Hi Rene_kierstein,
The current solution that is out is for GPO. We are working on an Intune solution to come this year. 🙂
For your second question--how can we adjust the baseline if a company only wants to deploy a subset of available updates (such as security updates)? The majority of policies that are configured in the Update Baseline are around user experience (e.g. notifications, access to features, etc.), which are applicable to any type of update you are deploying to devices. To ensure your devices only get specific updates--for the sake of this example I will use security updates as the only type of update you are looking to deploy--I would check the following:
- Make sure all drivers and Microsoft product updates are turned off
  - "Do not include drivers with Windows Updates" - Set this to Enabled.
  - "Configure Automatic Updates" - Make sure "Install updates for other Microsoft products" is not selected.
- If you are not deploying Feature Updates via Windows Update, is your device configured to connect to a WSUS server?
  - "Specify intranet Microsoft update service location."
- I'd also double check Deadlines/offering policies (such as deferrals and pause) which also affect when the Feature Update vs Quality Updates are offered.
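
A read-only way to audit a device against the checklist in the reply above, as an added example that is not part of the original post and not Microsoft's own tooling. The post gives only the policy display names; the registry value names used here are an assumption about where those Group Policy settings are written.

```powershell
# Added example: read-only audit of the policies named in the reply above.
# Assumption: the registry value names below are the ones these Group Policy
# settings write; the post itself gives only the policy display names.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Checks with an 'Ok' script block are pass/review; the rest are informational.
$checks = @(
    @{ Policy = 'Do not include drivers with Windows Updates'
       Path = $wu; Name = 'ExcludeWUDriversInQualityUpdate'
       Want = '1 (Enabled)'; Ok = { param($v) $v -eq 1 } }
    @{ Policy = 'Install updates for other Microsoft products'
       Path = $au; Name = 'AllowMUUpdateService'
       Want = 'absent or 0'; Ok = { param($v) $null -eq $v -or $v -eq 0 } }
    @{ Policy = 'Use intranet update service (WSUS)'
       Path = $au; Name = 'UseWUServer'; Want = 'per your design' }
    @{ Policy = 'Specify intranet Microsoft update service location'
       Path = $wu; Name = 'WUServer'; Want = 'per your design' }
    @{ Policy = 'Feature update deferral (days)'
       Path = $wu; Name = 'DeferFeatureUpdatesPeriodInDays'; Want = 'per your design' }
    @{ Policy = 'Quality update deferral (days)'
       Path = $wu; Name = 'DeferQualityUpdatesPeriodInDays'; Want = 'per your design' }
    @{ Policy = 'Feature updates paused since'
       Path = $wu; Name = 'PauseFeatureUpdatesStartTime'; Want = 'per your design' }
    @{ Policy = 'Quality updates paused since'
       Path = $wu; Name = 'PauseQualityUpdatesStartTime'; Want = 'per your design' }
)

$checks | ForEach-Object {
    $v = Get-PolicyValue -Path $_.Path -Name $_.Name
    [pscustomobject]@{
        Policy   = $_.Policy
        Value    = if ($null -eq $v) { '<not configured>' } else { $v }
        Expected = $_.Want
        Status   = if ($null -eq $_.Ok) { 'INFO' }
                   elseif (& $_.Ok $v) { 'PASS' } else { 'REVIEW' }
    }
} | Format-Table -AutoSize -Wrap
```

The script only reads policy values; rows marked INFO show the WSUS and deferral/pause settings so you can compare them with what you intended to deploy.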