A lighthearted mindset shift for IT pros moving from SCCM patch deployments to Windows Update settings + compliance-driven outcomes.
For years, many of us have approached patching like we’re running a shipping dock: build the package, label the box, push it onto endpoints, and then chase down the ones that “didn’t get the memo.” SCCM (Configuration Manager) made that model powerful—deployments, collections, maintenance windows, retries, and all the knobs we learned to love. If you were like me, you built your entire understanding of software updates around this model.
Intune flips the mental model. Instead of pushing patches as discrete payloads, you configure Windows Update behavior (rings, deadlines, restart experience, feature update targets), then you use compliance and reporting to confirm devices are meeting expectations: patch level, minimum OS, and overall update health. The job becomes less “Did I deploy the thing?” and more “Are we getting the outcome?” We get requests from various customers asking us how we "push patches" in Intune vs SCCM. The answer is... we don't.
Why the SCCM “push” model made so much sense
The classic SCCM patching story grew up in a world of on-prem networks, controlled bandwidth, and a very reasonable belief that “if I don’t deploy it, it won’t happen.” You staged content, targeted collections, controlled timing, and could often explain exactly why a given device didn’t patch (client health, boundary groups, scan failures, missing content, reboot pending… pick your favorite).
What changes with Intune: policy first, compliance always
With Intune, you’re mostly not shipping update bits around. You’re shaping how Windows Update behaves: when quality updates install, how long users can defer, when deadlines kick in, what the restart experience looks like, and which feature version a device should land on. Then you validate reality with reporting and compliance signals.
- SCCM mindset: Create deployment → target devices → monitor deployment success.
- Intune mindset: Define update expectations → let Windows Update do the work → monitor compliance and remediate exceptions.
The uncomfortable part: you’re giving up some control to gain better control
This is usually where the room gets spicy: “But I need to push patches.” Translation: “I need to be able to prove we’re safe, and I don’t trust a model I can’t micromanage.” Fair! But in a modern, internet-first fleet, with remote users, always-on VPN (maybe), and devices that come and go, trying to keep the old push mechanics can actually reduce your real control.
Intune’s superpower is that it encourages you to define measurable outcomes: “Devices must be on minimum OS version X,” “quality updates must be installed within Y days,” and “devices outside tolerance are noncompliant.” You stop arguing about whether the deployment ran and start managing an update SLA.
A practical way to start (without breaking your brain)
- Define your update posture. What’s your target time-to-patch for quality updates (e.g., 7/14/30 days)? What feature version do you support? Write it down like a promise.
- Configure Windows Update behavior in Intune. Use update rings to set deferrals, deadlines, active hours, and restart options. Add feature update policies to target a specific Windows version. Use expedited quality updates when you truly need “now.”
- Express minimums in compliance policy. Set requirements like minimum OS version (and other guardrails you already care about).
- Use Conditional Access (where appropriate) to make noncompliance matter. Not as punishment—more like a seatbelt.
- Watch the exceptions, not the whole herd. Use reporting to find patterns: stuck devices, reboot avoidance, update scan issues, or users who live in “Remind me tomorrow.”
- Remediate deliberately. Fix root causes (health, disk space, servicing stack issues), and reserve heavy-handed actions for the few devices that earn them.
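To make the steps above concrete, here is an added example (not from the original post, and not Intune's own logic) that expresses an update posture as data and reports only the exceptions. The field names, device rows, and policy values are constructed assumptions, not an Intune report schema.

```python
from datetime import date

# The written-down "promise" as data. All values are constructed for illustration.
POLICY = {
    "min_os_version": "10.0.22631.3447",  # minimum acceptable build
    "patch_released": date(2024, 4, 9),   # when that build became available
    "deadline_days": 14,                  # target time-to-patch
    "stale_after_days": 30,               # no check-in this long = state unknown
}

# Constructed sample rows; field names are assumptions, not an Intune report schema.
DEVICES = [
    {"name": "LT-001", "os_version": "10.0.22631.3447", "last_checkin": date(2024, 4, 15)},
    {"name": "LT-002", "os_version": "10.0.22631.999", "last_checkin": date(2024, 4, 15)},
    {"name": "LT-003", "os_version": "10.0.22631.3447", "last_checkin": date(2024, 3, 1)},
]


def parse_version(text):
    """Split '10.0.22631.999' into integers; as strings, '999' would sort above '3447'."""
    return tuple(int(part) for part in text.split("."))


def classify(device, policy, today):
    """Return one outcome per device: compliant, in_grace, overdue or stale."""
    if (today - device["last_checkin"]).days > policy["stale_after_days"]:
        return "stale"  # last reported version is too old to trust
    if parse_version(device["os_version"]) >= parse_version(policy["min_os_version"]):
        return "compliant"
    age = (today - policy["patch_released"]).days
    return "in_grace" if age <= policy["deadline_days"] else "overdue"


def exceptions(devices, policy, today):
    """Group only the devices that need attention, keyed by reason."""
    report = {}
    for device in devices:
        outcome = classify(device, policy, today)
        if outcome in ("overdue", "stale"):
            report.setdefault(outcome, []).append(device["name"])
    return report


if __name__ == "__main__":
    print(exceptions(DEVICES, POLICY, today=date(2024, 4, 30)))
```

A device that has not checked in is reported as stale rather than compliant, because its last known version says nothing about its current state.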
A question worth asking
If your patching success still depends on the sentence “the deployment ran,” it might be time to upgrade the belief system, not just the tooling. In the Intune model, success is: devices are updated, versions are within tolerance, and noncompliance is visible and actionable.
So here’s the challenge: what would your patching program look like if you treated Windows updates less like a package you ship and more like a standard you enforce? You might find you didn’t lose control at all—you just moved it to where it belongs: policy, visibility, and outcomes.