Modern Management - Part Five - Windows Updates

Recently I have been working on a client site who were using a third-party tool to manage their Windows Updates. It turns out there were issues with said product and their machines haven’t been updating. I suggested they use Intune to manage them.


This is how...

(Please note, these devices are already Intune managed through the use of Azure Hybrid Join/Azure AD Registered devices.)

First of all we need to create ourselves some security groups within the Azure Portal. We are going to create the following groups:
  • Windows 10 Update Ring Pilot
  • Windows 10 Update Ring Production
We create these to give us some flexibility when deploying updates to clients and are aligned to Microsoft's Servicing Channels. When we configure our Windows 10 Update Rings we will assign the ‘Semi-Annual Channel (Targeted)’ to our Windows 10 Update Ring Pilot group and we will assign the ‘Semi-Annual Channel’ to the Windows 10 Update Ring Production group, so let’s do this.

Within Azure Active Directory, browse to the ‘Groups - All groups’ blade:

Create your new security groups and assign your devices (please note I have created Cloud Security Groups, but these could also be dynamic Device groups if required).

And now you should see your groups:

The next thing we need to do is create our Windows 10 Update Rings. Browse to Intune > Software Updates > Windows 10 Update Rings.

Click on Create.

Give your Update Ring a name. In this example we are using Windows 10 Update Ring Pilot.

Now we need to configure our settings for the Update Ring. I’m not going to go through all the settings (as I’m sure you can read), but the important one here is the Servicing channel. Here we are selecting ‘Semi-Annual Channel (Targeted)’, as this will be our pilot group and we want updates ASAP.

Select OK once you are happy with your settings. Now we need to assign the Update Ring to our device group. On Assignments, add the Windows 10 Update Ring Pilot group, click on Evaluate to ensure this will apply to the correct number of devices, then click Save.

You will now be taken back to the Overview of the Update Ring (please be patient here as it can take a while to update).

(If like me you are impatient then you can always force a Sync on your Windows 10 client by going to Settings > Accounts > Access work or school > Select your Work identity > Select Info > Select Sync)

We now repeat the process to create our Windows 10 Update Ring Production but this time choosing the ‘Semi-Annual Channel’ and assigning to our Windows 10 Update Ring Production security Group.

You can see below I have added a 15-day deferral for Feature and Quality Updates.

Now if we look into Windows Update on our client we can see that ‘Some settings are managed by your organisation’:

If we click on ‘View configured update policies’ we can see our configuration is in place:

We can now see that our device is compliant:
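
The client-side check described above can also be scripted, which helps when many machines need confirming rather than one. The following is an added example, not part of the original walkthrough: it assumes the MDM-delivered Update policies are surfaced under the PolicyManager registry key shown, and it uses the Policy CSP names `BranchReadinessLevel`, `DeferQualityUpdatesPeriodInDays` and `DeferFeatureUpdatesPeriodInDays`. The defaults match the Production ring in this post (Semi-Annual Channel, 15-day deferrals); the parameter names are chosen for this example.

```powershell
# Added example: confirm on a client that the Production ring from this post has applied.
# Assumption: MDM Update policies are readable under the PolicyManager key below.
param(
    # Policy CSP Update/BranchReadinessLevel:
    #   16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel
    [int]$ExpectedChannel     = 32,
    [int]$ExpectedQualityDays = 15,
    [int]$ExpectedFeatureDays = 15
)

$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

$expected = [ordered]@{
    BranchReadinessLevel            = $ExpectedChannel
    DeferQualityUpdatesPeriodInDays = $ExpectedQualityDays
    DeferFeatureUpdatesPeriodInDays = $ExpectedFeatureDays
}

# A missing key means no Update policy has reached the device at all,
# which is the silent failure this series is trying to avoid.
if (-not (Test-Path $key)) {
    Write-Warning "No MDM Update policy found at $key. The ring has not applied or the device has not synced."
    exit 2
}

$actual  = Get-ItemProperty -Path $key
$results = foreach ($name in $expected.Keys) {
    $value = $actual.$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $value) { '<not set>' } else { $value }
        Match    = ($null -ne $value) -and ([int]$value -eq $expected[$name])
    }
}

$results | Format-Table -AutoSize

# Non-zero exit codes let a scheduled task or monitoring agent flag drift.
if ($results.Match -contains $false) {
    Write-Warning 'Update ring settings differ from the expected ring.'
    exit 1
}
Write-Output 'Update ring settings match the expected ring.'
```

For a device in the Pilot group, run it with `-ExpectedChannel 16` and whatever deferral values you set on that ring.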