Your guide to going cloud-native
Event details
Learn the practical steps your organization needs to take to be cloud ready; from mindset, to planning, to rollout. We'll focus on what your organization can do today to get instant cloud value with Microsoft Intune!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
43 Comments
- BrianG-PPN
Brass Contributor
I'm trying to better understand the licensing requirements listed around the new quality updates feature. https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates seems to indicate I need a Windows Enterprise, Education or VDA subscription or Business Premium. We currently have Office E5 + EMS E3 but it looks like that's not sufficiently licensed to get access to this feature. Am I reading that correctly?
- Sean_McLaren
Microsoft
Brian,
The expedite feature, as well as additional control over the approval, scheduling, and safeguarding of updates delivered from Windows Update is part of the Windows Update for Business Deployment Service. This document gives an overview of the service and also has a section for service prerequisites which contains the required subscriptions for using the service. While you are able to use the service to control updates for Windows Pro devices, it does require one of the subscriptions listed there.
- bdam55
Iron Contributor
The Expedite service is provided by the WUfB Deployment Service, which isn't part of Office nor EMS and is therefore tied to Windows licensing. How are you licensing your OSes and what SKU are you getting?
- Paul_Woodward
Iron Contributor
We did the co-management "easy win" way back in the first COVID lockdown, and it wasn't so easy. I'm not so sure I'd choose that path the next time. ConfigMgr client was pushing registry settings and local policy that broke WUfB. (It's not just us - @AriaUpdated confirmed this is still an issue yesterday.) Devices sometimes flipped back to ConfigMgr management even after we'd moved all workloads to Intune. We had issues where GPO clashed with Intune policy, and that broke things. I spent a lot of time editing/removing GPOs and working out how to replicate required settings in Intune policy. I wrote a lot of PowerShell to remove bad registry settings. After the dust settled, we started putting out new Autopilot devices, AAD only, and it is so much easier to just be cloud native. Sure, there are plenty of things to configure, but you are starting from a clean slate, and everything you need to do is actually documented - and you can road test it first.
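The conflict described in the comment above (ConfigMgr/WSUS policy left on a device silently overriding Windows Update for Business) is easy to check for before touching anything. The following read-only audit script is an added example, not code from the thread or from Microsoft; it reads the standard Windows Update policy registry locations and reports the values that redirect scans away from Windows Update. It assumes it is run elevated on the Windows client being checked.

```powershell
# Added example: audit a Windows client for leftover WSUS/ConfigMgr Windows Update
# policy that prevents Windows Update for Business policy from taking effect.
# Read-only: it reports findings, it does not change or delete anything.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties.Name -contains $Name) {
        return $item.$Name
    }
    return $null
}

$findings = @()

# WUServer plus AU\UseWUServer=1 sends update scans to WSUS instead of Windows Update,
# so WUfB deferral, pause and expedite settings are never consulted.
$wuServer = Get-PolicyValue $wuPolicy 'WUServer'
$useWu    = Get-PolicyValue $auPolicy 'UseWUServer'
if ($wuServer -and $useWu -eq 1) {
    $findings += "Scans directed to WSUS ($wuServer) via UseWUServer=1; WUfB policy will not apply."
}

# DisableDualScan=1 stops the device from also scanning Windows Update.
if ((Get-PolicyValue $wuPolicy 'DisableDualScan') -eq 1) {
    $findings += 'DisableDualScan=1: device will not scan Windows Update for updates.'
}

# DoNotConnectToWindowsUpdateInternetLocations=1 blocks the cloud endpoints outright.
if ((Get-PolicyValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations') -eq 1) {
    $findings += 'DoNotConnectToWindowsUpdateInternetLocations=1: Windows Update endpoints blocked.'
}

# Whether the ConfigMgr client is still installed helps explain where the policy comes from.
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
Write-Output ("ConfigMgr client service present: {0}" -f [bool]$ccm)

if ($findings.Count -eq 0) {
    Write-Output 'No conflicting Windows Update policy found.'
} else {
    $findings | ForEach-Object { Write-Output "CONFLICT: $_" }
}
```

Run it against a device that "flipped back" to see which policy is winning before deciding whether a GPO, the ConfigMgr client or an Intune profile needs to change.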
- KurtGP
Copper Contributor
Brilliant strategies, thank you sir!
- Heather_Poulsen
Community Manager
We’re happy you’re here with us at the Microsoft Technical Takeoff! Whether you are attending one session or many, please take this 2-minute survey and let us know your thoughts on this event.
We’ll continue to answer questions here in the chat for the rest of the half hour and we’ll check back throughout the week. For bonus content, make sure to check out our Technical Takeoff Demo Channel!
- danjb
Brass Contributor
Can we get more stability and features in Autopilot? It's slow to startup, it frequently has various bugs, and it does not seem to consistently enroll existing devices - no matter how many times we sync enrollment with Intune.
- Jason_Sandys
Microsoft
We are hard at work improving Autopilot in just about every possible way including feature set, reliability, stability, troubleshooting, etc. As you can imagine, this is not a trivial endeavor and touches many different services and resources within Microsoft. Keep in mind also that there are a lot of external dependencies that Autopilot has that we cannot control and sometimes, these impact Autopilot's ability to be successful for an organization or environment. We are fully committed to Autopilot being the best possible experience for provisioning new Windows endpoints and are always open to hearing constructive feedback on what exactly is or is not currently working for our customers.
- Paul_Woodward
Iron Contributor
I'm still running WSUS for the Windows Servers. What's the best "easy win" to get the servers over to WUfB?
- Jason_Sandys
Microsoft
Windows Update for Business does not support Windows Server. Azure Arc, which includes many things like Azure Automation, is our first-class from-the-cloud server management solution and includes delivering updates to Windows Server as well as other OSes.
- bdam55
Iron Contributor
I don't think that's technically true Jason: WUfB can be and is being used to manage servers by a few, brave souls. Even the WUfB Deployment Service doesn't exclude them; there's just no first-party UI for server management.
To be clear, I'm not necessarily advocating for WUfB over Azure Automation Update Management, though unless things have changed there, the reporting story is even worse.
- MikeBecker
Copper Contributor
Update Management in Azure Automation is your server win. I moved to that and you can set MX windows, groups of machines and all that jazz. Works pretty well.
- bdam55
Iron Contributor
Remove WSUS? Are you suggesting that patching servers with WUfB is an easy win? WUfB: what if you need enterprise reporting (UC/WUfB Reports ain't there yet)?
- TThorup
Copper Contributor
For on-prem servers you can use Azure Update Management to automate the patching.
- bdam55
Iron Contributor
I'm well aware, but I don't think I'd call it an easy win. I genuinely like Azure UM but it's decades behind in terms of enterprise features.
- Sean_McLaren
Microsoft
Hi Bryan, Danny was referring to updating Windows clients in this session; he was not referring to Server updates.
- bdam55
Iron Contributor
Here, in the context of easy wins, Danny says 'No one should be using WSUS anymore': https://youtu.be/EPuaQ6_WXqA?t=795 That, for many ... many ... customers is basically saying no one should be patching servers anymore. When Microsoft talks about 'cloud' or 'modern' for endpoint management they chronically forget that servers are endpoints that need managing as well. It's so pervasive I can't help but think it's intentional sometimes. If an easy win means I'm saddled with _both_ on-prem and cloud management solutions then I question MS's definition of 'easy'.
- ZebulonSmith
Iron Contributor
Reporting is a big one. WUfB also makes it more difficult to deny an update that breaks the environment, promote one that's higher priority, and can't integrate with third-party catalogs. Lots of work in these areas lately and I'd love to not need WSUS anymore, but enterprises need that granular control and solid reporting.
- Deleted
The reporting thing has been heard loud and clear at Ignite and received by the product group. This might be a good workaround: https://msendpointmgr.com/2022/09/14/windows-update-compliance-dashboard-v8-0/
There are sessions later this day about reporting.
Windows Update for Business deployment service + Intune | Microsoft Technical Takeoff
Meet the new Windows Update for Business reporting experience | Microsoft Technical Takeoff
- PeterJ_Inobits
Iron Contributor
The old model of separate teams that don't talk to each other much actually reduces the organization's security posture. The bad guys don't care about the org's silos of info and logs and actually hide in the gaps in coverage.
- Heather_Poulsen
Community Manager
Welcome to Your guide to going cloud-native at the Microsoft Technical Takeoff. Let's get started! Have a question? Post it here in the Comments. Subject matter experts will be answering during the session and throughout the week.
- Rob de Roos
Iron Contributor
Another big issue to going cloud native is not one that is Intune or Windows 10/11 related but more on some legacy hardware like a NAS. A NAS needs an AD DS or AAD DS environment to be able to integrate into the environment. Most of the time this is sooo legacy that it doesn't need to be HA. A single DC would solve that issue. AAD would, in a cloud-native approach, be in the lead for managing accounts and groups. So, we are forced to use AAD DS. AAD DS however is always HA and therefore too expensive for most companies. I'm missing an in-between solution (or I missed some info somewhere if there is one now) that solves this issue.
- Jason_Sandys
Microsoft
A few comments here from me if I'm following all of the comments packed into that short paragraph:
1. Access to on-prem resources using an AAD joined device is seamless if integrated authentication is used: https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso.
2. We can't control the authentication method(s) used by your non-Microsoft solutions. You need to coordinate that with your NAS vendor.
3. Azure AD DS is not a replacement for on-prem AD and is definitely not meant for the scenario you've called out, so its cost, with respect to your on-prem resources, is more or less moot.
4. Cloud-native is mostly about your devices and end-users and not necessarily about eliminating your on-prem footprint completely. If you have constraints to legacy resources, then you'll have to make some concessions if you can't eliminate that constraint. If your VPN vendor can't accommodate an alternate auth method and you're tied to it, then you'll need to maintain an on-prem AD footprint. There are various ways to do this, but don't conflate cloud-native with eliminating your on-prem footprint; they are two, potentially parallel and related, different workstreams.