Windows Update for Business and Hybrid Devices

Question

Hello!&nbsp;&nbsp;I've been using WUfB for the last year on a handful (200) of cloud first AADJ devices and over the summer cut the cord for WSUS and SCCM and now I'm using WUfB / Intune for all my devices. The legacy AD joined machines are very problematic and its getting the point where I just want to purchase a few hundred brand new devices and autopilot/aadj and retired these old hybrid devices. Are there any tips, best practices, or&nbsp; guidelines to get these hybrid devices updating correctly? I'm using Azure Update Compliance for reporting and honestly its a mess.&nbsp;

ariaupdated · Answer

Hey Justin4er,
&nbsp;
Thanks for reaching out! Could you provide a few more details about the problems you are seeing?&nbsp;
&nbsp;
Have you confirmed that your GPOs are configured correctly? We find most times that there are often conflicting policies on the device which result in the devices not updating correctly. 🙂&nbsp;
&nbsp;
Best,
Aria&nbsp;

justin4er · Answer

Hi Aria,Thanks for the quick reply!Some of the problems I'm seeing are device that are hybrid are showing as missing a security or quality update in Azure Update Compliance, and when manually checking the device no new updates are available for install, no pending restarts etc. Also ran the Windows Update troubleshooter on a few and not getting anything there. A few other hybrid devices are getting "Error encountered, there were some problems installing updates..." when attempting to manuallly check.I'll look into group policy to make sure there's nothing still lingering from before, I was under the impression they were removed but I'll double check.

ariaupdated · Answer

That definitely sounds like you may have some conflicting policies. Please be sure that you do not have "Do not allow Windows update deferrals to cause scans against Windows Update" (GP) or "DisableDualScan" (CSP) Configured. You can see the ways to ensure that your devices are correctly pointing to WU in this video (https://techcommunity.microsoft.com/t5/ignite-video-hub/the-how-to-guide-for-managing-windows-updates/td-p/2177266) or in this blog: (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/common-policy-configuration-mistakes-for-managing-windows/ba-p/2077328) Trick - if you have one of the devices you can easily trouble shoot by going to the Windows update settings page and clicking "view policies configured" to see what policies are applied on the device. Please reach out if you have any other questions! 🙂

therealshimshady · Answer

I'd like to pipe in here as well as I'm having a similar issue on a client site. Running hybrid joined devices co-managed between MECM/Intune, the decision was made to use WUfB for to upgrade the 1803 device to 1909 to ease the load on the VPN, plus using WSUS over VPN takes 8 hours compared to 45 minutes using WU. I'm finding the reporting very sketchy so am having to use both Intune and MECM to understand which devices have upgraded successfully. Currently I am adding devices to the Intune group which contains the telemetry configuration and then adding the same devices to the co-management collection. Then (and only then) do i add the devices to a GPO which suppresses WSUS and opens up access to WU so the update can take place. Otherwise there is a risk of WU installing the latest version of Windows. So as you can see, its not a fully automated process. The client would like to revert back to WSUS on completion of upgrade as the business case has not been made to replace WSUS with WufB. You can appreciate that WSUS gives you more granularity and better reporting. Is there perhaps a better way of achieving this? Thanks

Forum Discussion

Windows Update for Business and Hybrid Devices

4 Replies

Resources