ASD's Blueprint for Secure Cloud

Windows Update for Business uses Intune to manage the installation of updates and features from Microsoft Windows Update servers. There is no requirement or ability to selectively enable or disable a particular update.

Within Intune there are four main update types for devices installed with Windows 10 and later:

• Feature Updates - Released annually. Feature updates add new features and functionality to Windows.
• Quality updates - Include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any servicing stack updates that might have been released previously.
• Driver updates - These update the drivers applicable to an organisation’s device(s). Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, organisations can control whether they are installed or not.
• Microsoft product updates - These update other Microsoft products, such as Office. Organisations can enable or disable Microsoft updates by using policies controlled by various servicing tools.

Organisations can choose to apply updates for all of their devices or groups of devices from the three available servicing channels:

• General Availability Channel - Feature updates are released annually. As long as a device isn’t set to defer feature updates, any device in this channel will install a feature update as soon as it’s released. If the organisation uses Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
• Windows Insider Program for Business - Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organisations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
• Long-term Servicing Channel - The Long-Term Servicing Channel is designed to be used only for specialised devices (which typically don’t run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years.

Intune provides the ability to manage when devices are updated through policy types, which can be assigned to groups of devices:

• Update Rings for Windows 10 and later - This policy is a collection of settings that configures when devices that run Windows 10 and Windows 11 updates get installed.
• Feature updates for Windows 10 and later - This policy updates devices to the Windows version specified by the organisation, and then freezes the feature set version on those devices. This version freeze remains in place until the organisation updates them to a later Windows version. While the feature version remains static, devices can continue to install quality and security updates that are available for their feature version.
• Quality updates for Windows 10 and Later policy - expedite the install of the most recent Windows 10/11 security updates as quickly as possible on devices managed via Microsoft Intune. Deployment of expedited updates is done without the need to pause or edit the existing monthly servicing policies. With expedited updates, the installation of quality updates like the most recent patch Tuesday release or an out-of-band security update for a zero-day flaw can be sped up.

To avoid conflicts or configurations which might block installation of expedited updates, update rings policies should have the following settings:

• Enable Pre-release: Not Configured
• Automatic Update Behaviour: Reset to default
• Change Notification Update Level: Turn off all notifications including restart warnings

Intune supports the following reporting options to enable monitoring and troubleshooting of deployment updates:

• Reports in Intune:
  • Windows 10 and later update rings - Use a built-in report that’s ready by default when update rings are deployed to an organisation’s devices.
  • Windows 10 and later feature updates - Use two built-in reports that work together to gain a deep picture of update status and issues. These reports require data collection from devices to be configured before the reports can display data about feature updates.
• Update Compliance:
  • Use Update Compliance with Intune to monitor Windows update rollouts. Update Compliance is a free service built on Azure Monitor and Log Analytics.

Windows Autopatch

Included with Windows 10/11 Enterprise E3 and above licences is the Windows Autopatch feature. Autopatch will automate patching for Windows, Microsoft 365 Apps for Enterprise, Microsoft Edge, Microsoft Teams, and Microsoft drivers and firmware for their Surface devices and peripherals to alleviate some of the manual labour involved with patching. It is configured through update policies within Microsoft Intune which enables administrators to define multiple update rings.

Organisations should consider use of Windows Autopatch in accordance with their patching policy and processes aligning with their risk appetite. For organisations electing to leverage Windows Autopatch, Microsoft has published the Autopatch enrolment steps guidance.

Related information

Security & Governance

• System Monitoring
• Essential Eight - Patch Operating Systems
• Essential Eight - Patch Applications
• Essential Eight - User Application Hardening
• Enterprise Mobility

Design

• Windows Update and Patching

Configuration

• None identified

References

• Windows updates in Intune
• Windows Update Type and Channels
• Windows Builds and Release History
• Allow Telemetry
• Update Compliance
• Servicing Cadence
• Health Monitoring
• Windows Autopatch