DGMalcolm
Iron Contributor
May 20, 2022

Most Systems Not Installing Updates Via WUfB

Hey there,

I have ~120 systems enrolled in Intune and I've been trying to get them to apply updates via WUfB by deploying an Update Ring. This has all been in place and configured for over 6 weeks and only 15 of the devices have updated. Previously the systems were managed by an RMM but that has been removed and all of its settings have been reset. I also have a couple of systems that were never managed by the RMM and they aren't updating either. I've checked settings across the few systems that have updated and the ones that haven't and I don't see anything that should prevent the deployments.

I've attached a screenshot of the update ring settings, which are applied to All Devices. I'm not giving the users any real control - if it's outside of M-F 8a-5p, apply updates. I think I've looked everywhere but the lack of updates says I'm still missing something. Thoughts?

TIA

~DGM~

7 Replies

  • DGMalcolm
    Iron Contributor
    It looks like I've finally found a resolution to this issue - I finally broke down and pushed a registry change to force 'NoAutoUpdate' from 1=Disabled to 0=Not configured. This immediately gave control of the update settings back to Intune and WUfB was able to do its thing. I'm working through the backlog of systems but expect to be at nearly 100% within the next 2 weeks. Thank you all for your suggestions.

    TNT
    ~DGM~
  • Mr_Helaas
    Steel Contributor

    Hi DGMalcolm,

    As I can see in your print screen, you didn't configure a deadline. So the Windows updates will never be enforced. I think this will resolve your problem.

    I have copied a part of the Microsoft documentation about WUfB:

    Setting deadlines

    This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.

     

    More information can be found here:

    https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

    Kind regards,

    Rene

    • That deadline setting is indeed one that could also be preventing the updates… I guess I had my fair sh.t experience with migrating from SolarWinds patch mgt to Intune 🙂
      • DGMalcolm
        Iron Contributor

        I looked at the 3 registry locations given by Rudy_Ooms_MVP in the first reply. The first 2 are empty and the 3rd appears to have the settings I've applied via the Update Ring.

        Mr_Helaas - I think I misunderstood the deadlines - thanks for that review. Friday night I added a 2 day deadline which I also now see in that 3rd registry location. So it appears that the Update Ring policy got updated. The system I'm using for these checks still hasn't updated though that may be just the details of how that deadline gets applied. Maybe I'll know more on that later today.

         

        Another thing I noticed is that when I check the update policies that are applied by going through the Windows Update app, it says that 'Disable automatic updates' is on and managed by Group Policy. However, I've pushed the 'MDMWinsOverGP' configuration and I can see that set in:

        HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict


  • Hi... as you mentioned, those devices were managed by RMM... my experience with SolarWinds is indeed lingering patch mgt settings..

    But there are also working devices, if I am reading it correctly? Maybe configuring the deadline settings.

    Did you test it with a clean installed device.. so you can rule out that RMM tool for sure?

    So there is definitely nothing in these registry settings?

    HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Are you sure the WUfB settings also end up on your device?
    HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\current\device\Update
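
The checks discussed in this thread, as an added PowerShell example that is not code from any of the posters: it reads the registry locations quoted above and flags a device where the update ring has arrived but a leftover `NoAutoUpdate = 1` is still present. The function and property names are hypothetical, and the `AU` subkey is not named in the thread; it is where Windows stores the Group Policy `NoAutoUpdate` value.

```powershell
# Added example: read-only audit, nothing is modified. Run elevated on the device.
function Get-RegValues {
    param([Parameter(Mandatory)][string]$Path)
    # Map "subkey\value" -> data for a key and all its subkeys; empty if the key is absent.
    $result = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $result }
    $root = Get-Item -LiteralPath $Path
    $keys = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $rel = $key.Name.Substring($root.Name.Length).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            $id = if ($rel) { "$rel\$name" } else { $name }
            $result[$id] = $key.GetValue($name)
        }
    }
    return $result
}

function Get-WUfBPolicyState {
    # Registry locations quoted in the thread
    $legacy = Get-RegValues 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy'
    $gpo    = Get-RegValues 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $mdm    = Get-RegValues 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $ctl    = Get-RegValues 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

    # Not stated in the thread: NoAutoUpdate lives in the AU subkey of the Group Policy key
    $noAutoUpdate = $gpo['AU\NoAutoUpdate']

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NoAutoUpdate       = $noAutoUpdate
        MDMWinsOverGP      = $ctl['MDMWinsOverGP']
        GpoValues          = ($gpo.Keys | Sort-Object) -join ', '
        LegacyValueCount   = $legacy.Count
        IntuneUpdateValues = $mdm.Count
        # Condition the original poster found: ring delivered, NoAutoUpdate = 1 left behind
        LeftoverBlocksWUfB = ($noAutoUpdate -eq 1) -and ($mdm.Count -gt 0)
    }
}

Get-WUfBPolicyState | Format-List
```

A device reporting `LeftoverBlocksWUfB : True` together with `MDMWinsOverGP : 1` matches the situation described in the thread, where the conflict setting was present but the leftover value still had to be changed.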

