support is in public preview.
+>
+> To ensure all the hotpatch updates are applied, you must set the **Compiled Hybrid Portable Executable** (CHPE) disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates.
+>
+> This requirement only applies to Arm 64 CPU devices when using hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries.
+>
+> To disable CHPE, create and/or set the following DWORD registry key:
+>
+> Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management DWORD key value: HotPatchRestrictions=1`
+>
+> To learn more about CHPE, see [here](/windows/win32/winprog64/wow64-implementation-details)
+>
+> > [!NOTE]
+> > There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don't have CHPE.
+> If you choose to no longer use hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
+:::column-end:::
+:::row-end:::
+
+### Ineligible devices
+
+Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
+
+LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
+
+> [!NOTE]
+> If devices aren't eligible for hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
+
+## Release cycles
+
+For more information about the release calendar for hotpatch updates, see [Release notes for hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+
+- Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required.
+- Hotpatch: Includes security updates. No restarted required.
+
+| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
+| ----- | ----- | ----- |
+| 1 | January | February and March |
+| 2 | April | May and June |
+| 3 | July | August and September |
+| 4 | October | November and December |
+
+## Hotpatch on Windows 11 Enterprise or Windows Server 2025
+
+> [!NOTE]
+> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
+
+Hotpatch updates are similar between Windows 11 and Windows Server 2025.
+
+- Windows Autopatch manages Windows 11 updates
+- Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition.
+
+The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems. It's possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from [Windows release health](/windows/release-health/) to keep up to date.
+
+## Enroll devices to receive hotpatch updates
+
+> [!NOTE]
+> If you're using Autopatch groups and want your devices to receive hotpatch updates, you must create a hotpatch policy and assign devices to it. Turning on hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
+
+To enroll devices to receive hotpatch updates:
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows updates**.
+1. Select the **Quality updates** tab.
+1. Select **Create**, and select **Windows quality update policy**.
+1. Under the **Basics** section, enter a name for your new policy and select **Next**.
+1. Under the **Settings** section, set **When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**.
+1. Select the appropriate Scope tags or leave as Default. Then, select **Next**.
+1. Assign the devices to the policy and select **Next**.
+1. Review the policy and select **Create**.
+
+These steps ensure that targeted devices, which are [eligible](#prerequisites) to receive hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+
+> [!NOTE]
+> Turning on hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
+
+## Roll back a hotpatch update
+
+Automatic rollback of a hotpatch update isn't supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it requires a device restart.
+
+## Hotpatch quality updates report
+
+After a Windows quality update policy has been created with hotpatch updates enabled, you can monitor results, hotpatch deployment status, and errors from the reports.
+
+This report shows the total targeted devices and current update states of all hotpatch update enabled devices.
+
+To access the report:
+
+1. In the [Microsoft Intune admin center][INT-AC], select **Reports**
+1. Under the **Windows Autopatch** section, select **Windows quality updates**
+1. On the **Reports** tab, select **Hotpatch quality updates report**.
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
\ No newline at end of file
diff --git a/intune/device-updates/windows/icons/client-policy.svg b/intune/device-updates/windows/icons/client-policy.svg
new file mode 100644
index 00000000000..eed45b964fd
--- /dev/null
+++ b/intune/device-updates/windows/icons/client-policy.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/intune/device-updates/windows/icons/delete.svg b/intune/device-updates/windows/icons/delete.svg
new file mode 100644
index 00000000000..130e71d5f2c
--- /dev/null
+++ b/intune/device-updates/windows/icons/delete.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/intune/device-updates/windows/icons/driver-update.svg b/intune/device-updates/windows/icons/driver-update.svg
new file mode 100644
index 00000000000..2e7c483beb7
--- /dev/null
+++ b/intune/device-updates/windows/icons/driver-update.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/intune/device-updates/windows/icons/extend.svg b/intune/device-updates/windows/icons/extend.svg
new file mode 100644
index 00000000000..ef9627c5b7c
--- /dev/null
+++ b/intune/device-updates/windows/icons/extend.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/intune/device-updates/windows/icons/feature-update.svg b/intune/device-updates/windows/icons/feature-update.svg
new file mode 100644
index 00000000000..16b591fa515
--- /dev/null
+++ b/intune/device-updates/windows/icons/feature-update.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/intune/device-updates/windows/icons/pause.svg b/intune/device-updates/windows/icons/pause.svg
new file mode 100644
index 00000000000..eb49c1dcbb3
--- /dev/null
+++ b/intune/device-updates/windows/icons/pause.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/intune/device-updates/windows/icons/quality-update.svg b/intune/device-updates/windows/icons/quality-update.svg
new file mode 100644
index 00000000000..f9142f1a114
--- /dev/null
+++ b/intune/device-updates/windows/icons/quality-update.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/intune/device-updates/windows/icons/resume.svg b/intune/device-updates/windows/icons/resume.svg
new file mode 100644
index 00000000000..3464243804b
--- /dev/null
+++ b/intune/device-updates/windows/icons/resume.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/intune/device-updates/windows/icons/uninstall.svg b/intune/device-updates/windows/icons/uninstall.svg
new file mode 100644
index 00000000000..fdaa1833c47
--- /dev/null
+++ b/intune/device-updates/windows/icons/uninstall.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/intune/device-updates/windows/icons/update-ring.svg b/intune/device-updates/windows/icons/update-ring.svg
new file mode 100644
index 00000000000..ae53399ff2e
--- /dev/null
+++ b/intune/device-updates/windows/icons/update-ring.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/intune/device-updates/windows/images/autopatch-ds.png b/intune/device-updates/windows/images/autopatch-ds.png
new file mode 100644
index 00000000000..fb2f8e4d591
Binary files /dev/null and b/intune/device-updates/windows/images/autopatch-ds.png differ
diff --git a/intune/device-updates/windows/images/driver-updates-policy/bulk-actions.png b/intune/device-updates/windows/images/driver-update-policy/bulk-actions.png
similarity index 100%
rename from intune/device-updates/windows/images/driver-updates-policy/bulk-actions.png
rename to intune/device-updates/windows/images/driver-update-policy/bulk-actions.png
diff --git a/intune/device-updates/windows/images/driver-updates-policy/drivers-to-review.png b/intune/device-updates/windows/images/driver-update-policy/drivers-to-review.png
similarity index 100%
rename from intune/device-updates/windows/images/driver-updates-policy/drivers-to-review.png
rename to intune/device-updates/windows/images/driver-update-policy/drivers-to-review.png
diff --git a/intune/device-updates/windows/images/driver-updates-policy/manage-driver-pane.png b/intune/device-updates/windows/images/driver-update-policy/manage-driver-pane.png
similarity index 100%
rename from intune/device-updates/windows/images/driver-updates-policy/manage-driver-pane.png
rename to intune/device-updates/windows/images/driver-update-policy/manage-driver-pane.png
diff --git a/intune/device-updates/windows/images/driver-updates-policy/other-drivers.png b/intune/device-updates/windows/images/driver-update-policy/other-drivers.png
similarity index 100%
rename from intune/device-updates/windows/images/driver-updates-policy/other-drivers.png
rename to intune/device-updates/windows/images/driver-update-policy/other-drivers.png
diff --git a/intune/device-updates/windows/images/driver-updates-policy/recommended-drivers.png b/intune/device-updates/windows/images/driver-update-policy/recommended-drivers.png
similarity index 100%
rename from intune/device-updates/windows/images/driver-updates-policy/recommended-drivers.png
rename to intune/device-updates/windows/images/driver-update-policy/recommended-drivers.png
diff --git a/intune/device-updates/windows/images/driver-updates-overview/wdum-architecture.png b/intune/device-updates/windows/images/driver-updates-overview/wdum-architecture.png
deleted file mode 100644
index a4175a811c7..00000000000
Binary files a/intune/device-updates/windows/images/driver-updates-overview/wdum-architecture.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/driver-updates-policy/view-update-list-1.png b/intune/device-updates/windows/images/driver-updates-policy/view-update-list-1.png
deleted file mode 100644
index 4caec094c35..00000000000
Binary files a/intune/device-updates/windows/images/driver-updates-policy/view-update-list-1.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/expedite-updates/create-quality-update-profile.png b/intune/device-updates/windows/images/expedite-updates/create-quality-update-profile.png
deleted file mode 100644
index f430858bdfc..00000000000
Binary files a/intune/device-updates/windows/images/expedite-updates/create-quality-update-profile.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/expedite-updates/device-report.png b/intune/device-updates/windows/images/expedite-updates/device-report.png
deleted file mode 100644
index d8e4e9888f7..00000000000
Binary files a/intune/device-updates/windows/images/expedite-updates/device-report.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/expedite-updates/select-reboot-time.png b/intune/device-updates/windows/images/expedite-updates/select-reboot-time.png
deleted file mode 100644
index d7e2f60daa6..00000000000
Binary files a/intune/device-updates/windows/images/expedite-updates/select-reboot-time.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/expedite-updates/select-update.png b/intune/device-updates/windows/images/expedite-updates/select-update.png
deleted file mode 100644
index deee3619146..00000000000
Binary files a/intune/device-updates/windows/images/expedite-updates/select-update.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/reports/report-driver-updates-failures.png b/intune/device-updates/windows/images/reports/report-driver-updates-failures.png
deleted file mode 100644
index f58d7b8364e..00000000000
Binary files a/intune/device-updates/windows/images/reports/report-driver-updates-failures.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/reports/whm-scope.png b/intune/device-updates/windows/images/reports/whm-scope.png
deleted file mode 100644
index 1b25dde758a..00000000000
Binary files a/intune/device-updates/windows/images/reports/whm-scope.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/update-rings/default-policy-view.png b/intune/device-updates/windows/images/update-rings.png
similarity index 100%
rename from intune/device-updates/windows/images/update-rings/default-policy-view.png
rename to intune/device-updates/windows/images/update-rings.png
diff --git a/intune/device-updates/windows/images/update-rings/basics-tab.png b/intune/device-updates/windows/images/update-rings/basics-tab.png
deleted file mode 100644
index ab99b3c1f08..00000000000
Binary files a/intune/device-updates/windows/images/update-rings/basics-tab.png and /dev/null differ
diff --git a/intune/device-updates/windows/images/update-rings/overview-actions.png b/intune/device-updates/windows/images/update-rings/overview-actions.png
deleted file mode 100644
index 728665ebdcc..00000000000
Binary files a/intune/device-updates/windows/images/update-rings/overview-actions.png and /dev/null differ
diff --git a/intune/device-updates/windows/includes/prerequisites-cloud.md b/intune/device-updates/windows/includes/prerequisites-cloud.md
new file mode 100644
index 00000000000..b8b1aad9222
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-cloud.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/08/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../../../includes/requirements/cloud.md)]
+
+:::column-end:::
+:::column span="3":::
+> This feature is supported in the following cloud environments:
+> - Public cloud
+> - Government Community Cloud (GCC)
+:::column-end:::
+:::row-end:::
diff --git a/intune/device-updates/windows/includes/prerequisites-device-configuration.md b/intune/device-updates/windows/includes/prerequisites-device-configuration.md
new file mode 100644
index 00000000000..a50f4171fbd
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-device-configuration.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/08/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [device-configuration](../../../includes/requirements/device-configuration.md)]
+
+:::column-end:::
+:::column span="3":::
+> This policy type supports devices that are:
+>
+> - Managed by Intune
+> - Microsoft Entra joined
+> - Microsoft Entra hybrid joined
+>
+> Devices must also meet the following requirements:
+> - Telemetry must be turned on, with a minimum setting of [**Required**](../../../intune-service/configuration/device-restrictions-windows-10.md#reporting-and-telemetry).
+> - The *Microsoft Account Sign-In Assistant* service (`wlidsvc`) must be enabled and running.
+
+:::column-end:::
+:::row-end:::
+
diff --git a/intune/device-updates/windows/includes/prerequisites-licensing.md b/intune/device-updates/windows/includes/prerequisites-licensing.md
new file mode 100644
index 00000000000..e8950a750aa
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-licensing.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/08/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../../includes/requirements/licensing.md)]
+
+:::column-end:::
+:::column span="3":::
+> To use this feature, the following licenses are required:
+> - [Microsoft Intune Plan 1](../../../intune-service/fundamentals/licenses.md)
+> - A Windows license that includes the [Autopatch entitlement](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#licenses-and-entitlements).
+:::column-end:::
+:::row-end:::
diff --git a/intune/device-updates/windows/includes/prerequisites-network.md b/intune/device-updates/windows/includes/prerequisites-network.md
new file mode 100644
index 00000000000..676237246e7
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-network.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/08/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [network-connectivity](../../../includes/requirements/network-connectivity.md)]
+:::column-end:::
+:::column span="3":::
+
+> Devices must have internet access and be able to reach required Microsoft endpoints:
+>
+> - [Intune service endpoints](../../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices)
+> - [Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update)
+> - [Windows Autopatch endpoints](/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network)
+
+:::column-end:::
+:::row-end:::
diff --git a/intune/device-updates/windows/includes/prerequisites-platform.md b/intune/device-updates/windows/includes/prerequisites-platform.md
new file mode 100644
index 00000000000..a19a530451e
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-platform.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/08/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+> This feature supports the following Windows editions:
+> - Pro
+> - Pro Education
+> - Enterprise
+> - Education
+>
+> > [!NOTE]
+> > Windows Enterprise LTSC (Long Term Service Channel) isn't supported. Use update ring policies instead.
+:::column-end:::
+:::row-end:::
diff --git a/intune/device-updates/windows/includes/prerequisites-rbac.md b/intune/device-updates/windows/includes/prerequisites-rbac.md
new file mode 100644
index 00000000000..d3b52b56d89
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-rbac.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/08/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../../includes/requirements/rbac.md)]
+
+:::column-end:::
+:::column span="3":::
+> To manage this feature, use an account with at least one of the following roles:
+>
+> - [Policy and Profile manager][INT-R1]
+> - [Custom role][INT-RC] that includes:
+> - The **Device configurations** permissions **Assign**,**Create**,**Delete**,**View Reports**,**Update**, and **Read**
+> - Permissions that provide visibility into and access to managed devices in Intune (for example, Organization/Read, Managed devices/Read)
+>
+> To view the reports for this feature, use an account with at least one of the following roles:
+>
+> - [Endpoint Security Manager][INT-R2]
+> - [Read Only Operator][INT-R3]
+> - [Help Desk Operator][INT-R4]
+> - [Custom role][INT-RC] with the **Managed devices**/**View Reports** permission.
+:::column-end:::
+:::row-end:::
+
+
+
+[INT-R1]: /intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager
+[INT-R2]: /intune/intune-service/fundamentals/role-based-access-control-reference#endpoint-security-manager
+[INT-R3]: /intune/intune-service/fundamentals/role-based-access-control-reference#read-only-operator
+[INT-R4]: /intune/intune-service/fundamentals/role-based-access-control-reference#help-desk-operator
+[INT-RC]: /intune/intune-service/fundamentals/create-custom-role
\ No newline at end of file
diff --git a/intune/device-updates/windows/includes/prerequisites-tenant.md b/intune/device-updates/windows/includes/prerequisites-tenant.md
new file mode 100644
index 00000000000..bc4a3e1dcd7
--- /dev/null
+++ b/intune/device-updates/windows/includes/prerequisites-tenant.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 01/14/2026
+---
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [tenant-configuration](../../../includes/requirements/tenant-configuration.md)]
+
+:::column-end:::
+:::column span="3":::
+> To enable reporting for this feature, ensure your organization allows Intune to access Windows diagnostic data collected from enrolled devices.
+>
+> For details, see [Enable use of Windows diagnostic data by Intune](../../../intune-service/protect/data-enable-windows-data.md).
+:::column-end:::
+:::row-end:::
diff --git a/intune/device-updates/windows/index.md b/intune/device-updates/windows/index.md
new file mode 100644
index 00000000000..6014b704690
--- /dev/null
+++ b/intune/device-updates/windows/index.md
@@ -0,0 +1,136 @@ +--- +title: Windows Update Management Overview +description: Learn how to manage Windows updates with Intune. Control update settings, define rollout strategies, and ensure consistent device security across your organization. +ms.date: 01/14/2026 +ms.topic: overview +--- + +# Windows update management overview + +Keeping Windows devices secure and up to date is one of the most important responsibilities for any organization. Microsoft Intune provides a **cloud-based approach to Windows update management**, giving you control, predictability, and minimal disruption for users. + +This overview explains how Intune manages Windows updates, the policy types available, and how these pieces fit together into a complete update strategy. + +## What you can do with Intune + +- Configure update settings on devices without managing individual patches. +- Define update rings to control rollout timing and reduce risk. +- Prevent devices from installing new feature versions until you're ready, while still applying security and quality updates. + +Intune stores only the policy assignments, not the updates themselves. When you save a policy, Intune sends configuration details to Windows Update, which determines which updates to offer. Devices download updates directly from Windows Update. + +## Windows update management capabilities + +The following policy types help you manage Windows updates in Intune: + +:::row::: +:::column::: + +#### Windows Update client policy + +>**:::image type="icon" source="icons/client-policy.svg" border="false":::** +> +> Configures the underlying [Update policy CSP](/windows/client-management/mdm/policy-csp-update). Intune surfaces these settings through update rings and the Settings Catalog, giving administrators flexibility to apply granular update behaviors at the device level. 
+> +>> [!div class="nextstepaction"] +>> [Learn more](/windows/deployment/update/waas-configure-wufb) + +:::column-end::: +:::column::: +#### Update ring policy + +>**:::image type="icon" source="icons/update-ring.svg" border="false":::** +> +> Applies Windows Update client policies to groups of devices. Update rings control deferral periods, deadlines, restart behavior, and user experience settings, enabling phased rollout across your environment. +> +>> [!div class="nextstepaction"] +>> [Learn more](update-rings.md) +:::column-end::: +:::row-end::: + +:::row::: +:::column::: +#### Feature update policy + +>**:::image type="icon" source="icons/feature-update.svg" border="false":::** +> +> Locks devices to a specific Windows version (for example, Windows 11 24H2). These policies prevent devices from upgrading beyond the targeted release, ensuring consistency and control over major OS upgrades. +> +>> [!div class="nextstepaction"] +>> [Learn more](feature-updates.md) +:::column-end::: + +:::column::: +#### Quality update policy + +>**:::image type="icon" source="icons/quality-update.svg" border="false":::** +> +>Delivers monthly cumulative updates for security and reliability. Supports: +> - **Hotpatch**: Apply eligible security patches without a reboot to reduce downtime. +> - **Expedite policies**: Push critical security updates immediately by overriding deferral settings. +> +>> [!div class="nextstepaction"] +>> [Learn more](quality-updates.md) +:::column-end::: +:::row-end::: + +:::row::: +:::column::: +#### Driver update policy + +**:::image type="icon" source="icons/driver-update.svg" border="false":::** + +> Manages the delivery of hardware driver updates from Windows Update. Driver update policies help ensure device compatibility and stability by controlling when and how drivers are installed. 
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](feature-updates.md)
+:::column-end:::
+:::column:::
+:::column-end:::
+:::row-end:::
+
+## Windows Autopatch
+
+Windows Autopatch is a managed cloud service integrated with Microsoft Intune that helps keep Windows devices up to date and protected.
+
+Autopatch uses feature update policies, quality update policies, and driver update policies as its policy surface. These policy types are built on the same cloud orchestration service that powers Windows Autopatch and are also available in Intune for admins who want to manage updates without enrolling devices in Autopatch.
+
+Autopatch adds service-managed capabilities such as dynamic device grouping, phased rollouts, health monitoring, and reporting. For eligible Windows editions, it also enables cloud-powered update scenarios like hotpatch and expedited updates with minimal manual configuration.
+
+Update ring policies are used in Intune to configure Windows Update behavior such as deferrals, deadlines, and restart settings. For Autopatch‑enrolled devices, update rings may be created and managed by the service to implement rollout cadence.
+
+The following table compares how update management differs when you use Autopatch and manual Intune configuration:
+
+| **Feature** | **When NOT using Autopatch** | **When using Autopatch** |
+|--|--|--|
+| **Update coordination** | You control scheduling, deferrals, and rollout manually using Intune policies. | Autopatch orchestrates updates using service-managed policies and rollout logic. |
+| **Update ring policy** | You configure update ring policies in Intune to control deferrals, deadlines, and restart behavior. | Autopatch may create and manage update ring policies to control rollout cadence and restart behavior. Admins shouldn't assign custom update ring policies to Autopatch-managed devices. |
+| **Feature update policy** | You use feature update policies to lock or schedule OS versions. | Autopatch manages version targeting and rollout automatically. |
+| **Quality update policy** | You configure quality update policies, expedited updates, and hotpatch settings manually. | Autopatch manages monthly patches, expedites critical updates, and applies hotpatch automatically for eligible devices. |
+| **Driver update policy** | You use driver update policies to review and approve drivers manually. | Autopatch manages driver approvals and scheduling automatically. |
+
+
+> [!div class="nextstepaction"]
+> [Learn more about Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
+
+## Prerequisites
+
+Each policy type has specific prerequisites, detailed in their respective documentation. In general:
+
+- Devices must be enrolled in Intune.
+- Devices must be Microsoft Entra joined or hybrid joined.
+ > Microsoft Entra registered devices aren't supported for any policy type that uses the same backend service as Windows Autopatch—including Feature updates, Quality updates, and Driver updates.\
+ > For Entra registered devices, update management remains limited to Windows Update client policies and update ring policies.
+- Devices must have access to Microsoft update endpoints.
+
+Feature update policies, quality update policies, and driver update policies use the same cloud orchestration layer as Windows Autopatch. Autopatch automates these policies, but when you configure them manually in Intune, you're still calling the same backend service—so the requirements don't change. Because they share this service, the prerequisites are the same across these three policy types:
+
+- **Licensing**: A Windows license that includes the [Autopatch entitlement](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#licenses-and-entitlements).
+
+ > If you're blocked when creating new policies for capabilities that require Windows Autopatch and you get your licenses to use Windows Update client policies through an Enterprise Agreement (EA), contact the source of your licenses such as your Microsoft account team or the partner who sold you the licenses. The account team or partner can confirm that your tenants' licenses meet the Windows Autopatch license requirements. See [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea).
+ >
+ > > [!IMPORTANT]
+ > > [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities.
+- **Telemetry**: Diagnostic data set to *Required* level.
+- **Services**: Microsoft Account Sign-In Assistant enabled.
+ > If the service is blocked or set to *Disabled*, it fails to receive the update. For more information, see [Feature updates aren't being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). By default, the service is set to *Manual (Trigger Start)*, which allows it to run when needed.
diff --git a/intune/device-updates/windows/quality-updates-policy.md b/intune/device-updates/windows/quality-updates-policy.md
deleted file mode 100644
index 8e2ed4d3ae0..00000000000
--- a/intune/device-updates/windows/quality-updates-policy.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Windows quality update policy
-description: Use Hotpatch updates to receive security updates without restarting your device
-ms.date: 04/17/2025
-ms.reviewer: Mounika
-ms.topic: how-to
-ms.collection:
----
-
-# Windows quality update policy
-
-Windows policy updates policy allows you to deploy Hotpatch updates. Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
-
-Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
-
-## Key benefits
-
-- Hotpatch updates streamline the installation process and enhance compliance efficiency.
-- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
-- The [Hotpatch quality update report](/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
-
-## Prerequisites
-
-To benefit from Hotpatch updates, devices must meet the following prerequisites:
-
-- For licensing requirements, see [Prerequisites](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites)
-- Windows 11 Enterprise version 24H2 or later
-- Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
-- Microsoft Intune to manage hotpatch update deployment with the [Windows quality update policy with hotpatch turned on](#enroll-devices-to-receive-hotpatch-updates).
-
-## Operating system configuration prerequisites
-
-To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
-
-### Virtualization based security (VBS)
-
-VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).
-
-> [!NOTE]
-> Devices might be temporarily ineligible because they don't have VBS enabled or aren't currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see [Troubleshoot hotpatch updates](/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates).
-
-### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
-
-> [!IMPORTANT]
-> **Arm 64 device support is in public preview**.
-
-To ensure all the Hotpatch updates are applied, you must set the **Compiled Hybrid Portable Executable** (CHPE) disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates.
-
-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries.
-
-To disable CHPE, create and/or set the following DWORD registry key:
-
-Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management DWORD key value: HotPatchRestrictions=1`
-
-To learn more about CHPE, see [here](/windows/win32/winprog64/wow64-implementation-details)
-
-> [!NOTE]
-> There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don't have CHPE.
-
-If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
-
-## Ineligible devices
-
-Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
-
-LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
-
-> [!NOTE]
-> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
-
-## Release cycles
-
-For more information about the release calendar for hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
-
-- Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required.
-- Hotpatch: Includes security updates. No restarted required.
-
-| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
-| ----- | ----- | ----- |
-| 1 | January | February and March |
-| 2 | April | May and June |
-| 3 | July | August and September |
-| 4 | October | November and December |
-
-## Hotpatch on Windows 11 Enterprise or Windows Server 2025
-
-> [!NOTE]
-> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
-
-Hotpatch updates are similar between Windows 11 and Windows Server 2025.
-
-- Windows Autopatch manages Windows 11 updates
-- Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information, on Windows Server and Windows 365, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
-
-The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems (OS). It's possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from [Windows release health](/windows/release-health/) to keep up to date.
-
-## Enroll devices to receive Hotpatch updates
-
-> [!NOTE]
-> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
-
-**To enroll devices to receive Hotpatch updates:**
-
-1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** from the left navigation menu.
-1. Under the **Manage updates** section, select **Windows updates**.
-1. Go to the **Quality updates** tab.
-1. Select **Create**, and select **Windows quality update policy**.
-1. Under the **Basics** section, enter a name for your new policy and select Next.
-1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
-1. Select the appropriate Scope tags or leave as Default. Then, select **Next**.
-1. Assign the devices to the policy and select **Next**.
-1. Review the policy and select **Create**.
-
-These steps ensure that targeted devices, which are [eligible](#prerequisites) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
-
-> [!NOTE]
-> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
-
-## Roll back a hotpatch update
-
-Automatic rollback of a Hotpatch update isn't supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
-
-## Monitoring and reporting
-
-After a Windows quality updates policy has been created with Hotpatch updates enabled, you can monitor results, hotpatch deployment status, and errors from the reports.
-
-### Hotpatch quality updates
-
-This report shows the total targeted devices and current update states of all Hotpatch update enabled devices.
-
-1. Sign in to the Microsoft [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Reports > Windows quality updates** under **Windows Autopatch** section.
-
-3. On the **Reports** tab, select **Hotpatch quality updates report**.
-
-## Windows quality update distribution
-
-This report shows the device distribution for different quality update releases. For Hotpatch applicable **Updates**, you can see both Hotpatch and standard quality update build numbers are displayed. Note that Hotpatch builds are lower numbered due to the inclusion of subset of fixes compared to standard builds. You can select **Devices on this update** column for each release to see a detailed list of devices and their corresponding updates.
-
-To go to the device,
-
-1. Sign in to the Microsoft [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select Reports > Windows updates.
-
-3. On the Reports tab, click on Windows quality update distribution report.
-
-Select **Update type** to select the quality update release. The **Build number** column on the Windows quality update distribution per feature version report shows you the Hotpatch and Standard builds.
-
diff --git a/intune/device-updates/windows/quality-updates-reports.md b/intune/device-updates/windows/quality-updates-reports.md
new file mode 100644
index 00000000000..7fc36a110fe
--- /dev/null
+++ b/intune/device-updates/windows/quality-updates-reports.md
@@ -0,0 +1,108 @@
+---
+title: Reports for Windows Quality Update Policies
+description: Learn about the reports available for Windows quality update policies in Microsoft Intune.
+ms.date: 01/14/2026
+ms.topic: how-to
+ms.reviewer: zadvor
+---
+
+# Windows update distribution report
+
+The Windows update distribution report in Intune provide a summarized report to show the number of devices that are on each quality update level and the percentage coverage for each update across devices managed by Intune (including co-managed devices).
+
+The report provides a drill down for each quality update that aggregates devices based on Windows feature version and the update statuses. The admins can get the list of devices that aggregate to the numbers shown in the previous two reports, which they can export and use for troubleshooting and analysis.
+
+The report includes Intune managed and co-managed devices, and is based on the OS version updated at every device check-in. The report can slice the data based on device scope tags.
+
+>[!NOTE]
+> The Windows update distribution report can be used if you are using Update Rings, or not using any update policies in Intune.
+
+The Windows update distribution report comprises distinct organizational reports that function sequentially to provide insights on devices and their corresponding Windows update versions. To access this feature, navigate to **Reports** > **Windows Updates** > **Reports tab** > **Windows Update Distribution Report**.
+
+The Windows update distribution report includes three nested reports:
+
+- Windows quality update distribution report
+- Windows quality update distribution per feature version report
+- Windows quality update device version report
+
+Select a tab to learn more about each report.
+
+# [**QU distribution**](#tab/distribution)
+
+The report displays the distribution of devices against different quality updates for the selected scope. It shows the counts of devices corresponding to the displayed quality updates.\
+Select one or more scope tags from the drop-down list to generate the report. The drop-down list shows all the scope tags the user has access to, based on the user's assigned scope tags.
+
+:::image type="content" source="./images/reports/windows-quality-updates-page1.png" alt-text="Screen capture of the Windows quality update distribution report." lightbox="./images/reports/windows-quality-updates-page1.png":::
+
+The report shows the number of devices under each QU level corresponding to the current month and the last 3 months from the day of reporting. The top rows typically represent the last three months, followed by other device data distributions.
+
+**Column details**:
+
+- **Update**: Monthly quality update version. The update format corresponds to YYYY-MM-UpdateType. For example, 2024-02-B.
+ - **Older releases**: All windows devices running valid feature version (non-preview/insider) and running older than 3 months of quality update level are combined into a single entity shown as *Older releases*.
+ - **Windows insider or other releases**: All those devices whose OS version does not align with the Windows generally available feature release version and not on documented QU level, are combined under *Windows insider or other releases*.
+- **Update Type**: Monthly quality update type. For more information, go to [Windows monthly update explained](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-monthly-updates-explained/ba-p/3773544)
+ - B: Security Updates (released on patch Tuesday)
+ - D: Non-Security Updates (released on 4th week of month)
+ - OOB: Out of band updates
+- **Release Date**: Release date of the monthly quality update.
+- **Devices on this update**: Number of devices where the target quality update is installed.
+- **% of all devices**: Number of devices running a particular quality update represented in percentage of total managed devices in Intune.
+
+All QUs from this page are hyperlinked:
+- When you select one of the current or last 3 months quality update (B, D or OOB), the *Windows quality update distribution per feature version* report is displayed.
+- When you select **Older releases**, the *Windows quality update device version* report is displayed with a list of devices that are on an older quality update level excluding insider builds and unknown builds.
+- When you select **Windows insider or other releases**, the *Windows quality update device version* report is displayed with a list of devices whose feature version is insider release, or the quality update of the device cannot be mapped to documented quality update version in Windows release information.
+
+# [**QU distribution per feature version**](#tab/feature-version)
+
+The report provides the distribution of devices against Windows feature releases. The distribution of devices that are eligible to receive the selected quality update shown based on the Windows feature versions that are generally available. The report aids IT administrators in making informed decisions for devices and managing devices that need attention.
+
+:::image type="content" source="./images/reports/windows-quality-updates-page2.png" alt-text="Screen capture of the Windows quality update distribution per feature version." lightbox="./images/reports/windows-quality-updates-page2.png":::
+
+The stacked chart displays the counts of devices that are up to date, those that need updates, and those for which the chosen quality update does not apply. Together, these counts make up the total Windows devices that Intune manages, including co-managed devices.
+
+The table lists each supported feature version that the selected quality update affects.
+
+Select **Columns** at the top of the table to toggle the visibility of columns, including the **Devices on this update** column, which is hidden by default. You can sort the data by the **Windows version** and **Build number** columns.
+
+**Column details**:
+
+- **Windows version**: Shows the Windows feature version.
+- **Total devices**: Total managed devices corresponding to the Windows feature version.
+- **Build Number**: Build number of the windows feature version. Devices running supported Windows feature versions that the selected quality update does not cover are marked as **Not applicable**. Devices running unsupported Windows feature versions, insider versions, or those with an unknown OS version, are grouped under one line item and marked as **Not applicable**.
+- **Devices on this update or later**: Number of devices where the target quality update or later is installed.
+- **Devices on this update**: Number of devices where the target quality update is installed.
+- **Devices need update**: Number of devices that are applicable for the update but do not currently have it installed.
+KB article: External link to target quality update's KB Article for the corresponding Windows feature version.
+
+When you select any device count, the *Windows quality update device version* report is displayed.
+
+# [**QU device version**](#tab/device-version)
+
+The report presents a list of devices based on the selections from the previous 2 reports. The criteria that you selected in the previous reports are displayed at the top of the page.\
+The report offers sortable columns and search options, along with an export feature allowing high volume data to be downloaded in CSV format.
+
+:::image type="content" source="./images/reports/windows-quality-updates-page3.png" alt-text="Screen capture of the Windows quality update device version." lightbox="./images/reports/windows-quality-updates-page3.png":::
+
+**Column details**:
+
+- **Device Name**: The name of the device.
+- **Intune Device Id**: Intune device identifier.
+- **Entra Device Id**: Microsoft Entra identifier for device.
+- **Primary UPN**: Intune user identifier (email).
+- **OS version**: Operating System (OS) version build number. The OS version corresponds to the Windows feature Version (For example, Windows 11 24H2) and the quality Update level (For example, 2024-08 B).
+- **Windows feature version**: Windows feature version.
+- **Windows quality version**: Windows quality update.
+- **Managed by**: Management agent.
+- **Last check-in**: Device last check-in date time
+
+The search bar enables the search for a specific device or UPN. Select a device from the list to view the device's details.
+
+---
+
+All these reports are cached, and have an expiry time of three days, after which you must generate a new report. Select **Generate Again** to get fresh data.
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
diff --git a/intune/device-updates/windows/quality-updates.md b/intune/device-updates/windows/quality-updates.md
new file mode 100644
index 00000000000..632d4232ba7
--- /dev/null
+++ b/intune/device-updates/windows/quality-updates.md
@@ -0,0 +1,56 @@
+---
+title: Manage Windows quality updates
+description: Learn how to manage Windows quality updates in Microsoft Intune using quality update policies, expedited updates, and hotpatch to keep devices secure and compliant.
+ms.date: 01/06/2026
+ms.reviewer: mobattul
+ms.topic: how-to
+---
+
+# Manage Windows quality updates
+
+Windows quality updates are the regular Windows servicing updates that keep devices secure, reliable, and supported. These updates are released frequently—typically monthly—and include security fixes, non‑security improvements, and reliability enhancements. Because quality updates are cumulative, installing the latest update brings a device fully up to date for its currently installed Windows version.
+
+In Microsoft Intune, you manage Windows quality updates through **quality update policies**. These policies provide a dedicated policy surface for targeting specific quality updates, and use cloud‑based update orchestration to deploy those updates to devices. Quality update policies work alongside other Windows update policies—such as **feature updates policies** and **driver updates policies**—and can be managed directly in Intune or automatically through **Windows Autopatch**, depending on your deployment model.
+
+Quality update policies support targeted deployment scenarios for Windows quality updates. You can use them to **expedite updates** and accelerate the installation of critical or security updates when standard deployment timelines aren't acceptable. For eligible Windows editions and device configurations, you can also enable **hotpatch**, which installs certain security updates without requiring an immediate device restart—helping balance rapid protection, deployment control, and end‑user experience.
+
+Client‑side update behavior—such as restart settings, deadlines, notifications, and deferral periods—continues to be configured through **update rings** and **Windows Update client policies**, which together with quality update policies complete the end‑to‑end update experience on devices.
+
+## Prerequisites
+
+[!INCLUDE [prerequisites-network](includes/prerequisites-network.md)]
+[!INCLUDE [prerequisites-cloud](includes/prerequisites-cloud.md)]
+[!INCLUDE [prerequisites-tenant](includes/prerequisites-tenant.md)]
+[!INCLUDE [prerequisites-licensing](includes/prerequisites-licensing.md)]
+[!INCLUDE [prerequisites-platform](includes/prerequisites-platform.md)]
+[!INCLUDE [prerequisites-device-configuration](includes/prerequisites-device-configuration.md)]
+[!INCLUDE [prerequisites-rbac](includes/prerequisites-rbac.md)]
+
+## How quality update policies support different deployment scenarios
+
+Quality update policies provide a single management surface for deploying Windows quality updates across different operational scenarios:
+
+- **Standard deployment**: Use quality update policies to enable cloud‑based orchestration of regular monthly quality updates, while update rings and Windows Update client settings continue to control restarts, deadlines, and notifications.
+- **Expedited deployment**: Use expedite policies to accelerate the installation of a specific security or critical update when faster remediation is required.
+- **Restart‑optimized deployments**: On supported devices, enable hotpatch through quality update policies to apply qualifying security updates without requiring an immediate device restart.
+
+These scenarios use cloud‑based update orchestration to control how updates are approved, timed, and applied, depending on the deployment model.
+
+### Do I need a Windows quality update policy?
+
+You don't need to create a Windows quality update policy for devices to continue receiving monthly Windows quality updates. Devices without a quality update policy continue to receive quality updates through standard Windows Update behavior, using update rings and Windows Update client policies to control deferrals, deadlines, restarts, and notifications.
+
+Create a Windows quality update policy if you want to:
+- Enable **cloud‑based orchestration** of Windows quality updates
+- Use **Windows Autopatch-managed quality update deployments**
+- Enable **hotpatch** for eligible devices
+- View **policy‑based quality update reporting**
+
+If you only need to **accelerate the installation of a specific quality update** for a limited set of devices, you can use an **expedite policy** without creating a quality update policy.
+
+In most environments, you create a Windows quality update policy only when you need advanced deployment scenarios such as hotpatch or Windows Autopatch-managed update workflows.
+
+## Next steps
+
+- [Learn how hotpatch works with quality update policies](hotpatch.md)
+- [Learn how expedite policies work with quality update policies](quality-updates.md)
diff --git a/intune/device-updates/windows/reports.md b/intune/device-updates/windows/reports.md
deleted file mode 100644
index dfb1fb8a824..00000000000
--- a/intune/device-updates/windows/reports.md
+++ /dev/null
@@ -1,544 +0,0 @@ ---- -title: Use Windows Update for Business reports for Windows Updates in Microsoft Intune -description: Use Windows Update for Business reports to view data for Windows Updates you deploy with Intune. -ms.date: 03/04/2025 -ms.topic: how-to -ms.reviewer: zadvor -#ms.custom: -ms.collection: -- M365-identity-device-management -- highseo -- sub-updates ---- - -# Windows Update reports for Microsoft Intune - -With Intune, you can deploy updates to Windows 10/11 devices by using policies for: - -- [Update rings for Windows](update-rings.md) -- [Feature updates for Windows](feature-updates.md) -- [Windows Driver updates for Windows](driver-updates-overview.md) - -Reports for these policy types are available to help you monitor and troubleshoot update deployments. To support reporting, you must configure [Data collection settings](#configuring-for-client-data-reporting). - -Intune supports the following report options: - -- **Reports in Intune**: - - **Windows 10 update rings**: Use a [built-in report](#reports-for-update-rings-for-windows-10-and-later-policy) that's ready by default when you deploy update rings to your devices. - - **Windows 10 feature updates**: Use [two built-in reports](#reports-for-windows-10-and-later-feature-updates-policy) that work together to gain a deep picture of update status and issues. These reports require you to configure data collection from devices before the reports can display data about feature updates. - - **Windows Driver updates**: Use the [built-in reports](#reports-for-windows-driver-updates-policy) to understand which driver updates are applicable to your devices and which of those updates have been approved, installed, or paused. 
- - **Windows update distribution**: Use the [three built-in reports](#windows-update-distribution-report) to understand the number of devices that are on each quality update level and the percentage coverage for each update across devices managed by Intune (including co-managed devices). The three distinct organizational reports function sequentially to provide insights on devices and their corresponding Windows update versions. - -- **Windows Update for Business reports**: - - [Use Windows Update for Business reports with Intune](#use-windows-update-for-business-reports) to monitor Windows update rollouts. Windows Update for Business reports is a free service built on Azure Monitor and Log Analytics. - -For more information, see [Monitor Windows Updates with Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) in the Windows documentation. - -## Configuring for client data reporting - -This method of configuring data collection using Windows diagnostic data in Intune is shared across all the reports, including drivers, feature updates, and expedite updates. - -To support reporting, you must configure the following data collection settings: - -- Enable [Windows diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) collection from devices at a level of [*Required*](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) or higher. -- At the Tenant level, set [Enable features that require Windows diagnostic data in processor configuration](../../intune-service/protect/data-enable-windows-data.md#windows-data) to **On**. This setting can be configured in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) at **Tenant administration** > **Connectors and tokens** > **Windows data**. 
- ->[!NOTE] -> The [Windows update distribution reports](#windows-update-distribution-report) don't require any additional configuration for client data reporting. - -## Reports for Update rings for Windows 10 and later policy - -Intune offers integrated report views for the Windows update ring policies you deploy. These views display details about the update ring deployment and status. To access reports, in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Update rings** tab > and select an update ring policy. Intune displays details similar to the following for the selected policy: - -:::image type="content" source="./images/update-rings/default-policy-view.png" alt-text="Screen capture of the default view for Update rings policy." lightbox="./images/update-rings/default-policy-view.png"::: - -> [!TIP] -> -> For details about the policy actions at the top of the policy view, like *Delete*, *Pause*, and *Extend*, see [Manage your Windows Update rings](update-rings.md#manage-your-windows-update-rings) in the *Update rings for Windows 10 and later policy in Intune* article. - -On the policy page view: - -- **Device and user check-in status**: The default report view for this policy. This default view includes a high-level bar chart that displays a count of devices reporting four status values for this policy, and a color bar that visually represents the percentage of devices reporting each status by color. This view displays the following four status results for the policy: - - Succeeded - - Error - - Conflict - - Not applicable - -- **View report**: This button opens a more detailed report view for *Device and user check-in status*. The detailed report view includes a chart and color bar similar to that from the preceding high-level view, but reports one the additional status of **In progress**. 
- - This view also includes device specific details that include: - - Device name - - Logged in user - - Check-in status - - Last report modification time - - :::image type="content" source="./images/reports/report-view-details.png" alt-text="Screen capture that shows details available from the View report action."::: - - From this report view, you can select a device to drill in to view the list of the settings in the policy, and the status of the selected device for each of those settings. Additional drill-in is available by selecting a setting to open the *Setting details*. The *Setting details* display the name of the setting, the devices status (State) for that setting, and a list of profiles that manage the setting and that are assigned to the device. This is useful to help identify the source of a settings conflict. - -- **Two additional report tiles**: You can select the tiles for the following reports to view additional details: - - - **Device assignment status**: This report shows all the devices that are targeted by the policy, including devices in a pending policy assignment state. - - For this report, you can select one or more status details you are interested in, and then select *Generate report* to update the view with only that information. In this following image, we have generated a report that displays only the devices that were successfully assigned this policy: - - :::image type="content" source="./images/reports/successful-assignment-view.png" alt-text="Image of the results of the Assignment status report."::: - - This report supports drilling in to view the list of settings, with subsequent drill-in as seen in for the full report view available from the *View report* button. - - - **Per setting status**: View the configuration status of each setting for this policy across all devices and users. This view present a simple view of each setting in the policy, and the count of assigned devices that have success, error, or conflict. 
This report view doesn't support drilling in for additional detail. - -## Reports for Windows 10 and later feature updates policy - -Intune offers integrated reports to view detailed Windows update deployment status for devices using Feature updates for Windows 10 and later policies. To use reports for this feature, you must first configure prerequisites and policies that support data collection from devices. - -The data in the Intune reports for Feature updates for Windows 10 and later policy is used only for these reports and doesn't surface in other Intune reports. - -- [Windows 10 feature updates (Organizational)](#use-the-windows-10-feature-updates-organizational-report): This report provides an overall view of compliance for devices on a per-policy basis. - -- [Feature update failures report (Operational)](#use-the-feature-update-failures-operational-report): This report provides details on Alerts – errors, warnings, information, and recommendations – on a per-policy basis to help troubleshoot and optimize your devices. - -Before you can use the feature updates policy reports, you must configure prerequisites for the report. - -### Prerequisites - -- **Data collection**: - - Before a device can send the reporting data that's used in the Windows 10 feature updates report for Intune, you must [Configure data collection](#configuring-for-client-data-reporting): - - - Service-based data is collected for all feature update versions and doesn't require you to configure data collection. - - Client-based data is collected from devices only after data collection is configured. - - Service and client-based data is described in [Use the Windows 10 feature updates (Organizational) report](#use-the-windows-10-feature-updates-organizational-report) later in this article. 
- -- **Devices**: - - Devices must: - - - Meet the [prerequisites for Windows 10 and later feature updates policy](feature-updates.md#prerequisites) as documented in **Feature updates for Windows 10 and later policy in Intune**. - - Be Microsoft Entra joined, or Microsoft Entra hybrid joined to support submitting of data for reporting. - -### About reporting data latency - -The data for these reports is generated at different times, which depend on the type of data: - -- **Service-based data from Windows Update** – This data typically arrives in less than an hour after an event happens in the service. Events include Alerts for a device that can't register with Windows Update (which is viewable in the *Feature update failures report*), to status updates about when Windows Update began offering an update to clients. This data is available without configuring data collection. - -- **Client-based data from Intune devices that are configured to send data to Intune** – This data is processed in batches and refreshes every eight hours, but is only available after you [configure data collection](#configuring-for-client-data-reporting). The data contains information like when a client doesn't have enough disk space to install an update. This data is also used in the Windows 10 feature updates organizational report to show the various installation steps a device moves through when installing feature updates. - -### Use the Windows 10 feature updates (Organizational) report - -The **Windows 10 feature updates** report provides an overview of compliance for devices you target with a [Windows feature updates](feature-updates.md) policy. - -> [!IMPORTANT] -> Before this report can show data, you must [configure data collection](#configuring-for-client-data-reporting) for the Windows feature updates reports. - -This report provides you update installation status that's based on the update state from device and device-specific update details. 
The data in this report is timely, calls out the device name and state, and other update-related details. This report also supports filtering, searching, paging, and sorting. - -To use the report: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. To view a summary report across all Windows 10 and later feature updates policies: - - - In the admin center, go to **Reports** > **Windows updates**. The default view displays the **Summary** tab: - > [!div class="mx-imgBorder"] - > ![Enable data collection for Intune](./images/reports/windows-updates-summary.png) - -3. To open the **Windows 10 feature updates** report and view device details for a specific feature updates profile: - - - In the admin center, go to **Reports** > **Windows updates** > select the **Reports** tab > select **Windows Feature Update Report**. - - - Select on **Select a feature update profile**, select a profile, and then **Generate report**. - - - Select **Update status** and **Ownership** to refine the report. - > [!div class="mx-imgBorder"] - > ![Review ownership](./images/reports/windows-feature-updates-by-policy.png) - - The following list identifies the columns that are available in the view: - - **Devices** – The name of the device. - - **UPN** – Intune user identifier (email). - - **Intune Device ID** – Intune device identifier. - - **Microsoft Entra Device ID** – Microsoft Entra identifier for device. - - **Last Event Time** – The last time there was new data, or something happened for the device and update. - - **Update State** – The state of the update for the device. Initial state data is from the service-side, which is the status of the update in the system before it begins to install on the device. When client-side data is available, client-side data is shown, replacing the server-side data. - - **Update Substate** – A low-level detailed version of the Update State. 
- - **Update Aggregated Status** – A high-level summary of the Update State, like *In progress* or *Error*. - - **Alert Type** – When applicable, Alert Type displays the most recent alert message. - - **Alert Details** – *This column isn't in use.* - - **Last Scan Time** – The last time this device ran a scan for Windows Update. - - **Target Version** – This column is useful in policy reports as it shows the friendly name of the update being targeted on the device. This field can be particularly useful when the [win10 sxs] checkbox is selected to identify when and which devices were determined to be ineligible for the update and are now being targeted with the Win10 update. - - The following information applies to **Update State** and **Update Substate**: - - - **Service-side data**: - - **Pending**: - - **Validation** – The update can't be offered to the device because of a validation issue with the device and Windows Update. - - **Scheduled** – The update isn't ready to be offered to the device but is scheduled for offering at a later date. - - **On hold**: - - **Admin paused** – The update is on hold because the Deployment being paused by an explicit Administrator action. - - **ServicePaused** – The update is on hold because of an automatic action by Windows Update. - - **Canceled**: - - **Admin Cancelled** – The update offer was canceled by explicit Administrator action. - - **Service Cancelled** – The update was canceled by Windows Update for one of the following reasons: - - The *end of service* for the selected content was reached and it's no longer offered by Windows Update. For example, the device might have been added to a deployment after the content's availability expired, or the content reached its end of service date before it could install on the device. - - The deployment content has been superseded for the device. This can happen when the device is targeted by another deployment that deploys newer content. 
For example, one deployment targets the Windows 10 device to install version 2004 and a second deployment targets that same device with version 21H1. In this event, 2004 is superseded by the 21H1 deployment and Windows Update cancels the 2004 deployment to the device. - - **Removed from Deployment** – The update offer was canceled because it was removed from the Deployment by explicit Administrator action. - - **Not Supported** - The update was canceled by Windows Update as the device cannot be found in Azure Entra and is an invalid device. This can happen if the device is not Azure Entra joined or does not have a valid Device ID, Global Device ID. - - **Offering**: - - **OfferReady** – The update is currently being offered to the device by Windows Update. - - - **Client-side data**: - - **On Hold**: - - **Deferred** – Windows Update client policies are causing the device to defer the update being offered. - - **Offering**: - - **Offer Received** – The device scanned against Windows Update (WU) and identifies that the update is applicable but hasn't begun to download it. - - **Installing**: - - **Download Start** – The download process has begun. - - **Download Complete** – The download process has completed. - - **Install Start** – The pre-restart install process has started. - - **Install Complete** – The pre-restart install process has finished. If the update doesn't require a restart, the update process ends here. - - **Restart Required** – A restart is required to finish update. - - **Restart Initiated** – The device has gone into restart. - - **Restart Complete** – The device has come back from restart. - - **Installed**: - - **Update Installed** – The update successfully installed. - - **Uninstalling**: - - **Uninstall** – The device is actively uninstalling the update. - - **Rollback** – A rollback has been initiated to a previous update because of a serious issue during installation. - - **Update Uninstalled** – The update successfully uninstalled. 
- - **Rollback complete** – A rollback has completed. - - **Cancelled**: - - **User Cancelled** – A user canceled the update. - - **Device Cancelled** – The device canceled the update for a user. This action is usually because the update no longer applies. - - - **Other**: - - **Needs attention**: The device has some issue and needs attention. - -### Use the Feature update failures (Operational) report - -The **Feature update failures** operational report provides details for devices that you target with a [Windows 10 and later feature updates](feature-updates.md) policy, and that have attempted to install an update. Devices in this report might have an Alert that prevents the device from completing installation of the update. - -> [!IMPORTANT] -> Before this report can show data, you must [configure data collection](#configuring-for-client-data-reporting) for the Windows feature updates reports. - -This report provides insights to update installation status, including the number of devices with errors. It also supports drilling in for more details to help you troubleshoot issues with the installation. This report supports filtering, searching, paging, and sorting. - -To use the report: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Select **Devices** > **Monitor**, and then below *Software updates* select **Feature update failures**. - - - The initial view displays a per-profile summary of how many devices have alerts for each of your profiles with the version of Windows that the profile targets: - - > [!div class="mx-imgBorder"] - > ![Per-profile view](./images/reports/update-failures-summary.png) - - - Selecting a profile opens a dedicated view that contains all active Alerts for that profile. 
- - - While viewing the active alerts for the profile: - - - Select an *Alert Message* to open a pane that displays more details for that alert: - > [!div class="mx-imgBorder"] - > ![Alert message details](./images/reports/alert-message-details.png) - - - Select the device name to open the Device page: - > [!div class="mx-imgBorder"] - > ![View the device page](./images/reports/device-details.png) - -The following list identifies Alert Messages, and suggested remediation actions: - -|Alert Message |Description |Recommendation | -|----|----|----| -| **CancelledByUser** | User canceled the update. | Retry the installation. | -| **DamagedMedia** | The update file or the hard drive is damaged. | Run **Chkdsk /F** on the device with administrator privileges, then retry the update. | -| **DeploymentConflict** | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | Remove the device from any deployments that shouldn't apply. | -| **DeviceRegistrationInvalidAzureADDeviceId**|The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | Check that the device is joined to the Microsoft Entra tenant making the request. | -| **DeviceRegistrationInvalidGlobalDeviceId** | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. | The Microsoft Account Sign-In Assistant (MSA) Service might be disabled, preventing Global Device ID assignment. Check that the MSA Service is running or able to run on the device. | -| **DeviceRegistrationIssue** | The device isn't able to register or authenticate properly with Windows Update. | Check that the device registration information is correct and the device can connect. | -| **DeviceRegistrationNoTrustType** | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. 
| Check that the device is joined in Microsoft Entra ID using your account. If the issue persists, the device might need to be unenrolled from Intune first. | -| **DiskFull** | The installation couldn't complete because the Windows partition is full. | Free up disk space on the Windows partition. Retry the installation. | -| **DownloadCancelled** | Windows Update couldn't download the update because the update server stopped the connection. | Make sure your network is working and retry the download. If it still fails, check your WSUS server or contact support. | -| **DownloadConnectionIssue**| Windows Update couldn't connect to the update server and the update couldn't download. | Make sure your network is working and retry the download. If it still fails, contact support. | -| **DownloadCredentialsIssue**| Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | Retry the download. If it fails again, review your network configuration to make sure that this computer can access the internet. If you need help, contact support. | -| **DownloadIssue** | There was an issue downloading the update. | Retry the installation. | -| **DownloadIssueServiceDisabled** | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | In the Services administration tool, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. If it won't start, check the event log for errors. | -| **DownloadTimeout** | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | Retry the download. If it doesn't succeed, make sure that the update service and payload servers are running normally and that there are no network connectivity issues. 
| -| **EndOfService** | Device is on a version of Windows that has passed its end of service date. | Update device to a version that is currently supported. | -| **EndOfServiceApproaching**| Device is on a version of Windows that is approaching its end of service date. | Update the device to a version that has a longer remaining servicing timeline. | -| **FailureResponseThreshold**| The failure response threshold setting was met for a deployment to which the device belongs. | Consider pausing the deployment and assessing for issues. | -| **FailureResponseThresholdPause** | A deployment to which the device belongs was paused because of its failure response threshold being met. | Review devices that encountered issues. | -| **FileNotFound** | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Download the update again, and then retry the installation. | -| **Incompatible** | The system doesn't meet the minimum requirements to install the update. | Review the *ScanResult.xml* file for **Block Type=Hard**. | -| **IncompatibleArchitecture**| This update is for a different CPU architecture. | Make sure the target operating system architecture matches the host operating system architecture. | -| **IncompatibleServicingChannel** | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | Configure the device's servicing channel to a retail (Generally Available) update channel. | -| **InstallAccessDenied** | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, antimalware, or a backup program is currently scanning. | Retry the installation. | -| **InstallCancelled** | The installation was canceled. | Retry the installation. | -| **InstallFileLocked** | Installer couldn't access a file that is already in use. 
The installer might have tried to replace a file that an antivirus, antimalware, or backup program is currently scanning. | Check the files under the *%SystemDrive%\$Windows.~bt* directory. Retry the installation. | -| **InstallIssue** | There was an issue installing the update. | Run **dism /online /cleanup-image /restorehealth** on the device with administrator privileges, then retry the update. If the commands fail, a reinstall of Windows might be required. | -| **InstallIssueRedirection**| A known folder that doesn't support redirection to another drive might have been redirected to another drive. | Report this issue to Microsoft if this error is encountered more than a once. | -| **InstallMissingInfo** | Windows Update doesn't have information it needs about the update to finish the installation. | Another update might have replaced the one you're trying to install. Check the update, and then try reinstalling it. | -| **InstallOutOfMemory** | The installation couldn't complete because Windows ran out of memory. | Restart Windows, then try the installation again. If it still fails, allocate more memory to the virtual machine, or increase the size of the virtual memory pagefiles. | -| **InstallSetupError** | Windows Setup encountered an error while installing. | Check that the BIOS and drivers are up to date. Retry the download. | -| **InstallSystemError** | A system occurred while installing. | Check that the BIOS and drivers are up to date. Retry the download. | -| **PolicyConflict** | There are client policies (MDM, GP) that conflict with Windows Update settings. | Check that the client policies configured on the device don't conflict with deployment settings. | -| **PolicyConflictDeferral** | The Deferral Policy configured on the device is preventing the update from installing. | Check that the client policies configured on the device don't conflict with deployment settings. 
| -| **PolicyConflictPause** | Updates are paused on the device, preventing the update from installing. | Check that the client policies configured on the device don't conflict with deployment settings. | -| **PostRestartIssue** | Windows Update couldn't determine the results of installing the update. The error is usually false and the update probably succeeded. | If the update you're trying to install isn't available, no action is required. If the update is still available, retry the installation. | -| **RollbackInitiated** | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | Run the [Setup Diagnostics Tool](/windows/deployment/upgrade/setupdiag) on the Device. Don't retry the installation until the impact is understood. | -| **SafeguardHold** | Update can't install because of a known [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds). | View the *Deployment Error Code* column of the report to see the ID of the safeguard hold. Open the Windows release health dashboard at [https://aka.ms/WindowsReleaseHealth](/windows/release-health/) to view information about the active holds, including known issues with the update. | -| **UnexpectedShutdown** | The installation was stopped because a Windows shutdown or restart was in progress. | Ensure the device remains on during Windows installation. | -| **VersionMismatch** | Device is on a version of Windows that wasn't intended by Windows Update. | Confirm whether the device is on the intended version. | -| **WindowsRepairRequired** | The current version of Windows needs to be repaired before it can be updated. | Run the Startup Repair Tool on this device. | -| **WUBusy** | Windows Update can't do this task because it's busy. | Restart Windows. Retry the installation. | -| **WUComponentMissing** | Windows Update might be missing a component or the update file might be damaged. 
| Run **dism /online /cleanup-image /restorehealth** on the device with administrator privileges, and then retry the update. If the commands fail, a reinstall of Windows might be required. | -| **WUDamaged** | Windows Update or the update file might be damaged. | Run **dism /online /cleanup-image /restorehealth** on the device with administrator privileges, and then retry the update. If the commands fail, a reinstall of Windows might be required. | -| **WUDecryptionIssue** | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | Retry the installation. | -| **WUDiskError** | Windows Update encountered an error while reading or writing to the system drive. | Run the Windows Update Troubleshooter on the device. Retry the installation. | -| **WUIssue** | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | Contact support. | - -## Reports for Windows Driver updates policy - -Intune offers integrated reports to view detailed status for Windows driver updates for devices assigned to Windows Driver update policies. To use these reports, you must first configure the prerequisites and policies that support data collection from devices. These reports are applicable to Windows 10 and Windows 11. - -The data in the Intune reports for Windows Driver update policies is used only for these reports and doesn't appear in other Intune reports. 
The following reports are available: - -- [Windows Driver updates summary](#windows-driver-updates-summary) -- [Windows Driver updates report](#windows-driver-updates-report) -- [Windows Driver update failures](#windows-driver-update-failures) - -### Prerequisites for driver updates reports - -#### Devices and data collection - -To support reporting on all status and events for driver updates, you must configure the following data collection settings: - -- Enable [Windows diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) collection from devices at a level of [*Required*](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) or higher. -- At the Tenant level, set [Enable features that require Windows diagnostic data in processor configuration](../../intune-service/protect/data-enable-windows-data.md#windows-data) to **On**. This setting can be configured in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) at **Tenant administration** > **Connectors and tokens** > **Windows data**. - -#### User permissions to use reports - -To view these reports, users must be assigned an Intune role with the **Managed devices** > **View reports** permission. This permission is included in the following built-in roles: - -- Endpoint Security Manager -- Read Only Operator -- Help Desk Operator - -### Windows Driver updates summary - -On the Summary tab of the Windows Updates node of Reports, you can view summary details about device success or failure for installing updates from device update policies. To find this report, navigate to **Reports** > **Windows Updates** > **Summary** tab and scroll down until you find the **Windows Driver updates**. - -The following screen capture displays a summary of four policies, each assigned to a single device. 
- -:::image type="content" source="./images/reports/report-driver-updates-summary.png" alt-text="Screen capture of the Windows Driver Updates summary page." lightbox="./images/reports/report-driver-updates-summary.png"::: - -This report allows you to view the status of driver updates for each policy (*Profile* column). It displays the number of devices that are up-to-date (*Success*), failed (*Error*), paused (*Paused*), etc. for the driver updates in that policy. However, each device is only represented once in a single status column, based on the worst status across all of the updates that apply to that device. - -Intune ranks the following statuses in order of priority, from best (Success) to worst (NeedsReview): - -- **Success** – All applicable driver updates have installed successfully. -- **In progress** – At least one update remains in progress, and none have been paused, failed, or worse. -- **Paused** – At least one update has been paused, but none have failed to install, been cancelled, or are pending review. -- **Error** – At least one update failed to install, but none are cancelled or pending review. -- **Cancelled** – At least one update has been declined, but none are pending review. -- **NeedsReview** – One or more updates are new to the policy and pending review to approve or decline. - -For example: A policy might have three applicable driver updates for an assigned device. If one of the three fails to install on that device while the other two updates install successfully, the device is identified by adding one to the *Error* column. Once all three updates install successfully, the device is represented by adding one to the *Success* column and reducing the count of the *Error* column by one. - -This report doesn't support drilling in for more details about devices, driver updates, or policy details. 
- -### Windows Driver updates report - -The *Windows Driver Updates report* allows you to select a single driver update and view details about the policies in which it's applicable for a device. This report provides information about the driver from all your driver update policies, offering a different perspective than other reports, which only provide details specific to a single policy. - -To find this report, in the admin center go to **Reports** > **Windows updates** > **Reports** tab, and then select the **Windows Driver Update Report** tile. - -In the following screen capture, the report shows details for the driver update *Microsoft – APPLIANCES – 1.0.0.1*. - -:::image type="content" source="./images/reports/report-driver-updates-drivers.png" alt-text="Screen capture of the Windows 10 and later Driver updates report." lightbox="./images/reports/report-driver-updates-drivers.png"::: - -To change the focus of this report to a different driver: - -1. On the **Windows 10 and later Driver updates** view, select **Select a driver update** to open the **Driver updates** pane on the right. - -2. The *Driver updates* pane displays a list of updates that are approved and applicable for at least one device from across all your driver update policies. - -3. On the Driver updates pane, select a driver, and then **OK** to return to the Windows 10 and later Driver updates report view that now shows information for the driver you selected, and select **Generate again** to update the report. - -In the following screen capture, only four drivers remain applicable to devices with driver updates policy, and those four updates are different versions of the same driver update. - -:::image type="content" source="./images/reports/report-driver-updates-pane.png" alt-text="Screen capture of Driver Updates pane of a driver updates policy." 
lightbox="./images/reports/report-driver-updates-pane.png"::: - -**Column details**: - -While most of the column details should be clear, the following warrant some explanation: - -- **Update State** – This column presents the most recent status of the selected driver update, as reported by each device to which it applies. Further details can be found in the *Update Substrate* column. - - - **Cancelled** – The update was paused in the policy that applies to this device. - - **Offering** – The update is approved, but the device hasn't yet installed it. - - **Installed** – The update installed successfully. - - **Needs attention** – There's an installation issue for the update on this device. - -- **Policy** – This column identifies the name of the policy in which the update was approved. - -- **Last Scan Time** – This column provides insight into when a device last checked for updates. This can help explain why approved updates haven't installed. For instance, if the last scan time is several weeks old, it may indicate that the device is either offline or unable to connect to scan for updates. - -**Data retention**: - -As devices across all your updates policies install the latest versions of a driver update, older driver update versions that are no longer needed by any device drops off the driver updates list. However, this isn't necessarily an immediate event. Reporting data for driver updates remains available until the end of a data retention period is reached. This period is six months since the last time an event for the update is received. - -- If the update is approved and all applicable devices have installed the update, then six months after the last device updates is status, the update is removed from reporting details. -- Similarly, if an update is paused and shows no activity for the retention period, that update is also dropped from reporting details after six months. 
After an updates data ages out, if a paused update that remains applicable to a device is reapproved, subsequent status for that update begins to appear in reports. Previous data that aged out of reports won't be restored or available. - -### Windows Driver update failures - -Windows driver updates include a report on driver update failures. To find this report, in the admin center go to **Devices** > **Monitor** > **Windows Driver update failures**. This report is part of the *Software updates* group and might require you to scroll down the admin center to locate it. - -:::image type="content" source="./images/reports/report-driver-updates-failures.png" alt-text="Screen capture of the Windows Driver update failure report." lightbox="./images/reports/report-driver-updates-failures.png"::: - -When you select the report, you can view a list of your update policies and see a count of devices in each policy that have at least one driver update error. In the previous screen capture, only one driver has such an error. - -By selecting that policy and entry, you can then view more information about the error, including: - -- Device Name -- Driver Name -- Driver Class -- Alert Message -- Deployment Error Code -- UPN -- Intune Device ID - -This view is a useful place to identify and start investigation of driver update installation failures. - -## Windows update distribution report - -The Windows update distribution report in Intune provide a summarized report to show the number of devices that are on each quality update level and the percentage coverage for each update across devices managed by Intune (including co-managed devices). - -The report provides a drill down for each quality update that aggregates devices based on windows 10/11 feature version and the update statuses. The admins can get the list of devices that aggregate to the numbers shown in the previous two reports, which they can export and use for troubleshooting and analysis. 
- -The report includes Intune managed and co-managed devices, and is based on the OS version updated at every device check-in. The report can slice the data based on device scope tags. - ->[!NOTE] -> The Windows update distribution report can be used if you are using Update Rings, or not using any update policies in Intune. - -The Windows update distribution report comprises three distinct organizational reports that function sequentially to provide insights on devices and their corresponding Windows update versions. To access this feature, navigate to **Reports** > **Windows Updates** > **Reports tab** > **Windows Update Distribution Report**. - -The Windows update distribution report includes three nested reports: - -- Windows quality update distribution report -- Windows quality update distribution per feature version report -- Windows quality update device version report - -### Windows quality update distribution report - -The report displays the distribution of devices against different Quality Updates (QUs) for the selected scope. It shows the counts of devices corresponding to the displayed QUs. - -Select one or more scope tags from the drop-down list to generate the report. The drop-down list shows all the scope tags the user has access to, based on the user's assigned scope tags. - -:::image type="content" source="./images/reports/windows-quality-updates-page1.png" alt-text="Screen capture of the Windows quality update distribution report." lightbox="./images/reports/windows-quality-updates-page1.png"::: - -The report shows the number of devices under each QU level corresponding to the current month and the last 3 months from the day of reporting. The top rows typically represent the last three months, followed by other device data distributions. - -**Column details**: - -- **Update**: Monthly quality update version. The update format corresponds to YYYY-MM-UpdateType. For example, 2024-02-B. 
- - **Older releases**: All windows devices running valid feature version (non-preview/insider) and running older than 3 months of quality update level are combined into a single entity shown as *Older releases*. - - **Windows insider or other releases**: All those devices whose OS version does not align with the Windows 10/11 generally available feature release version and not on documented QU level, are combined under *Windows insider or other releases*. - -- **Update Type**: Monthly quality update type. For more information, go to [Windows monthly update explained](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-monthly-updates-explained/ba-p/3773544) - - B: Security Updates (released on patch Tuesday) - - D: Non-Security Updates (released on 4th week of month) - - OOB: Out of band updates - -- **Release Date**: Release date of the monthly quality update. - -- **Devices on this update**: Number of devices where the target quality update is installed. - -- **% of all devices**: Number of devices running a particular quality update represented in percentage of total managed devices in Intune. - -All QUs from this page are hyperlinked. When you select one of the current or last 3 months quality update (B, D or OOB), the [Windows quality update distribution per feature version](#windows-quality-update-distribution-per-feature-version) report is displayed. - -When you select **Older releases**, the [Windows quality update device version](#windows-quality-update-device-version) report is displayed with a list of devices that are on an older quality update level excluding insider builds and unknown builds. 
- -When you select **Windows insider or other releases**, the [Windows quality update device version](#windows-quality-update-device-version) report is displayed with a list of devices whose feature version is insider release, or the quality update of the device cannot be mapped to documented quality update version in Windows 10/11 release information. - -### Windows quality update distribution per feature version - -The report provides the distribution of devices against Windows feature releases. The distribution of devices that are eligible to receive the selected quality update shown based on the Windows 10/11 feature versions that are generally available. The report aids IT administrators in making informed decisions for devices and managing devices that need attention. - -:::image type="content" source="./images/reports/windows-quality-updates-page2.png" alt-text="Screen capture of the Windows quality update distribution per feature version." lightbox="./images/reports/windows-quality-updates-page2.png"::: - -The stacked chart displays the counts of devices that are up to date, those that need updates, and those for which the chosen quality update does not apply. Together, these counts make up the total Windows devices that Intune manages, including co-managed devices. - -The table lists each supported feature version that the selected quality update affects. - -Select **Columns** at the top of the table to toggle the visibility of columns, including the **Devices on this update** column, which is hidden by default. You can sort the data by the **Windows version** and **Build number** columns. - -**Column details**: - -- **Windows version**: Shows the Windows feature version. - -- **Total devices**: Total managed devices corresponding to the Windows feature version. - -- **Build Number**: Build number of the windows feature version. 
Devices running supported Windows 10/11 feature versions that the selected quality update does not cover are marked as **Not applicable**. Devices running unsupported Windows 10/11 feature versions, insider versions, or those with an unknown OS version, are grouped under one line item and marked as **Not applicable**. - -- **Devices on this update or later**: Number of devices where the target quality update or later is installed. - -- **Devices on this update**: Number of devices where the target quality update is installed. - -- **Devices need update**: Number of devices that are applicable for the update but do not currently have it installed. -KB article: External link to target quality update's KB Article for the corresponding Windows feature version. - -When you select any device count, the [Windows quality update device version report](#windows-quality-update-device-version) is displayed. - -### Windows quality update device version - -The report presents a list of devices based on the selections from the previous 2 reports. The criteria that you selected in the previous reports are displayed at the top of the page. -The report offers sortable columns and search options, along with an export feature allowing high volume data to be downloaded in CSV format. - -:::image type="content" source="./images/reports/windows-quality-updates-page3.png" alt-text="Screen capture of the Windows quality update device version." lightbox="./images/reports/windows-quality-updates-page3.png"::: - -**Column details**: - -- **Device Name**: The name of the device. - -- **Intune Device Id**: Intune device identifier. - -- **Entra Device Id**: Microsoft Entra identifier for device. - -- **Primary UPN**: Intune user identifier (email). - -- **OS version**: Operating System (OS) version build number. 
The OS version corresponds to the Windows 10/11 Feature Version (For example, Windows 10 22H2, Windows 11 22H1) and the Quality Update level (For example, 2022-08 B, 2023-02 OOB, 2023-02 C). - -- **Windows feature version**: Windows feature version. - -- **Windows quality version**: Windows quality update. - -- **Managed by**: Management agent. - -- **Last check-in**: Device last check-in date time - -The search bar enables the search for a specific device or UPN. Select a device from the list to view the device's details. - -All these reports are cached, and have an expiry time of three days, after which you must generate a new report. Select **Generate Again** to get fresh data. - -## Use Windows Update for Business reports - -You can monitor Windows update rollouts by using [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview). Windows Update for Business reports is offered through the Azure portal and is included as part of Windows 10/11 licenses listed in the [prerequisites](/windows/deployment/update/wufb-reports-prerequisites). Azure Log Analytics ingestion and retention charges aren't incurred on your Azure subscription for Windows Update for Business reports data. - -To use this solution, you'll: - -- Use an Intune device configuration profile to deploy the [settings](/windows/deployment/update/wufb-reports-configuration-intune) to your Windows 10/11 devices. - -- Optionally, deploy a configuration script as a Win32 app to those same devices to validate their configuration for Windows Update for Business reports. - -- Use Windows Update for Business reports to [Monitor Windows updates](/windows/deployment/update/wufb-reports-workbook). - -For guidance on this solution, see [Configuring Microsoft Intune devices for Windows Update For Business reports](/windows/deployment/update/wufb-reports-configuration-intune) in the Windows Update For Business reports documentation. 
-
-## Next steps
-
-[Manage software updates in Intune](configure.md)
diff --git a/intune/device-updates/windows/rollout-options.md b/intune/device-updates/windows/rollout-options.md
index 13f069a2532..b858909d5cd 100644
--- a/intune/device-updates/windows/rollout-options.md
+++ b/intune/device-updates/windows/rollout-options.md
@@ -1,91 +1,93 @@ --- -title: Configure schedules to gradually roll out Windows Updates in Intune -description: Configure schedules that manage how and when Windows updates roll out to your managed devices with Microsoft Intune. -ms.date: 04/07/2025 +title: Configure Rollout Options for Feature Update Policies +description: Configure rollout options in feature update policies to control when Windows feature updates become available to devices and deploy updates gradually. +ms.date: 01/14/2026 ms.topic: how-to ms.reviewer: davguy; bryanke -#ms.custom: -ms.collection: -- M365-identity-device-management -- sub-updates --- -# Rollout options for Windows Updates in Microsoft Intune +# Configure rollout options for feature update policies -Use rollout options in Microsoft Intune policies for *Feature updates for Windows 10 and later*. With rollout options, you configure schedule options for Windows Update that result in the gradual rollout of updates to devices that receive your policies. +Use rollout options with feature update policies to control when a Windows feature update becomes available to devices. Rollout options help you manage update availability by making an update available immediately, on a specific date, or gradually across groups of devices. -> [!TIP] -> The default behavior for Windows Update is to make an update available to an assigned device right away. However, the update doesn't install right away. Instead, when an update is made available, the device becomes eligible to install it. Before a device can install an available update, the device must connect to Windows Update and scan for updates. When the need for an update is confirmed and the device is eligible, the Windows Update service then offers the update to that device. After a device completes the update, it's then dependent on user behavior and other settings like Deadline. +When an update becomes available, devices are eligible to install it the next time they scan Windows Update. 
The actual installation timing is still influenced by user behavior and settings such as deadlines and restart controls. -You configure rollout options when creating [Feature Updates policy](feature-updates.md) by selecting one of the following options: +You configure rollout options when creating or editing a feature update policy by selecting one of the following availability behaviors. -- **Make update available as soon as possible** - With this option, there's no delay in making the update available to devices. This selection is the default behavior for Windows Update. - -- **Make update available on a specific date** - With this option you can select a day on which the update in the policy is initially available to install. Windows Update doesn't make the update available to devices with this configuration until that day is reached. +- **Make update available as soon as possible**: Makes the update available to targeted devices without delay. This option reflects the default Windows Update behavior. +- **Make update available on a specific date**: Delays update availability until the date you specify. Devices don't receive the update offer until that date is reached. +- **Make update available gradually**: Distributes the update offer to targeted devices over time, using offer groups. This option helps reduce network impact and allows early detection of issues. ## Make updates available gradually -With the option **Make update available gradually**, you can direct Windows Update to extend an update offer to different subsets of the devices that the policy targets, at different times. We refer to those subsets as *offer groups*. This behavior distributes the availability of the update across the time you've configured, which can reduce the effect to your network as compared to offering the update to all devices at the same time. - -To configure this option, you set the following values. 
Windows Update uses these values to determine how many offer groups to use based on the number of devices that the policy targets, when to offer the update to the first group, and how long to wait until the update is made available to the next offer group: +The **Make update available gradually** option lets you stage a feature update by making it available to subsets of targeted devices at different times. These subsets are called *offer groups*. Staggering availability across offer groups helps reduce deployment risk and limits the impact on network and support resources compared to offering the update to all devices at once. +When you select this option, you define the rollout schedule. Windows Update uses these settings to determine how many offer groups are created, when the update is first offered, and how availability progresses across devices. -- **First group availability** : Configure the first day that Windows Update offers the update to devices that receive this policy. +### Rollout schedule settings - This date must be at least two days in the future from when you configure this policy. The delay enables Windows Update time to identify the devices that the policy targets, how many offer groups to use, and to assign devices to those offer groups. If you select a date less than two days in the future, Intune prompts you to reenter the date and shows the first valid date you can use. +- **First group availability**: Specifies the date when the update is first offered to devices targeted by the policy.\ + This date must be at least two days in the future. The lead time allows Windows Update to identify targeted devices, calculate the number of offer groups, and assign devices to those groups. If you select a date that's too soon, Intune prompts you to choose the earliest valid date. +- **Final group availability**: Specifies the date when the update is offered to the final offer group. 
This group includes any devices that haven't already received the update offer.\ + Depending on the number of days between groups, the final offer might occur earlier than this date. Devices assigned to the policy after the final group availability date receive the update offer immediately. +- **Days between groups**: Defines the interval between update offers and determines how many offer groups are created. -- **Final group availability** : Configure the last day that Windows Update makes the update available, which is to the final offer group. The last offer group includes all remaining devices that haven't already received the offer. Depending on the number of days between groups, the last offer might not occur on the last day of the schedule. Devices that are assigned this policy after the *final group availability* date receive the offer immediately. +Example: If the first group availability is January 1, the final group availability is January 10, and the interval is three days, Windows Update creates four offer groups. The update is offered on January 1, January 4, January 7, and January 10, with approximately the same number of devices in each group. Devices become eligible for the update only when their group receives the offer. -- **Days between groups** : Windows Update uses this value to determine how many offer groups to use when making the update available to devices. +### Offer group behavior - For example, you set the first group availability to be January 1, and the final group of availability to be January 10. Then you set three days between groups. The results are that Windows Update creates four groups to use for making the update available. Windows Update then makes the update available to devices in the first group on January 1, available to devices in the next group on January 4, and so on. The update is offered to devices in the last group on the 10th. 
In this example, each group gets a quarter of the devices, and devices can only get the update after their group becomes eligible. +Devices are assigned to offer groups randomly, with groups kept evenly sized and a minimum of 100 devices per group. -The following behaviors apply to the management of offer groups: +If you modify rollout dates or the interval between groups: -- Windows Update assigns targeted devices to groups randomly, keeping groups evenly sized, with a minimum unit of 100 devices per group. +- Windows Update recalculates offer groups as needed. +- Devices that haven't yet received an offer can be reassigned, which may change when they receive the update. +- If the final group availability date is set in the past, all remaining devices receive the update offer as soon as possible. +- If the first group availability date is moved to the future, devices that already received the offer keep it, while new devices wait until the revised start date. -- If you edit a policy to change the date for the first or final group availability, or change the number of days between groups for the policy: - - Windows Update recalculates the number of groups to use, if necessary. - - For devices that aren't offered the update, Windows Update adjusts group membership. This adjustment can change when a device is offered the update. - - If the date of the *final group availability* is changed to be in the past, all remaining devices are offered the update as soon as possible. - - If you change the date of the *first group availability* to the future, devices that were offered the update keep that offer, and new devices don't get an offer until the new start date. +If the policy assignment changes: -- If the policy assignment changes to add or remove devices from receiving the policy: - - New devices are distributed to the remaining offer groups. 
- - Windows Update attempts to retract the update offer for devices that are no longer targeted by the policy but were offered the update. However, the offer can't be retracted if the device has started processing that offer. +- Newly added devices are placed into the remaining offer groups. +- Windows Update attempts to retract the update offer from devices that are no longer targeted, unless the device has already begun processing the update. ## Intelligent rollouts -To enhance your use of gradual rollouts, you can configure *Intelligent rollouts*. - -With intelligent rollouts, Windows Autopatch uses data that it collects from devices to optimize the device members in the offer groups of your gradual rollout deployments. The first offer group includes the fewest number of devices that have the largest pool of variations in your environment. You can think of this first offer group as a *pilot ring* for the deployment. +To further optimize gradual deployments, you can use *intelligent rollouts*. -To enable intelligent rollout, you deploy a [settings catalog](../../intune-service/configuration/settings-catalog.md) profile for device configuration to *Allow Windows Update for Business Cloud Processing*. Then, you assign the profile to the same groups that you use with your Feature update profiles. You only need to deploy this profile to a device a single time. The change then applies to all future deployments for that device. +With intelligent rollouts, Windows Autopatch uses data collected from devices to optimize how devices are assigned to offer groups. Instead of assigning devices randomly, Autopatch prioritizes diversity in the first offer group by selecting a small set of devices that represent a broad range of hardware, drivers, and configurations. This first group effectively acts as a *pilot ring* for the deployment. 
-### Likely issue safeguard holds +To enable Intelligent rollouts, deploy a settings catalog device configuration profile and set **Allow Windows Update for Business Cloud Processing**. Assign this profile to the same groups used by your feature update policies. -The Windows Update client policies that you enable, *Allow WUfB Cloud Processing*, is the same setting that enables Autopatch to create a *likely issue* safeguard hold for a device. To learn more, see [Safeguard holds](/windows/deployment/update/wufb-reports-workbook) in the documentation for Windows Update for Business reports. +You only need to deploy this profile once per device. After it's enabled, Intelligent rollouts apply automatically to all future gradual rollouts for that device. -As your rollout progresses, Autopatch monitors for unexpected issues. The service uses insights from the Windows ecosystem to create *likely issue* safeguard holds to proactively pause deployments to devices that are likely to encounter an issue. By applying safeguard holds to devices that are likely to have issues with the update, devices and end users are protected from potential productivity affecting issues. +## Enable intelligent rollouts -To learn more, see [Manage safeguards using Windows Autopatch](/graph/windowsupdates-manage-safeguards) in the Graph API documentation for device updates. +Here are the steps to enable intelligent rollouts for gradual feature update deployments. -### Enable intelligent rollouts +1. [Create a Settings catalog policy](/intune/intune-service/configuration/settings-catalog) for the Windows platform and use the following setting: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + | Category | Setting name | Value | + |--|--|--| + | **System** | Allow WUfB Cloud Processing| Enabled| -2. Go to **Devices** > **Manage devices** > **Configuration** > **Create**. +1. 
Assign the policy to a group that contains as members the devices that you want to configure. -3. For Platform, select **Windows 10 and later** and then for Profile type, select **Settings catalog**. +After the profile deploys, devices that use gradual rollouts for feature update policies will also have intelligent optimization applied. -4. On the **Configuration settings** page, select **Add settings**, and then on the *Settings picker* page, search for **Allow WUfB Cloud Processing**. This setting is in the *System* category. Select the checkbox for this setting and then close the *Settings picker* window to return to the *Configuration settings* page. +## Likely issue safeguard holds -5. Set *Allow WUfB Cloud Processing* to **Enabled**. +The **Allow Windows Update for Business Cloud Processing** setting also enables Autopatch to apply *likely issue* safeguard holds. For background information, see [Safeguard holds](/windows/deployment/update/wufb-reports-workbook). -6. On the **Assignments** page, assign the profile to the same groups you use for your Feature update profiles, and then complete and *Create* this settings catalog profile, to deploy it. +As a rollout progresses, Autopatch monitors for unexpected issues using signals from the broader Windows ecosystem. When a device is likely to encounter an issue with the update, Autopatch can apply a likely issue safeguard hold to pause the update for that device. -After the profile deploys, devices that use gradual rollouts for Feature update profiles will also have intelligent optimization applied. +By proactively applying safeguard holds, Autopatch helps protect devices and end users from potential productivity‑impacting issues during feature update deployments. +To learn more about managing safeguards programmatically, see Manage safeguards using Windows Autopatch in the Graph API documentation. 
## Next steps
-Configure [Feature Updates policy](feature-updates.md)
+- Configure [Feature Update policies](feature-updates.md)
+
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
\ No newline at end of file
diff --git a/intune/device-updates/windows/settings.md b/intune/device-updates/windows/settings.md
deleted file mode 100644
index e743ac10eee..00000000000
--- a/intune/device-updates/windows/settings.md
+++ /dev/null
@@ -1,222 +0,0 @@ ---- -title: Windows Update settings you can manage with Intune Update Ring policies for Windows devices. -description: View the settings for Windows Update that you can manage through Intune policy for Update rings. -ms.date: 07/15/2024 -ms.topic: reference -ms.reviewer: davguy; bryanke -#ms.custom: -ms.collection: -- M365-identity-device-management -- sub-updates ---- - - -# Settings for Windows Update that you can manage through Intune policy for Update rings - -When you use Intune policies for *Update rings*, you're configuring the Windows settings that manage how and when devices will install Windows updates. If a Windows update setting has a Windows version dependency, the version dependency is noted in the settings details. - -Following are the Windows Update settings for Windows Updates that you can [manage with update rings](update-rings.md) with Microsoft Intune. - -## Update settings - -Update settings control what bits a device will download, and when. For more information about the behavior of each setting, see the Windows reference documentation. - -- **Microsoft product updates** - **Default**: Allow - Windows Update CSP: [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#allowmuupdateservice) - - - **Allow** - Select *Allow* to scan for app updates from Microsoft Update. - - **Block** - Select Block to prevent scanning for app updates. - -- **Windows drivers** - **Default**: Allow - Windows Update CSP: [Update/ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) - - - **Allow** - Select *Allow* include Windows Update drivers during updates. - - **Block** - Select Block to prevent scanning for drivers. 
- -- **Quality update deferral period (days)** - **Default**: 0 - Windows Update CSP: [Update/DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferqualityupdatesperiodindays) - - Specify the number of days from 0 to 30 for which Quality Updates are deferred. This period is in addition to any deferral period that is part of the service channel you select. The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. See [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines) - - Quality Updates are typically fixes and improvements to existing Windows functionality. - -- **Feature update deferral period (days)** - **Default**: 0 - Windows Update CSP: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferfeatureupdatesperiodindays) - - Specify the number of days for which Feature Updates are deferred. This period is in addition to any deferral period that is part of the service channel you select. The deferral period begins when Microsoft releases the update. - - Supported deferral period: - - - *Windows version 1709 and later* - 0 to 365 days - - Feature Updates are typically new features for Windows. - -- **Upgrade Windows 10 devices to Latest Windows 11 release** - **Default**: No - - When set to *Yes*, eligible Windows 10 devices will upgrade to the most current Windows 11 release. For more information on eligibility, see [Windows 11 Specs and System Requirements | Microsoft](https://www.microsoft.com/windows/windows-11-specifications). - -- **Set feature update uninstall period (2 – 60 days)** - **Default**: 10 - Windows Update CSP: [Update/ConfigureFeatureUpdateUninstallPeriod](/windows/client-management/mdm/policy-csp-update#configurefeatureupdateuninstallperiod) - - Configure a time after which feature updates can't be uninstalled. 
- - After this period expires, the previous update bits are removed from the device, and it can no longer uninstall to a previous update version. - - For example, consider an update ring with a feature update uninstall period of 20 days. After 25 days, you decide to roll back the latest feature update and use the Uninstall option. Devices that installed the feature update over 20 days ago can't uninstall it as they've removed the necessary bits as part of their maintenance. However, devices that only installed the feature update up to 19 days ago can uninstall the update if they successfully check in to receive the uninstall command before exceeding the 20-day uninstall period. - -- **Enable pre-release builds** - **Default**: Not Configured - - When configuring *Update ring settings*, you can choose to enable **Enable pre-release builds**. Devices that receive this setting as *Enabled* will move to the pre-release build you specify, and will also reboot. When enabled, specify one of the following prerelease builds: - - **Windows Insider - Release Preview** (*default*) - - **Beta Channel** - - **Dev Chanel** - - For information about pre-release builds, see [Windows Insider](https://insider.windows.com/understand-flighting). - -## User experience settings - -User experience settings control the end-user experience for device restart and reminders. For more information about the behavior of each setting, see the Windows Update CSP documentation. - -- **Automatic update behavior** - **Default**: Auto install at maintenance time - Windows Update CSP: [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) - - Choose how automatic updates are installed and, if necessary, when to restart the device. - - Supported options: - - - **Notify download** - Notify the user before downloading the update. Users choose to download and install updates. 
- - > [!IMPORTANT] - > If the user takes no action, the update will not install until the deadline you have configured is reached. - - - **Auto install at maintenance time** - Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, users are prompted to restart for up to seven days, and then restart is forced. - - This option can restart a device automatically after the update installs. Use the **Active hours** settings to define a period during which the automatic restarts are blocked: - - - **Active hours start** - Specify a start time for suppressing restarts due to update installations. - **Default**: 8 AM - Windows Update CSP: [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart) - - - **Active hours end** - Specify an end time for suppressing reboots due to update installations. - **Default**: 5 PM - Windows Update CSP: [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) - - - **Auto install and restart at maintenance time** - Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, the device restarts when not being used, which is the default for unmanaged devices. - - This option can restart a device automatically after the update installs. Use of the **Active hours** settings aren't described in Windows Update settings but are used by Intune to define a period during which the automatic restarts are blocked: - - - **Active hours start** - Specify a start time for suppressing restarts due to update installations. - **Default**: 8 AM - Windows Update CSP: [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart) - - - **Active hours end** - Specify an end time for suppressing reboots due to update installations. 
- **Default**: 5 PM - Windows Update CSP: [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) - - - **Auto install and restart at a scheduled time** - Specify an installation day and time. If unspecified, installation runs at 3 AM daily, followed by a 15-minute countdown to a restart. Logged on users can delay countdown and restart. - Windows Update CSP: [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) - - When set to *Auto install and restart at a scheduled time*, you can configure the following settings: - - - **Automatic behavior frequency** - Use this setting to schedule when updates are installed, including the week, the day, and the time. - **Default**: Every week - - - **Scheduled install day** - Specify on which day of the week you want updates to install. - **Default**: Any Day - - - **Scheduled install time** - Specify the time of day when you want updates to install. - **Default**: 3 AM - - > [!IMPORTANT] - > The device might not complete the installation at the specified time because of power policies, user absence, and so on. In this case, it will not attempt installation until the specified time occurs again or until a deadline you have specified is reached. - - - **Auto install and reboot without end-user control** - Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, the device restarts when not being used. This option sets the end-users control pane to read-only. - - - **Reset to default** - Restore the original auto update settings. When you *reset to default*, Windows will automatically determine active hours for the device. Using the active hours, Windows then schedules the best time to install updates and restart the system after updates install. 
- -- **Restart checks (EDU Restart)** - - > [!NOTE] - > In policies where this value is currently set to *Skip*, the value will remain in place until that value is changed to *Allow* and saved. However, When creating new policies, it will not be available, and you can use [Settings catalog](../../intune-service/configuration/settings-catalog.md) to set this value if required. - - **Default**: Allow - - Windows Update CSP: [Update/SetEDURestart](/windows/client-management/mdm/policy-csp-update#setedurestart) - - - **Allow** - Perform restart checks: Battery level = 40%, User presence, Display Needed, Presentation mode, Full screen mode, phone call state, game mode etc. - - **Skip** - Will restrict updates to download and install outside of Active Hours. Updates will be allowed to start even if there is a signed-in user or the device is on battery power, providing there is more than 70% battery capacity. Windows will schedule the device to wake from sleep 1 hour after the [Active Hours End](/windows/client-management/mdm/policy-csp-update#activehoursend) time with a 60-minute random delay. Devices will reboot immediately after the updates are installed. If there are still pending updates, the device will continue to retry every hour for 4 hours. - - This option is designed for education devices that remain in carts overnight that are left in sleep mode. It is not designed for 1:1 devices. - -- **Option to pause Windows updates** - **Default**: Enable - Windows Update CSP: [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#setdisablepauseuxaccess) - - - **Enable** - Allow device users to pause the installation of an update for a certain number of days. - - **Disable** - Prevent device users from pausing the installation of an update. 
- -- **Option to check for Windows updates** - **Default**: Enable - Windows Update CSP: [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#setdisableuxwuaccess) - - - **Enable** - Allow device users to use Windows Update scan to find updates. - - **Disable** - Prevent device users from accessing the Windows Update scan. - -- **Change notification Update level** - **Default**: Use the default Windows Update notifications - Windows Update CSP: [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel) - - Specify what level of Windows Update notifications users see. This setting doesn't control how and when updates are downloaded and installed. - - Supported options: - - **Not configured** - - **Use the default Windows Update notifications** - - **Turn off all notifications, excluding restart warnings** - - **Turn off all notifications, including restart warnings** - -- **Use deadline settings** - **Default**: Not configured - - Allows configuration of deadline settings. - - - **Not configured** - - **Allow** - - For more details about how deadlines and grace periods work together see [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines). - - When set to *Allow*, you can configure the following settings for deadlines: - - - **Deadline for feature updates** - **Default**: *Not configured* - Windows Update CSP: [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates) - - Specifies the number of days a user has before feature updates are installed on their devices automatically (2-30). 
- - - **Deadline for quality updates** - **Default**: *Not configured* - Windows Update CSP: [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates) - - Specifies the number of days a user has before quality updates are installed on their devices automatically (2-30). - - - **Grace period** - **Default**: *Not configured* - Windows Update CSP: [Update/ConfigureDeadlineGracePeriod]( /windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod) - - Specifies a minimum number of days after deadline until restarts occur automatically (0-7). - - - **Auto reboot before deadline** - **Default**: Yes - Windows Update CSP: [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautoreboot) - - Specifies whether the device will attempt to automatically reboot outside of active hours before the deadline and grace period are expired. The recommended value is **Yes**, as it enables the system to reboot when the user isn't using the device. Setting this value to **No** forces the system to wait until the deadline and grace period are expired and then restarts the device and this could occur during active hours. - - - **Yes** - - **No** diff --git a/intune/device-updates/windows/software-update-agent-error-codes.md b/intune/device-updates/windows/software-update-agent-error-codes.md index 58d3bef6e78..969cd6ed354 100644 --- a/intune/device-updates/windows/software-update-agent-error-codes.md +++ b/intune/device-updates/windows/software-update-agent-error-codes.md 
@@ -1,13 +1,10 @@ --- -title: Software update errors and descriptions in Microsoft Intune -description: See a list of the Software Update agent error code in Microsoft Intune, including the error code, symbolic name, and error description. -ms.date: 05/29/2019 +title: Software Update Errors and Descriptions +description: Reference article with a list of the Software Update agent error code in Microsoft Intune, including the symbolic name and error description. +ms.date: 01/14/2026 ms.topic: reference ROBOTS: ms.reviewer: mghadial -ms.collection: -- M365-identity-device-management -- sub-updates --- # Software update agent error codes and descriptions in Microsoft Intune diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml index d5cc65b8dc7..fbcdfdb19a9 100644 --- a/intune/device-updates/windows/toc.yml +++ b/intune/device-updates/windows/toc.yml 
@@ -1,36 +1,65 @@ items: -- name: Use Windows Update client policies - href: configure.md +- name: Overview + href: index.md displayName: windows updates -- name: Update rings policy - href: update-rings.md - displayName: windows updates, rings -- name: Feature updates policy - href: feature-updates.md - displayName: windows feature updates -- name: Windows quality updates policy - href: quality-updates-policy.md - displayName: windows quality updates -- name: Expedite updates policy - href: expedite-updates.md - displayName: windows updates -- name: Windows driver updates +- name: Update ring policies items: - - name: Driver updates overview - href: driver-updates-overview.md - displayName: windows updates, drivers - - name: Driver updates policy - href: driver-updates-policy.md - displayName: windows updates, drivers -- name: Windows rollout options - href: rollout-options.md - displayName: windows updates -- name: Windows Update compatibility reports - href: compatibility-reports.md - displayName: windows updates, reports -- name: Windows Update reports - href: reports.md - displayName: windows updates, reports + - name: Get started + href: update-rings.md + displayName: windows updates, rings + - name: Policy settings + href: update-ring-policy-settings.md + displayName: windows updates, rings + - name: Reports + href: update-rings-reports.md + displayName: windows updates, rings +- name: Manage Windows feature updates + items: + - name: Get started + href: feature-updates.md + displayName: windows feature updates + - name: Configure feature update policies + href: feature-update-policy.md + displayName: windows quality updates + - name: Rollout options + href: rollout-options.md + displayName: windows updates + - name: Upgrade Windows 10 devices + href: feature-updates-windows-10.md + - name: Feature update policies reports + href: feature-updates-reports.md + displayName: windows feature updates + - name: Feature updates compatibility reports + href: 
compatibility-reports.md + displayName: windows updates, reports +- name: Manage Windows quality updates + items: + - name: Get started + href: quality-updates.md + displayName: windows quality updates + - name: Use hotpatch with quality updates + href: hotpatch.md + displayName: windows quality updates + - name: Expedite Windows quality updates + href: expedite-policy.md + displayName: windows quality updates + - name: Monitor and report on Windows quality updates + href: quality-updates-reports.md + displayName: windows quality updates +- name: Manage Windows driver updates + items: + - name: Get started + href: driver-updates.md + displayName: windows driver updates + - name: Configure driver update policies + href: driver-update-policy.md + displayName: windows driver updates + - name: Driver update policies reports + href: driver-updates-reports.md + displayName: windows updates + - name: Driver updates FAQs + href: driver-updates-faq.yml + displayName: windows driver updates - name: Delivery Optimization href: ../../intune-service/configuration/delivery-optimization-windows.md displayName: delivery optimization, windows updates \ No newline at end of file diff --git a/intune/device-updates/windows/update-ring-policy-settings.md b/intune/device-updates/windows/update-ring-policy-settings.md new file mode 100644 index 00000000000..734a8d55fff --- /dev/null +++ b/intune/device-updates/windows/update-ring-policy-settings.md 
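Review bot: The `displayName` keywords on some of the new entries do not match the page they are attached to. Under "Manage Windows feature updates", the `feature-update-policy.md` entry carries `displayName: windows quality updates`, which looks carried over from the removed "Windows quality updates policy" entry; I would change it to `displayName: windows feature updates`. In the same group the `feature-updates-windows-10.md` entry has no `displayName` at all, and under "Manage Windows driver updates" the `driver-updates-reports.md` entry uses `windows updates` where its three siblings use `windows driver updates`. Aligning these would keep keyword filtering of the table of contents consistent within each group.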
@@ -0,0 +1,220 @@ +--- +title: Update Rings Policy Settings +description: Reference article that lists all the settings for Windows Update rings. +ms.date: 01/12/2026 +ms.topic: reference +ms.reviewer: davguy; bryanke +--- + + +# Update rings policy settings + +Update rings policies in Microsoft Intune provide a set of configurable settings that control how Windows updates are delivered and installed on managed devices. These settings allow administrators to tailor the update experience to meet organizational needs, balancing update compliance with user productivity. + +The policy settings are divided into two main categories: **Update settings** and **User experience settings**. + +## Update settings + +Update settings control what bits a device will download, and when. + +:::row::: + :::column span="1"::: + **Microsoft product updates** + :::column-end::: + :::column span="3"::: + > - **Allow**: To scan for app updates from Microsoft Update. + > - **Block**: To prevent scanning for app updates. + > + > Configuration service provider (CSP) reference: [AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#allowmuupdateservice). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Windows drivers** + :::column-end::: + :::column span="3"::: + > - **Allow** - To include Windows Update drivers during updates. + > - **Block** - To prevent scanning for drivers. + > + > Configuration service provider (CSP) reference: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Quality update deferral period (days)** + :::column-end::: + :::column span="3"::: + > Specify the number of days from 0 to 30 for which quality updates are deferred. This period is in addition to any deferral period that is part of the service channel you select. 
+ > + > The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. See [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines). + > + >Configuration service provider (CSP) reference: [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferqualityupdatesperiodindays). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Feature update deferral period (days)** + :::column-end::: + :::column span="3"::: + > Specify the number of days from 0 to 365 for which feature updates are deferred. This period is in addition to any deferral period that is part of the service channel you select. The deferral period begins when Microsoft releases the update. + > + > Configuration service provider (CSP) reference: [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferfeatureupdatesperiodindays). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Upgrade Windows 10 devices to Latest Windows 11 release** + :::column-end::: + :::column span="3"::: + > When set to *Yes*, eligible Windows 10 devices will upgrade to the most current Windows 11 release. + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Set feature update uninstall period (2 - 60 days)** + :::column-end::: + :::column span="3"::: + > Configure a time after which feature updates can't be uninstalled. After this period expires, the previous update bits are removed from the device, and it can no longer uninstall to a previous update version. + > + >For example, consider an update ring with a feature update uninstall period of 20 days. After 25 days, you decide to roll back the latest feature update and use the *Uninstall* option. 
Devices that installed the feature update over 20 days ago can't uninstall it as they've removed the necessary bits as part of their maintenance. However, devices that only installed the feature update up to 19 days ago can uninstall the update if they successfully check in to receive the uninstall command before exceeding the 20-day uninstall period. + > + >Configuration service provider (CSP) reference: [ConfigureFeatureUpdateUninstallPeriod](/windows/client-management/mdm/policy-csp-update#configurefeatureupdateuninstallperiod). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Enable pre-release builds** + :::column-end::: + :::column span="3"::: + > When enabled, targeted devices will move to the pre-release build you specify. You must specify one of the following prerelease builds: + >- **Windows Insider - Release Preview** + >- **Beta Channel** + >- **Dev Chanel** + > + > For information about pre-release builds, see [Windows Insider](https://insider.windows.com/understand-flighting). + > + >Configuration service provider (CSP) reference: [BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#branchreadinesslevel). + :::column-end::: +:::row-end::: + +## User experience settings + +User experience settings control the end-user experience for device restart and reminders. + +:::row::: + :::column span="1"::: + **Automatic update behavior** + :::column-end::: + :::column span="3"::: + > Choose how automatic updates are installed and, if necessary, when to restart the device: + > + >- **Notify download**: Notify the user before downloading the update. Users choose to download and install updates. If the user takes no action, the update will not install until the deadline you have configured is reached. + >- **Auto install at maintenance time**: Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. 
When restart is required, users are prompted to restart for up to seven days, and then restart is forced. This option can restart a device automatically after the update installs. + > + > Use the **Active hours** settings to define a period during which the automatic restarts are blocked: + > - **Active hours start**: Specify a start time for suppressing restarts due to update installations. + > - **Active hours end**: Specify an end time for suppressing reboots due to update installations. + >- **Auto install and restart at maintenance time**: Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, the device restarts when not being used, which is the default for unmanaged devices.\ + > This option can restart a device automatically after the update installs. **Active hours** settings are used to define a period during which the automatic restarts are blocked: + > - **Active hours start** - Specify a start time for suppressing restarts due to update installations. + > - **Active hours end**: Specify an end time for suppressing reboots due to update installations. + > + >- **Auto install and restart at a scheduled time**: Specify an installation day and time. If unspecified, installation runs at 3 AM daily, followed by a 15-minute countdown to a restart. Logged on users can delay countdown and restart. When set to *Auto install and restart at a scheduled time*, you can configure the following settings: + > - **Automatic behavior frequency** - Use this setting to schedule when updates are installed, including the week, the day, and the time. + > - **Scheduled install day** - Specify on which day of the week you want updates to install. + > - **Scheduled install time** - Specify the time of day when you want updates to install. 
+ > + > >[!NOTE] + > >The device might not complete the installation at the specified time because of power policies, user absence, and so on. In this case, it will not attempt installation until the specified time occurs again or until a deadline you have specified is reached. + > + >- **Auto install and reboot without end-user control** - Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, the device restarts when not being used. This option sets the end-users control pane to read-only. + >- **Reset to default** - Restore the original auto update settings. When you *reset to default*, Windows will automatically determine active hours for the device. Using the active hours, Windows then schedules the best time to install updates and restart the system after updates install. + > + >Configuration service provider (CSP) reference: + > - [AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) + > - [ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart) + > - [ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Restart checks (EDU Restart)** + :::column-end::: + :::column span="3"::: + >- **Allow**: Perform restart checks: Battery level = 40%, User presence, Display Needed, Presentation mode, Full screen mode, phone call state, game mode etc. + >- **Skip**: Will restrict updates to download and install outside of Active Hours. Updates will be allowed to start even if there is a signed-in user or the device is on battery power, providing there is more than 70% battery capacity. Windows will schedule the device to wake from sleep 1 hour after the [Active Hours End](/windows/client-management/mdm/policy-csp-update#activehoursend) time with a 60-minute random delay. 
Devices will reboot immediately after the updates are installed. If there are still pending updates, the device will continue to retry every hour for 4 hours.

This option is designed for education devices that remain in carts overnight that are left in sleep mode. It is not designed for 1:1 devices. + >>[!NOTE] + >>In policies where this value is currently set to *Skip*, the value will remain in place until that value is changed to *Allow* and saved. However, When creating new policies, it will not be available, and you can use [Settings catalog](../../intune-service/configuration/settings-catalog.md) to set this value if required. + > + >Configuration service provider (CSP) reference: [SetEDURestart](/windows/client-management/mdm/policy-csp-update#setedurestart). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Option to pause Windows updates** + :::column-end::: + :::column span="3"::: + >- **Enable**: Allow device users to pause the installation of an update for a certain number of days. + >- **Disable**: Prevent device users from pausing the installation of an update. + > + >Configuration service provider (CSP) reference: [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#setdisablepauseuxaccess). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Option to check for Windows updates** + :::column-end::: + :::column span="3"::: + >- **Enable**: Allow device users to use Windows Update scan to find updates. + >- **Disable**: Prevent device users from accessing the Windows Update scan. + > + >Configuration service provider (CSP) reference: [SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#setdisableuxwuaccess). + :::column-end::: +:::row-end::: + +:::row::: + :::column span="1"::: + **Change notification Update level** + :::column-end::: + :::column span="3"::: + >Specify what level of Windows Update notifications users see. This setting doesn't control how and when updates are downloaded and installed.

Supported options: + >- **Not configured** + >- **Use the default Windows Update notifications** + >- **Turn off all notifications, excluding restart warnings** + >- **Turn off all notifications, including restart warnings** + > + >Configuration service provider (CSP) reference: [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel). +:::row-end::: + +:::row::: + :::column span="1"::: + **Use deadline settings** + :::column-end::: + :::column span="3"::: + >Enables the configuration of deadline settings: + >- **Not configured** + >- **Allow** + > + >When set to *Allow*, you can configure the following settings for deadlines: + >- **Deadline for feature updates**: Specifies the number of days a user has before feature updates are installed on their devices automatically (2-30). + >- **Deadline for quality updates**: Specifies the number of days a user has before quality updates are installed on their devices automatically (2-30). + >- **Grace period**: Specifies a minimum number of days after deadline until restarts occur automatically (0-7). + >- **Auto reboot before deadline**: Specifies whether the device will attempt to automatically reboot outside of active hours before the deadline and grace period are expired. The recommended value is **Yes**, as it enables the system to reboot when the user isn't using the device. Setting this value to **No** forces the system to wait until the deadline and grace period are expired and then restarts the device and this could occur during active hours. + > + >For more details about how deadlines and grace periods work together see [Enforcing compliance deadlines for updates](/windows/deployment/update/wufb-compliancedeadlines). 
+ > + >Configuration service provider (CSP) reference: + > - [ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates) + > - [ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates) + > - [ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod) + > - [ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautoreboot) +:::row-end::: diff --git a/intune/device-updates/windows/update-rings-reports.md b/intune/device-updates/windows/update-rings-reports.md new file mode 100644 index 00000000000..f2d43366701 --- /dev/null +++ b/intune/device-updates/windows/update-rings-reports.md 
@@ -0,0 +1,64 @@ +--- +title: Reports for Windows Update Ring Policies +description: Learn about the reports available for Windows update ring policies in Intune. Discover how to access and interpret these reports to monitor update deployments. +ms.date: 01/12/2026 +ms.topic: how-to +ms.reviewer: zadvor +--- + +# Reports for Windows update ring policies + +Intune offers integrated report views for the Windows update ring policies you deploy. These views display details about the update ring deployment and status. + +To access update ring policies reports: + +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows** +1. Under **Manage updates**, select **Windows updates** +1. Select the **Update rings** tab +1. Select an update ring policy: + + :::image type="content" source="./images/update-rings.png" alt-text="Screen capture of the default view for update ring policy." lightbox="./images/update-rings.png"::: + +On the policy page view: + +- **Device and user check-in status**: The default report view for this policy. This default view includes a high-level bar chart that displays a count of devices reporting four status values for this policy, and a color bar that visually represents the percentage of devices reporting each status by color. This view displays the following four status results for the policy: + - Succeeded + - Error + - Conflict + - Not applicable + +- **View report**: This button opens a more detailed report view for *Device and user check-in status*. The detailed report view includes a chart and color bar similar to that from the preceding high-level view, but reports one the additional status of **In progress**. 
+ + This view also includes device specific details that include: + - Device name + - Logged in user + - Check-in status + - Last report modification time + + :::image type="content" source="./images/reports/report-view-details.png" alt-text="Screen capture that shows details available from the View report action."::: + + From this report view, you can select a device to drill in to view the list of the settings in the policy, and the status of the selected device for each of those settings. Additional drill-in is available by selecting a setting to open the *Setting details*. The *Setting details* display the name of the setting, the devices status (State) for that setting, and a list of profiles that manage the setting and that are assigned to the device. This is useful to help identify the source of a settings conflict. + +- **Two additional report tiles**: You can select the tiles for the following reports to view additional details: + + - **Device assignment status**: This report shows all the devices that are targeted by the policy, including devices in a pending policy assignment state. + + For this report, you can select one or more status details you are interested in, and then select *Generate report* to update the view with only that information. In this following image, we have generated a report that displays only the devices that were successfully assigned this policy: + + :::image type="content" source="./images/reports/successful-assignment-view.png" alt-text="Image of the results of the Assignment status report."::: + + This report supports drilling in to view the list of settings, with subsequent drill-in as seen in for the full report view available from the *View report* button. + + - **Per setting status**: View the configuration status of each setting for this policy across all devices and users. This view present a simple view of each setting in the policy, and the count of assigned devices that have success, error, or conflict. 
This report view doesn't support drilling in for additional detail. + +## Windows Update for Business reports + +You can also monitor Windows update rollouts by using Windows Update for Business reports. Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. It's offered through the Azure portal, and it's included as part of the Windows licenses. + +To use this solution, you can use Intune to configure the required settings on your Windows devices. + +For more information, see [Windows Update for Business reports overview](/windows/deployment/update/wufb-reports-overview). + + + +[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431 \ No newline at end of file diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md index d313f2ac747..3f7d65aac3a 100644 --- a/intune/device-updates/windows/update-rings.md +++ b/intune/device-updates/windows/update-rings.md 
@@ -1,174 +1,162 @@ --- -title: Configure Windows Update rings policy in Intune -description: Create and manage Intune policy for Windows update rings. You can configure, deploy, and pause update installation with Windows Update client policies using Microsoft Intune. -ms.date: 04/18/2024 +title: Manage Windows Update Ring Policies +description: Learn about Windows Update ring policies for Windows devices, how to create and manage them, and improve update deployment. +ms.date: 01/12/2026 ms.topic: how-to ms.reviewer: davguy; davidmeb; bryanke -#ms.custom: -ms.collection: -- M365-identity-device-management -- sub-updates --- -# Windows Update rings policy in Intune +# Manage Windows Update ring policies -Create update rings that specify how and when Windows as a Service updates your Windows devices with [*feature* and *quality* updates](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates). With Windows, new feature and quality updates include the contents of all previous updates. As long as you've installed the latest update, you know your Windows devices are up to date. Unlike with previous versions of Windows, you now must install the entire update instead of part of an update. +Windows update rings define how and when Windows updates are installed on devices. They control client‑side update behavior such as deferral periods, restart settings, deadlines, active hours, and user notifications. Update rings apply broadly to Windows updates and are commonly used to create deployment stages—for example, test, pilot, and production—by assigning different settings to different device groups. -Update rings can also be used to upgrade your eligible Windows 10 devices to Windows 11. To do so, when creating a policy you use the setting named *Upgrade Windows 10 devices to Latest Windows 11 release* by configuring it as *Yes*. When you use update rings to upgrade to Windows 11, devices install the most current version of Windows 11. 
If you later set the upgrade setting back to *No*, devices that haven't started the upgrade won't start while devices that are in the process of upgrading will continue to do so. Devices that have completed the upgrade will remain with Windows 11. For more information on eligibility, see [Windows 11 Specs and System Requirements | Microsoft](https://www.microsoft.com/windows/windows-11-specifications). +In Microsoft Intune, update rings are configured through **update ring policies**, which provide a general policy surface for managing Windows Update behavior on devices. These policies use Windows Update client settings and can be used on their own or alongside other Windows update policies, such as feature updates, quality updates, and driver updates. -Windows update rings support [scope tags](../../intune-service/fundamentals/scope-tags.md). You can use scope tags with update rings to help you filter and manage sets of configurations that you use. +> [!NOTE] +> When devices are managed through Windows Autopatch, update rings may be created and maintained by the service to implement rollout cadence and restart behavior. In these scenarios, admins typically shouldn't assign custom update rings to Autopatch‑managed devices. Instead, update rings work in combination with service‑managed policies that control update targeting and sequencing. ## Prerequisites -The following prerequisites must be met to use Windows Update Rings for Windows devices in Intune. - -- Devices must have access to endpoints. To get a detailed list of endpoints required for the associated service listed here, see [Network endpoints](../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices). 
- - [Windows Update](/windows/privacy/manage-windows-1809-endpoints#windows-update) - - > [!NOTE] - > Although not required to configure Windows Update client policies, if the Microsoft Account Sign-In Assistant (wlidsvc) service is disabled, Windows Update doesn't offer feature updates. For more information, see [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). - -- Devices must be one of the following supported Windows editions: - - - Windows Pro - - Windows Enterprise - - Windows IoT Enterprise - - Windows Education - - Windows Team - for Surface Hub devices - - Windows Holographic for Business - Windows Holographic for Business supports a subset of settings for Windows updates, including: - - **Automatic update behavior** - - **Microsoft product updates** - - **Servicing channel**: Any update build that is generally available. - - For more information, see [Manage Windows Holographic](../../intune-service/fundamentals/windows-holographic-for-business.md). - - - Windows Enterprise LTSC and IoT Enterprise LTSC- LTSC is supported for Quality updates, but not for Feature updates. As a result, the following ring controls aren't supported for LTSC: - - [Pause](update-rings.md#pause) of *Feature* updates - - [Feature Update Deferral period (days)](settings.md#update-settings) - - [Set feature update uninstall period (2 - 60 days)](settings.md#update-settings) - - [Enable pre-release builds](settings.md#update-settings), which includes the following build options: - - Windows Insider – Release Preview - - Beta Channel - - Dev Channel - - [Use deadline settings](settings.md#user-experience-settings) for *Feature* updates. - -### Limitations for Workplace Joined devices - -Intune Update rings for Windows require the use of Windows Update client policies, which supports devices that are Workplace Joined (WPJ). 
However, the following Intune Windows Update policy types use Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview), which provides for additional capabilities that are not supported for WPJ devices. - -- Driver updates -- Feature updates -- Quality updates (also known as *Expedited* updates) - -For more information about WPJ limitations for Intune Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md). +[!INCLUDE [prerequisites-network](includes/prerequisites-network.md)] + +:::row::: +:::column span="1"::: +[!INCLUDE [platform](../../includes/requirements/licensing.md)] + +:::column-end::: +:::column span="3"::: +> - [Microsoft Intune Plan 1](../../intune-service/fundamentals/licenses.md) +:::column-end::: +:::row-end::: + +:::row::: +:::column span="1"::: +[!INCLUDE [platform](../../includes/requirements/platform.md)] + +:::column-end::: +:::column span="3"::: + +> Windows Update ring policies support the following Windows editions: +> - Pro +> - Pro Education +> - Enterprise +> - Education +> - Windows IoT Enterprise +> - Windows Team - for Surface Hub devices +> - Windows Holographic for Business - Supports a suset of settings for Windows updates, including: +> - **Automatic update behavior** +> - **Microsoft product updates** +> - **Servicing channel**: Any update build that is generally available. +> For more information, see [Manage Windows Holographic](../../intune-service/fundamentals/windows-holographic-for-business.md). +> +> Windows Enterprise LTSC and IoT Enterprise LTSC- LTSC is supported for Quality updates, but not for Feature updates. 
As a result, the following ring controls aren't supported for LTSC: +> - Pause of feature updates +> - Feature Update Deferral period +> - Set feature update uninstall period +> - Enable pre-release builds +> - Use deadline settings for feature updates +:::column-end::: +:::row-end::: + +:::row::: +:::column span="1"::: +[!INCLUDE [device-configuration](../../includes/requirements/device-configuration.md)] + +:::column-end::: +:::column span="3"::: +> The *Microsoft Account Sign-In Assistant* service (`wlidsvc`) must be enabled and running. +> +> If the Microsoft Account Sign-In Assistant service is disabled, Windows Update doesn't offer feature updates. For more information, see [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +:::column-end::: +:::row-end::: ## Create and assign update rings -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Select **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Update rings** tab > **Create profile**. - -3. Under *Basics*, specify a name, a description (optional), and then select **Next**. - ![Create an update ring](./images/update-rings/basics-tab.png) - -4. Under **Update ring settings**, configure settings for your business needs. For information about the available settings, see [Windows update settings](settings.md). After configuring *Update and User experience* settings, select **Next**. +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows updates** +1. Select the **Update rings** tab > **Create profile**. +1. Under *Basics*, specify a name, a description (optional), and then select **Next**. +1. 
Under **Update ring settings**, configure settings aligned with your organization's update deployment strategy + - For information about the available settings, see [Windows update settings](update-ring-policy-settings.md). + - After configuring *Update and User experience* settings, select **Next**. +1. Under **Scope tags**, select **+ Select scope tags** to open the *Select tags* pane if you want to apply them to the update ring. Choose one or more tags, and then click **Select** to add them to the update ring and return to the *Scope tag*s page. +1. Select **Next** to continue to *Assignments*. +1. Under **Assignments**, choose **+ Select groups to include** and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignment. Select **Next** to continue. -5. Under **Scope tags**, select **+ Select scope tags** to open the *Select tags* pane if you want to apply them to the update ring. Choose one or more tags, and then click **Select** to add them to the update ring and return to the *Scope tag*s page. + > [!TIP] + > Assign update rings to device groups. The use of device groups removes the need for a user to sign-on to a device before the policy can apply. - When ready, select **Next** to continue to *Assignments*. +1. Under **Review + create**, review the settings, and then select **Create** when ready to save your Windows update ring. Your new update ring is displayed in the list of update rings. - > [!NOTE] - > When configuring or editing Intune policies, some policy types might not display the Scope Tags configuration page if there are no custom defined scope tags for the tenant. - > If you don't see the Scope Tag option, ensure that at least one tag in addition to the default scope tag has been defined. +## Manage update rings -6. Under **Assignments**, choose **+ Select groups to include** and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignment. 
Select **Next** to continue. +1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows updates** +1. Select the **Update rings** tab and select the ring policy that you want to manage. Intune displays details similar to the following for the selected policy: - In most cases, we recommend deploying update rings to device groups. Use of device groups aligns to our guidance for deploying [feature updates](feature-updates.md) and removes the need for a user to sign-on to a device before the policy can apply. - -7. Under **Review + create**, review the settings, and then select **Create** when ready to save your Windows update ring. Your new update ring is displayed in the list of update rings. - -## Manage your Windows Update rings - -In the portal, navigate to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Update rings** tab and select the ring policy that you want to manage. Intune displays details similar to the following for the selected policy: - -:::image type="content" source="./images/update-rings/default-policy-view.png" alt-text="Screen capture of the default view for Update rings policy." lightbox="./images/update-rings/default-policy-view.png"::: + :::image type="content" source="./images/update-rings.png" alt-text="Screen capture of the default view for Update ring policy." lightbox="./images/update-rings.png"::: This view includes: -- **Policy actions**: Use the following options near the top of the policy view to manage the update ring policy: - -- [Delete](#delete) -- [Pause](#pause) -- [Resume](#resume) -- [Extend](#extend) -- [Uninstall](#uninstall) - -:::image type="content" source="./images/update-rings/overview-actions.png" alt-text="Available actions."::: - -This view also includes: - +- **Policy actions**: use the available actions to manage the selected update ring policy. 
For more information about each action, see the [Policy actions](#policy-actions) section. - **Essentials**: A list of details about the policy, including when it was created, last modified, and a count of groups that are assigned to the policy. - - **Device and user check-in status**: The default report view for this policy. In addition to this default view, the following report details and options are available: - **View report**: A button opens a more detailed report view for *Device and user check-in status*. - - **Two additional report tiles**: You can select the tiles for the following reports to view additional details: - **Device assignment status**: This report shows all the devices that are targeted by the policy, including devices in a pending policy assignment state. - **Per setting status**: View the configuration status of each setting for this policy across all devices and users. - For details about this report view, see [Reports for Update rings for Windows 10 and later policy](reports.md#reports-for-update-rings-for-windows-10-and-later-policy). + For details about this report view, see [Reports for update ring policies](update-rings-reports.md). - **Properties**: View details for each configuration page of the policy, including an option to **Edit** each area of the policy. ### Policy actions -#### Delete + +Select a tab to learn more about its purpose and available options. + +# [:::image type="icon" source="icons/delete.svg" border="false"::: **Delete**](#tab/delete) Select **Delete** to stop enforcing the settings of the selected Windows update ring. Deleting a ring removes its configuration from Intune so that Intune no longer applies and enforces those settings. Deleting a ring from Intune doesn't modify the settings on devices that were assigned the update ring. Instead, the device keeps its current settings. Devices don't maintain a historical record of what settings they held previously. 
Devices can also receive settings from other update rings that remain active. -##### To delete a ring +To delete a ring: 1. While viewing the overview page for an Update Ring, select **Delete**. -2. Select **OK**. - -#### Pause +1. Select **OK**. +# [:::image type="icon" source="icons/pause.svg" border="false"::: **Pause**](#tab/pause) Select **Pause** to prevent assigned devices from receiving feature or quality updates for up to 35 days from the time you pause the ring. After the maximum days have passed, pause functionality automatically expires and the device scans Windows Updates for applicable updates. Following this scan, you can pause the updates again. If you resume a paused update ring, and then pause that ring again, the pause period resets to 35 days. -##### To pause a ring +To pause a ring: 1. While viewing the overview page for an Update Ring, select **Pause**. -2. Select either **Feature** or **Quality** to pause that type of update, and then select **OK**. -3. After pausing one update type, you can select Pause again to pause the other update type. +1. Select either **Feature** or **Quality** to pause that type of update, and then select **OK**. +1. After pausing one update type, you can select Pause again to pause the other update type. When an update type is paused, the Overview pane for that ring displays how many days remain before that update type resumes. > [!IMPORTANT] > After you issue a pause command, devices receive this command the next time they check into the service. It's possible that before they check in, they might install a scheduled update. Additionally, if a targeted device is turned off when you issue the pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune. 
-#### Resume - +# [:::image type="icon" source="icons/resume.svg" border="false"::: **Resume**](#tab/resume) While an update ring is paused, you can select **Resume** to restore feature and quality updates for that ring to active operation. After you resume an update ring, you can pause that ring again. -##### To resume a ring +To resume a ring: 1. While viewing the overview page for a paused Update Ring, select **Resume**. -2. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**. -3. After resuming one update type, you can select Resume again to resume the other update type. - -#### Extend +1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**. +1. After resuming one update type, you can select Resume again to resume the other update type. +# [:::image type="icon" source="icons/extend.svg" border="false"::: **Extend**](#tab/extend) While an update ring is paused, you can select **Extend** to reset the pause period for both feature and quality updates for that update ring to 35 days. -##### To Extend the pause period for a ring +To Extend the pause period for a ring: 1. While viewing the overview page for a paused Update Ring, select **Extend**. -2. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**. -3. After extending the pause for one update type, you can select Extend again to extend the other update type. +1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**. +1. After extending the pause for one update type, you can select Extend again to extend the other update type. 
-#### Uninstall +# [:::image type="icon" source="icons/uninstall.svg" border="false"::: **Uninstall**](#tab/uninstall) An Intune administrator can use **Uninstall** to uninstall (roll back) the latest *feature* update or the latest *quality* update for an active or paused update ring. After uninstalling one type, you can then uninstall the other type. Intune doesn't support or manage the ability of users to uninstall updates. 
@@ -185,36 +173,30 @@ A device must have installed the latest update. Because updates are cumulative, Consider the following when you use Uninstall: - Uninstalling a feature or quality update is only available for the servicing channel the device is on. - - Using uninstall for feature or quality updates triggers a policy to restore the previous update on your Windows machines. - - After a quality update is successfully rolled back, device users continue to see the update listed in **Windows settings** > **Updates** > **Update History**. - - When you initiate an uninstall of feature or quality updates on an Update Ring, Intune also pauses updates of the same type on that Update Ring. - - Once the feature or quality update pause elapses on an Update Ring, devices will reinstall previously uninstalled feature or quality updates if they're still applicable. - - Uninstallation will not be successful when the feature update was applied using an Enablement Package. To learn more about Enablement Packages, see [KB5015684](https://support.microsoft.com/topic/kb5015684-featured-update-to-version-22h2-by-using-an-enablement-package-09d43632-f438-47b5-985e-d6fd704eee61). - - For feature updates specifically, the time you can uninstall the update is limited from 2-60 days. This period is configured by the update rings Update setting **Set feature update uninstall period (2 – 60 days)**. You can't roll back a feature update that's been installed on a device after the update has been installed for longer than the configured uninstall period. For example, consider an update ring with a feature update uninstall period of 20 days. After 25 days you decide to roll back the latest feature update and use the Uninstall option. Devices that installed the feature update over 20 days ago can't uninstall it as they've removed the necessary bits as part of their maintenance. 
However, devices that only installed the feature update up to 19 days ago can uninstall the update if they successfully check in to receive the uninstall command before exceeding the 20-day uninstall period. For more information about Windows Update policies, see [Update CSP](/windows/client-management/mdm/update-csp) in the Windows client management documentation. -##### To uninstall the latest Windows update +To uninstall the latest Windows update: 1. While viewing the overview page for a paused Update Ring, select **Uninstall**. -2. Select from the available options to uninstall either **Feature** or **Quality** updates, and then select **OK**. -3. After you trigger the uninstall for one update type, you can select Uninstall again to uninstall the remaining update type. +1. Select from the available options to uninstall either **Feature** or **Quality** updates, and then select **OK**. +1. After you trigger the uninstall for one update type, you can select Uninstall again to uninstall the remaining update type. +--- -## Validation and reporting +## Next steps -There are multiple options to get in-depth reporting for Windows 10/11 updates with Intune. To learn more about the reports for update rings, including details for the default view and the additional report tiles, see [Windows update reports](reports.md#reports-for-update-rings-for-windows-10-and-later-policy). 
+- [Windows feature update policies](feature-update-policy.md) +- [Windows feature updates reports](feature-updates-reports.md) +- [Windows update compatibility reports](compatibility-reports.md) -## Next steps + -- Use [Windows feature updates in Intune](feature-updates.md) -- Use [Windows update compatibility reports](compatibility-reports.md) -- Use [Windows update reports](reports.md) for Windows updates -- Also see [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) in the Windows deployment content for an alternative solution +[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431 \ No newline at end of file diff --git a/intune/docfx.json b/intune/docfx.json index 2dc65c461d0..157cdae5b6f 100644 --- a/intune/docfx.json +++ b/intune/docfx.json @@ -169,6 +169,8 @@ "solutions/**/*.yml": "mandia" }, "ms.collection": { + "intune-service/device-updates/**/*.md": ["M365-identity-device-management","sub-updates"], + "intune-service/device-updates/**/*.yml": ["M365-identity-device-management","sub-updates"], "intune-service/remote-actions/**/*.md": ["M365-identity-device-management"], "intune-service/remote-actions/**/*.yml": ["M365-identity-device-management"], "cloud-pki/**/*.md": ["M365-identity-device-management","certificates","IntuneSuite","sub-intune-suite"], diff --git a/intune/includes/requirements/tenant-configuration.md b/intune/includes/requirements/tenant-configuration.md new file mode 100644 index 00000000000..4843ea266a5 --- /dev/null +++ b/intune/includes/requirements/tenant-configuration.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms-topic: include +ms.date: 10/14/2025 +--- + +:::image type="icon" source="../../media/icons/16/tenant-administration.svg" border="false"::: **Tenant configuration requirements** \ No newline at end of file diff --git a/intune/index.yml b/intune/index.yml index 70120e60ba0..99d75e84572 100644 --- a/intune/index.yml +++ b/intune/index.yml 
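Review bot: The two `ms.collection` globs added in the `intune/docfx.json` hunk start with `intune-service/device-updates/`, but the update articles in this commit live under `intune/device-updates/…`. Relative to this docfx.json, the new keys therefore look like they match none of them. The neighbouring `cloud-pki/**/*.md` key suggests globs are resolved from the `intune/` folder, though the page does not show whether an `intune-service/device-updates` directory also exists. Because `update-rings.md` drops its own `ms.collection` front matter in the same commit, those pages would end up without the `M365-identity-device-management` and `sub-updates` tags. If that reading is right, the keys should be `"device-updates/**/*.md": ["M365-identity-device-management","sub-updates"],` and the matching `"device-updates/**/*.yml"` line.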
@@ -79,7 +79,7 @@ productDirectory: - title: Update Windows with Intune imageSrc: ./media/index/update-windows.svg links: - - url: ./device-updates/windows/configure.md + - url: ./device-updates/windows/index.md text: Read the documentation - url: https://regale.cloud/Microsoft/viewer/2905/prescriptive-guidance-intune-windows-update-policy/index.html#/0/0 text: View the interactive demo diff --git a/intune/intune-service/configuration/custom-settings-windows-holographic.md b/intune/intune-service/configuration/custom-settings-windows-holographic.md index 5be6b938b73..123c99b9d3e 100644 --- a/intune/intune-service/configuration/custom-settings-windows-holographic.md +++ b/intune/intune-service/configuration/custom-settings-windows-holographic.md @@ -82,7 +82,7 @@ The following settings are useful for devices running Windows Holographic for Bu > [!div class="mx-tableFixed"] > |OMA-URI|Data type| > |---|---| -> | `./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval` |This setting is available in RS5 (build 17763) and earlier. Starting with 19H1 (build 18362), use [Windows Update client policies](../../device-updates/windows/configure.md).

Integer
0 – Not configured. The device installs all applicable updates.
1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, like when testing is required prior to deployment.| +> | `./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval` |This setting is available in RS5 (build 17763) and earlier. Starting with 19H1 (build 18362), use [Windows Update client policies](../../device-updates/windows/index.md).

Integer
0 – Not configured. The device installs all applicable updates.
1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, like when testing is required prior to deployment.| ### [ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) @@ -96,7 +96,7 @@ The following settings are useful for devices running Windows Holographic for Bu > [!div class="mx-tableFixed"] > |OMA-URI|Data type| > |---|---| -> | `./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl` |This setting is available in RS5 (build 17763) and earlier. Starting with 19H1 (build 18362), use [Windows Update client policies](../../device-updates/windows/configure.md).

String
URL - the device checks for updates from the WSUS server at the specified URL.
Not configured - The device checks for updates from Microsoft Update.| +> | `./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl` |This setting is available in RS5 (build 17763) and earlier. Starting with 19H1 (build 18362), use [Windows Update client policies](../../device-updates/windows/index.md).

String
URL - the device checks for updates from the WSUS server at the specified URL.
Not configured - The device checks for updates from Microsoft Update.| ### [ApprovedUpdates](/windows/client-management/mdm/update-csp) diff --git a/intune/intune-service/fundamentals/cloud-configuration-setup-guide.md b/intune/intune-service/fundamentals/cloud-configuration-setup-guide.md index 7ed119380a7..7f74a2bf185 100644 --- a/intune/intune-service/fundamentals/cloud-configuration-setup-guide.md +++ b/intune/intune-service/fundamentals/cloud-configuration-setup-guide.md @@ -585,7 +585,7 @@ You can monitor the status of the Windows Update ring policy: 2. Select the update ring you deployed as part of cloud config. 3. Select **Device status**, **User status**, or **End user update status**. The update ring settings details are shown. -For more information on reporting for Windows Update rings, see [Reports for Update rings for Windows policy](../../device-updates/windows/reports.md#reports-for-update-rings-for-windows-10-and-later-policy). +For more information on reporting for Windows Update rings, see [Reports for update rings policies](../../device-updates/windows/update-rings-reports.md). ### Compliance policy diff --git a/intune/intune-service/fundamentals/deployment-plan-configuration-profile.md b/intune/intune-service/fundamentals/deployment-plan-configuration-profile.md index 9570567cfe9..2771fb16702 100644 --- a/intune/intune-service/fundamentals/deployment-plan-configuration-profile.md +++ b/intune/intune-service/fundamentals/deployment-plan-configuration-profile.md @@ -192,7 +192,7 @@ Your policy options: | Android Enterprise personally owned devices | Not available

Can use compliance policies to set a minimum patch level, min/max OS version, and more. | | iOS/iPadOS | Intune update policy | | macOS | Intune update policy | -| Windows client | - Intune feature updates policy
- Intune expedited updates policy | +| Windows client | - Intune feature updates policy
- Intune quality updates policy | For more information on these features and/or the settings you can configure, go to: @@ -201,7 +201,7 @@ For more information on these features and/or the settings you can configure, go - **macOS** [Managed software updates](../../device-updates/apple/index.md) - **Windows**: - [Feature updates policy](../../device-updates/windows/feature-updates.md) - - [Expedited updates policy](../../device-updates/windows/expedite-updates.md) + - [Quality updates policy](../../device-updates/windows/quality-updates.md) ## Level 1 - Access organization email, connect to VPN or Wi-Fi diff --git a/intune/intune-service/fundamentals/intune-govt-service-description.md b/intune/intune-service/fundamentals/intune-govt-service-description.md index d65ea6319ef..3e166f27581 100644 --- a/intune/intune-service/fundamentals/intune-govt-service-description.md +++ b/intune/intune-service/fundamentals/intune-govt-service-description.md @@ -84,7 +84,7 @@ The following features are currently not available and aren't supported in GCC H | Feature | Availability | | --- | --- | -| Expedited updates | For more information on this feature, go to [Expedite Windows quality updates in Microsoft Intune](../../device-updates/windows/expedite-updates.md). | +| Expedited updates | For more information on this feature, go to [Windows quality updates in Microsoft Intune](../../device-updates/windows/quality-updates.md). | | Feature updates | For more information on this feature, go to [Feature updates for Windows in Intune](../../device-updates/windows/feature-updates.md). | | Windows Autopilot device preparation| The following features are in the planning phase:

- Customize out-of-box experience (OOBE) and rename devices during provisioning based on organizational structure
- Self-deploying and pre-provisioning mode
- More admin-specified configurations delivered before allowing desktop access.
- Enhanced optional desktop onboarding experience inside the Windows Company Portal app
- The ability to associate a device with a tenant.

Provisioning modes which require Windows Autopilot registration are not supported.

To get started with Windows Autopilot device preparation, go to [Windows Autopilot Device Preparation overview](/autopilot/device-preparation/overview).| | Delivery Optimization for Win32 Apps | For more information on the Delivery Optimization feature in Windows, go to [What is Delivery Optimization?](/windows/deployment/do/waas-delivery-optimization). | diff --git a/intune/intune-service/fundamentals/microsoft-intune-service-description.md b/intune/intune-service/fundamentals/microsoft-intune-service-description.md index 2223af8840c..3abc0d57fdb 100644 --- a/intune/intune-service/fundamentals/microsoft-intune-service-description.md +++ b/intune/intune-service/fundamentals/microsoft-intune-service-description.md @@ -3,9 +3,9 @@ title: Microsoft Intune Service Description description: Microsoft Intune is a cloud-based service that helps you manage Windows, iOS/iPadOS, macOS, and Android devices. author: MandiOhlinger ms.author: mandia -ms.date: 01/27/2026 +ms.date: 02/03/2026 ms.topic: article -ms.reviewer: cacamp +ms.reviewer: mmikkelson, cacamp ms.collection: - M365-identity-device-management - triage 
@@ -13,20 +13,20 @@ ms.collection: # Microsoft Intune service description -Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. By using Intune, you can: +Intune is a cloud-based endpoint management service that helps you manage and secure your organization's devices, apps, and data. By using Intune, you can: -* Manage the mobile devices your workforce uses to access company data. -* Manage the client apps your workforce uses. -* Protect your company information by helping to control the way your workforce accesses and shares it. -* Ensure devices and apps are compliant with company security requirements. +* Manage the mobile devices your workforce uses to access organization data. +* Manage the client apps your workforce uses, including Microsoft 365 apps and many third-party partner apps. +* Protect your organization information and data by managing the way your workforce accesses and shares it. +* Ensure devices and apps are compliant with organization security requirements. -Intune integrates closely with Microsoft Entra ID for identity and access control, and Azure Information Protection for data protection. You can also integrate it with Configuration Manager to extend your management capabilities. +Intune integrates closely with Microsoft Entra ID for identity and access control, and native and partner services for data & endpoint protection. You can also integrate Intune with Configuration Manager to extend your management capabilities. To learn more about how you can manage devices, apps, and protect corporate data with Intune, see [Microsoft Intune securely manages identities, apps, and devices](what-is-intune.md). ## 30-day free trial -You can start to use Intune with a 30-day free trial that includes 100 user licenses. 
To start your free trial, [go to the Intune Sign up page](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0%20). If your organization has an Enterprise Agreement or equivalent volume licensing agreement, contact your Microsoft representative to set up your free trial. +You can start to use Intune with a 30-day free trial. To start your free trial, [go to the Intune Sign up page](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0%20). If your organization has an Enterprise Agreement or equivalent volume licensing agreement, contact your Microsoft representative to set up your free trial. If your organization has a Microsoft Online Services work or school account, and you might continue with this Intune subscription in production after the trial period ends, select the **Sign in** option on that page and authenticate by using the Microsoft Entra Global Administrator account for your organization. This action ensures that your Intune trial links to your existing work or school account. 
@@ -35,30 +35,34 @@ If your organization has a Microsoft Online Services work or school account, and ## Intune Onboarding benefit -Microsoft offers the Intune Onboarding benefit for eligible services in eligible plans. The Onboarding benefit lets you work remotely with Microsoft specialists to get your Intune environment ready for use. For more about the Onboarding benefit, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction). +Microsoft offers the Intune Onboarding benefit for eligible services in eligible plans. The Onboarding benefit lets you work remotely with Microsoft specialists to get your Intune environment ready for use. For more about this benefit, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction). ## Learn how Intune service updates affect you -Because the mobile device management ecosystem changes frequently with operating system updates and mobile app releases, Microsoft regularly updates Intune. You can learn about changes in the Intune service through three main sources: +Because the mobile device management ecosystem changes frequently with operating system updates and mobile app releases, Microsoft regularly updates Intune. You can learn about changes in the Intune service through the following sources: -* [What's new in Microsoft Intune](whats-new.md). This article is updated monthly and can be updated weekly when, for example, apps such as the Company Portal app are released. +* [What's new in Microsoft Intune](whats-new.md) is updated monthly and can be updated weekly when, for example, apps such as the Company Portal app are updated. -* The [Microsoft 365 admin center](https://admin.microsoft.com/) Message Center announces important service updates. If you install the companion [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app), you can receive notifications on your mobile device. 
Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center). +* The [Microsoft Intune admin center](https://intune.microsoft.com) and the [Microsoft 365 admin center](https://admin.microsoft.com/) message centers announce service change notices and service health notices, including any issues in your environment that require action. + + - [**Microsoft 365 admin center**](https://admin.microsoft.com) Message Center notices are shown at **Health** > **Message center**. + - [**Microsoft Intune admin center**](https://intune.microsoft.com) notices are shown at **Tenant administration** > **Tenant status** > **Service health and message center**. A few helpful hints: - * The messages in the Microsoft 365 Message Center are targeted. So, if your company doesn't have an Intune for Education offer, you won't receive messages about Intune for Education. + * The messages are typically targeted. So, if your organization doesn't have an Intune for Education offer, you won't receive messages about Intune for Education. - * Messages expire. For example, the notification that your service is updated with a link to the What's new page likely expires prior to the next service update notification. Otherwise, you'd have a large backlog of posts that might no longer be relevant. + * Messages expire. For example, the notification that your service is updated with a link to the What's new page likely expires before the next service update notification. Otherwise, you'd have a large backlog of posts that might no longer be relevant. - * The Microsoft 365 admin mobile app allows you to search through all the messages. You can also forward the notification to share it with others in your organization. + * Install the [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app) to receive notifications on your mobile device. 
You can search through all the messages and forward the notification to share it with others in your organization. - * Under **Edit message center preferences**, you might see an **Intune** toggle so you can look at those messages posted to an Intune subscription. If you see **Mobile Device Management for Microsoft 365**, that is a different service, not Intune. + * Under **Edit message center preferences**, you might see an **Intune** toggle so you can look at those messages posted to an Intune subscription. If you see **Mobile Device Management for Microsoft 365**, that service is different, not Intune. -* Two blogs share new features, capabilities, and best practices for Microsoft Intune: + * Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center). - * [Microsoft Intune Blog](https://aka.ms/IntuneBlog) +* The following blogs share new features, capabilities, and best practices for Microsoft Intune: + * [Microsoft Intune Blog](https://aka.ms/IntuneBlog) * [Intune Customer Success Blog](https://aka.ms/IntuneCustomerSuccess) > [!NOTE] 
@@ -68,18 +72,23 @@ Because the mobile device management ecosystem changes frequently with operating To help you plan for service changes, Microsoft notifies you at least 7-90 days prior to the service change, depending on the impact of the change. These changes might include any of the following types of change: -- Changes to the end-user experience that you might want to share with your helpdesk staff or your end users. Microsoft typically provides 7 to 30 days' notice of those changes and documents them on the [What's new in Intune App UI](whats-new-app-ui.md). For something like a spelling error fix, Microsoft typically doesn't call out the change in documentation. But a change in the end-user enrollment experience is significant enough in the UI that Microsoft posts a message to customers in the Microsoft 365 Message center and links to the What's new in the Intune App UI. So, you're notified of what's changing and have time to evaluate and update your end-user guidance before the changes roll out in production. +- Changes to the end-user experience that you might want to share with your helpdesk staff or your end users. Microsoft typically provides 7 to 30 days' notice of those changes. For something like a spelling error fix, Microsoft typically doesn't call out the change in documentation. For a change in the end-user enrollment experience that's significant enough in the UI, Microsoft posts a message to customers. So, you're notified of what's changing and have time to evaluate and update your end-user guidance before the changes roll out in production. -- Changes that require you to take action are called **Plan for Change** and typically provide about 30 days' notice. In the Microsoft 365 Message Center, the category specifically says Plan for Change. If Microsoft has an exact date for when the change is in production, there's an **Act By** date. That date gives you a visual queue and an explanation mark. 
+ Changes that require you to take action are called **Plan for Change** and typically provide about 30 days' notice. In the Intune and Microsoft 365 message centers, the category specifically says **Plan for Change**. If Microsoft has an exact date for when the change is in production, there's an **Act By** date. That date gives you a visual queue and an explanation mark. -- For most deprecations, Microsoft prefers to provide 90 days' notice of that deprecation. For example, if Microsoft is no longer going to support a specific version of IE, the goal is to provide 90 days' notice. However, deprecations get complicated when it's another company announcing the deprecation. For example, a browser company provided notice that they won't support Silverlight with their latest build. So, Microsoft lets customers know we're dropping support of that browser, but the Microsoft notification to customers might be under the 90-day period. +- For most deprecations, Microsoft prefers to provide 90 days' notice of that deprecation. For example, if Microsoft is no longer going to support a feature, the goal is to provide 90 days' notice. Deprecations get complicated when it's another company announcing the deprecation. So, Microsoft lets customers know we're removing support as soon as possible, but the Microsoft notification to customers might be under the 90-day period. -- In the event of Intune service retirement, you would be notified 12 months in advance. +- In the event of Intune service retirement, you are notified 12 months in advance. -Finally, in the rare event there's any post-incident action needed to get your service back to normal or a large change that Microsoft deems potentially disruptive based on customer feedback, Microsoft emails the service administrators based on how your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more) are set. Be sure to include a valid work email address. 
+- In the rare event there's any post-incident action needed to get your service back to normal or a large change that Microsoft deems potentially disruptive based on customer feedback, Microsoft emails the service administrators using your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more). Be sure your preferences include a valid work email address. ## Language support Intune runs in the Azure portal, which supports the following languages: Chinese (Simplified), Chinese (Traditional), Czech, Dutch, English, French, German, Hungarian, Indonesian, Italian, Japanese, Korean, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, and Turkish. In addition to all the languages that the Azure portal supports, the Microsoft Intune admin center and the user-facing mobile experiences support Danish, Greek, Finnish, Norwegian, and Romanian. + +## Related content + +- [Service information for Microsoft Intune release updates](intune-service-servicing-information.md) +- [What is Microsoft Intune](what-is-intune.md) diff --git a/intune/intune-service/fundamentals/whats-new-archive.md b/intune/intune-service/fundamentals/whats-new-archive.md index 185076d5462..d08971e45af 100644 --- a/intune/intune-service/fundamentals/whats-new-archive.md +++ b/intune/intune-service/fundamentals/whats-new-archive.md 
@@ -362,9 +362,9 @@ For more information about protected apps, see [Microsoft Intune protected apps] #### Updates to the Feature updates report -We're introducing a new **Update Substate** in Service-side data. This substate is displayed in the reports for devices that are invalid in Microsoft Entra and is known as **Not supported**. +We're introducing a new **Update Substate** in service-side data. This substate is displayed in the reports for devices that are invalid in Microsoft Entra and is known as **Not supported**. -For more information, see [Use Windows Update for Business reports for Windows Updates](../../device-updates/windows/reports.md#use-the-windows-10-feature-updates-organizational-report) +For more information, see [Use Windows Update for Business reports](../../device-updates/windows/feature-updates-reports.md) ## Week of February 24, 2025 (Service release 2502) @@ -2090,7 +2090,7 @@ Feature updates can now be made available to end users as **Optional** updates, End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, admins can change the setting on the policy and update the rollout settings so that the update is deployed as a **Required** update to devices that don't yet have it installed. -For more information on Optional Feature updates, see [Feature updates for Windows 10 and later policy in Intune](../../device-updates/windows/feature-updates.md#create-and-assign-feature-updates-for-windows-10-and-later-policy). +For more information about optional feature updates, see [Feature updates policy in Intune](../../device-updates/windows/feature-updates.md). Applies to: 
@@ -2278,7 +2278,7 @@ You can drill down further in the report for each quality update that aggregates Finally, the admins can get the list of devices that aggregate to the numbers shown in the previous two reports, which can also be exported and used for troubleshooting and analysis along with the Windows Update for business reports. -For more information on Windows update distribution reports, see [Windows Update reports on Intune](../../device-updates/windows/reports.md#windows-update-distribution-report). +For more information see [Windows update distribution report](../../device-updates/windows/quality-updates-reports.md#windows-update-distribution-report). Applies to: @@ -2588,7 +2588,7 @@ Applies to: - Windows 11 devices -For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../../device-updates/windows/expedite-updates.md#create-and-assign-an-expedited-quality-update). +For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../../device-updates/windows/quality-updates.md). #### Introducing a remote action to pause the config refresh enforcement interval @@ -2651,7 +2651,7 @@ Applies to: - Windows 11 devices -For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../../device-updates/windows/expedite-updates.md#create-and-assign-an-expedited-quality-update). +For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../../device-updates/windows/quality-updates.md). ### Intune apps 
@@ -2945,7 +2945,7 @@ Applies to: - Windows 10 - Windows 11 -For more information, see [Bulk driver updates](../../device-updates/windows/driver-updates-policy.md#bulk-driver-updates). +For more information, see [Bulk driver updates](../../device-updates/windows/driver-update-policy.md#bulk-driver-updates). #### App Control for Business policy limitation is resolved 
@@ -4044,22 +4044,22 @@ You can learn more about Defender for Endpoint settings that are available for L ### Monitor and troubleshoot -#### Updated reports for Update rings for Windows 10 and later +#### Updated reports for Windows update rings policies -Reporting for [Update rings for Windows 10 and later](../../device-updates/windows/update-rings.md) has been updated to use Intune's improved reporting infrastructure. These changes align to similar improvements introduced for other Intune features. +Reporting for Windows update rings policies has been updated to use Intune's improved reporting infrastructure. These changes align to similar improvements introduced for other Intune features. -With this change for reports for Update rings for Windows 10 and later, when you select an update rings policy in the Intune admin center, there isn't a left-pane navigation for *Overview*, *Manage*, or *Monitor* options. Instead, the policy view opens to a single pane that includes the following policy details: +With this change for reports for Windows update rings, when you select an update rings policy in the Intune admin center, there isn't a left-pane navigation for *Overview*, *Manage*, or *Monitor* options. Instead, the policy view opens to a single pane that includes the following policy details: -- **Essentials** – including the policy name, created and modified dates, and more details. -- **Device and user check-in status** – This view is the default report view and includes: +- **Essentials**: including the policy name, created and modified dates, and more details. +- **Device and user check-in status**: This view is the default report view and includes: - A high-level overview of device status for this policy, and a *View report* button to open a more comprehensive report view. - A streamlined representation and count of the different device status values returned by devices assigned to the policy. 
The simplified bar and chart replace former doughnut charts seen in the prior reporting representation. - Two other report tiles to open more reports. These tiles include: - - **Device assignment status** – This report combines the same information as the previous Device status and User status reports, which are no longer available. However, with this change, pivots and drill-in through based on the user name is no longer available. - - **Per setting status** – This new report provides success metrics for each setting configured differently than the defaults, allowing for new insight to which settings might not be successfully deploying to your organization. -- **Properties** – View details for each configuration page of the policy, including an option to **Edit** each areas profile details. + - **Device assignment status**: This report combines the same information as the previous Device status and User status reports, which are no longer available. However, with this change, pivots and drill-in through based on the user name is no longer available. + - **Per setting status**: This new report provides success metrics for each setting configured differently than the defaults, allowing for new insight to which settings might not be successfully deploying to your organization. +- **Properties**: View details for each configuration page of the policy, including an option to **Edit** each areas profile details. -For more information about reports for update rings for Windows 10 and later, see [Reports for Update rings for Windows 10 and later policy](../../device-updates/windows/reports.md#reports-for-update-rings-for-windows-10-and-later-policy) in the Windows Update reports for Microsoft Intune article. +For more information, see [Reports for update rings policies](../../device-updates/windows/update-rings-reports.md). ### Role-based access 
@@ -4695,9 +4695,9 @@ Update policies can be configured for one of two approval methods: To help you manage driver updates, you review a policy and decline an update you don't want to install. You can also indefinitely pause any approved update, and reapprove a paused update to restart its deployment. -This release also includes [driver update reports](../../device-updates/windows/reports.md#reports-for-windows-driver-updates-policy) that provide a success summary, per-device update status for each approved driver, and error and troubleshooting information. You can also select an individual driver update and view details about it across all the policies that include that driver version. +This release also includes [driver update reports](../../device-updates/windows/driver-updates-reports.md) that provide a success summary, per-device update status for each approved driver, and error and troubleshooting information. You can also select an individual driver update and view details about it across all the policies that include that driver version. -To learn about using Windows Driver update policies, see [Manage policy for Windows Driver updates with Microsoft Intune](../../device-updates/windows/driver-updates-overview.md). +To learn about using Windows Driver update policies, see [Manage policy for Windows Driver updates with Microsoft Intune](../../device-updates/windows/driver-updates.md). Applies to: diff --git a/intune/intune-service/fundamentals/windows-holographic-for-business.md b/intune/intune-service/fundamentals/windows-holographic-for-business.md index 928c0e8b49c..df5993ea19b 100644 --- a/intune/intune-service/fundamentals/windows-holographic-for-business.md +++ b/intune/intune-service/fundamentals/windows-holographic-for-business.md 
@@ -131,7 +131,7 @@ For more information, go to [Shared devices](../configuration/shared-user-device ## Software updates -**[Manage software updates](../../device-updates/windows/configure.md)**. +**[Manage software updates](../../device-updates/windows/index.md)**. Intune has different feature that focus on updating Windows client devices. These options include that determine how updates are installed. For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. Updates can be applied to multiple devices running Windows Holographic for Business. diff --git a/intune/intune-service/protect/data-enable-windows-data.md b/intune/intune-service/protect/data-enable-windows-data.md index 06f2dd682b6..bc88759cc64 100644 --- a/intune/intune-service/protect/data-enable-windows-data.md +++ b/intune/intune-service/protect/data-enable-windows-data.md @@ -34,7 +34,7 @@ The following features require you to enable this support: - [Windows feature update device readiness report](../../device-updates/windows/compatibility-reports.md#use-the-windows-feature-update-device-readiness-report) - [Windows feature update compatibility risks report](../../device-updates/windows/compatibility-reports.md#use-the-windows-feature-update-compatibility-risks-report) -- [Windows driver updates report](../../device-updates/windows/driver-updates-overview.md) +- [Windows driver updates report](../../device-updates/windows/driver-updates.md) - Windows feature update report - Windows expedited Update Report - Driver update policies with alerts / Windows driver update failures diff --git a/intune/intune-service/protect/device-protect.md b/intune/intune-service/protect/device-protect.md index f970e9efa55..7f05324b119 100644 --- a/intune/intune-service/protect/device-protect.md +++ b/intune/intune-service/protect/device-protect.md 
@@ -57,7 +57,7 @@ Following are a few of the security settings and tasks you can manage through av - [Zebra LifeGuard Over-the-Air (LG OTA)](../../device-updates/android/zebra-lifeguard-ota-integration.md) - Manage firmware updates for supported Zebra devices through the Intune admin center. - [iOS](/mem/intune-service/protect/managed-software-updates-ios-macos) - Manage device operating system versions, and when devices check for and install updates. - [macOS](/mem/intune-service/protect/managed-software-updates-ios-macos) - Manage software updates for macOS devices that enrolled as supervised devices. - - [Windows](../../device-updates/windows/configure.md)- To manage the Windows Update experience for devices, you can configure when devices scan or install updates, hold a set of your managed devices at specific feature versions, and more. + - [Windows](../../device-updates/windows/index.md)- To manage the Windows Update experience for devices, you can configure when devices scan or install updates, hold a set of your managed devices at specific feature versions, and more. - **Security baselines** – Deploy [security baselines](../protect/security-baselines.md) to establish a core security posture on your Windows devices. Security baselines are preconfigured groups of Windows settings that come recommended by the relevant product teams. You can use baselines as provided or edit instances of them to meet your security goals for targeted groups of devices. diff --git a/intune/intune-service/protect/includes/secure-recommendations/24553.md b/intune/intune-service/protect/includes/secure-recommendations/24553.md index 2ef690e4f6e..04a55763d5e 100644 --- a/intune/intune-service/protect/includes/secure-recommendations/24553.md +++ b/intune/intune-service/protect/includes/secure-recommendations/24553.md 
@@ -20,8 +20,8 @@ Enforcing Windows Update policies ensures timely patching of security flaws, dis Start with [Manage Windows software updates in Intune](/intune/device-updates/windows/configure) to understand the available Windows Update policy types and how to configure them. Intune includes the following Windows update policy type: -- [Windows quality updates policy](/intune/device-updates/windows/quality-updates-policy) - *to install the regular monthly updates for Windows.* +- [Windows quality updates policy](/intune/device-updates/windows/quality-updates) - *to install the regular monthly updates for Windows.* - [Expedite updates policy](/intune/device-updates/windows/expedite-updates) - *to quickly install critical security patches.* - [Feature updates policy](/intune/device-updates/windows/feature-updates) - [Update rings policy](/intune/device-updates/windows/update-rings) - *to manage how and when devices install feature and quality updates.* -- [Windows driver updates](/intune/device-updates/windows/driver-updates-overview) - *to update hardware components.* +- [Windows driver updates](/intune/device-updates/windows/driver-updates) - *to update hardware components.* diff --git a/intune/intune-service/toc.yml b/intune/intune-service/toc.yml index 17418a170d0..e197996a7ff 100644 --- a/intune/intune-service/toc.yml +++ b/intune/intune-service/toc.yml @@ -2348,3 +2348,5 @@ items: href: ./protect/privacy-data-view-correct.md - name: Audit, export, delete href: ./protect/privacy-data-audit-export-delete.md + - name: Microsoft Intune service description + href: ./fundamentals/microsoft-intune-service-description.md \ No newline at end of file diff --git a/intune/media/icons/16/tenant-administration.svg b/intune/media/icons/16/tenant-administration.svg new file mode 100644 index 00000000000..35fe8848566 --- /dev/null +++ b/intune/media/icons/16/tenant-administration.svg @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + + 
diff --git a/intune/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md b/intune/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md index 45161e7a216..236f1d26a96 100644 --- a/intune/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md +++ b/intune/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md @@ -144,7 +144,7 @@ Your exact workloads, details, and how to update the workloads for cloud-native For more information, go to: - - [Manage Windows software updates in Intune](../../device-updates/windows/configure.md) + - [Manage Windows software updates in Intune](../../device-updates/windows/index.md) - [Integrate Configure Manager with Windows Update client policies](../../configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10.md) - [Choose how to manage updates to Microsoft 365 Apps](/deployoffice/choose-how-manage-updates-microsoft-365-apps) diff --git a/intune/solutions/cloud-native-endpoints/cloud-native-windows-endpoints.md b/intune/solutions/cloud-native-endpoints/cloud-native-windows-endpoints.md index 4c4443bb3ee..e62c3b9b794 100644 --- a/intune/solutions/cloud-native-endpoints/cloud-native-windows-endpoints.md +++ b/intune/solutions/cloud-native-endpoints/cloud-native-windows-endpoints.md 
@@ -461,7 +461,7 @@ For more information, see [Troubleshooting policy conflicts with Windows Autopil For more information, go to: -- [Learn about using Windows Update client policies in Microsoft Intune](../../device-updates/windows/configure.md) +- [Learn about using Windows Update client policies in Microsoft Intune](../../device-updates/windows/index.md) - [Module 4.2 - Windows Update for Business Fundamentals](https://www.youtube.com/watch?v=TXwp-jLDcg0&list=PLMuDtq95SdKsEc_BmAbvwI5l6RPQ2Y2ak&index=6&t=5s) from the Intune for Education Deployment Workshop video series If you'd like more granular control for Windows Updates and you use Configuration Manager, consider [co-management](../../configmgr/comanage/overview.md).