Home
%3CLINGO-SUB%20id%3D%22lingo-sub-922378%22%20slang%3D%22en-US%22%3ECo-Management%20of%20Windows%20Updates%20Workloads%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-922378%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20post%20is%20about%20co-managing%20the%20Windows%20Update%20policies%20workload%20between%20Configuration%20Manager%20and%20Intune.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1846895740%22%20id%3D%22toc-hId-1846895740%22%3EOverview%3C%2FH2%3E%0A%3CP%3EOrganizations%20today%20are%20looking%20for%20an%20integrated%20endpoint%20management%20platform%20which%20can%20ensure%20all%20devices%20whether%20owned%20by%20the%20business%20or%20personally%20owned%20stay%20secure%2C%20are%20managed%20and%20always%20up%20to%20date.%3C%2FP%3E%0A%3CP%3EThis%20demands%20the%20most%20secure%20desktop%20and%20mobile%20experiences%20without%20compromising%20user%20flexibility.%20Configuration%20Manager%20Co-Management%20opens%20the%20gateway%20to%20interconnect%20the%20investments%20made%20on-premise%20while%20attaching%20it%20with%20the%20power%20of%20modern%20cloud-based%20solutions%20like%20Microsoft%20365%20%26amp%3B%20unlock%20its%20full%20potential.%3C%2FP%3E%0A%3CP%3EConfiguration%20Manager%20supports%20managing%20internet%20based%20devices%20via%20the%20CMG%2FIBCM%20(if%20installed)%20and%20a%20co-managed%20device%20gives%20you%20the%20flexibility%20to%20use%20the%20solution%20that%20works%20best%20for%20your%20organization%20by%20allowing%20it%20to%20be%20managed%20concurrently%20with%20both%20Configuration%20Manager%20and%20Intune.%3C%2FP%3E%0A%3CP%3ELean%20more%20about%20co-management%20here%3A%20%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fcomanagement%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2Fcomanagement%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--705261221%22%20id%3D%22toc-hId--705261221%22%3EScenario%3C%2FH2%3E%0A%3CP%3EYour%20organization%20is%20interested%20to%20offload%20the%20Windows%20Update%20policies%20to%20Intune%2C%20some%20of%20the%20driving%20factors%20could%20be%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERemoving%20dependency%20of%20ConfigMgr%20agent%20health.%3C%2FLI%3E%0A%3CLI%3EUpdates%20deployment%20outside%20corporate%20network.%3C%2FLI%3E%0A%3CLI%3EAlways%20stay%20up%20to%20date%20matching%20corporate%20standards.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1037549114%22%20id%3D%22toc-hId-1037549114%22%3EBackground%3C%2FH2%3E%0A%3CP%3EWhen%20we%20talk%20about%20moving%20the%20Windows%20Update%20policies%20workload%20to%20Intune%2C%20we%20are%20leveraging%20the%20Windows%20Update%20for%20Business%20policies%2C%20also%20known%20as%20WUfB.%3C%2FP%3E%0A%3CP%3EYou%20may%20be%20wondering%20if%20that%E2%80%99s%20the%20case%20then%20why%20not%20use%20the%20Group%20Policies%3F%20This%20is%20exactly%20what%20Intune%20is%20doing%2C%20it%E2%80%99s%20managing%20the%20WUfB%20policies%20by%20removing%20dependencies%20of%20GPO%20%26amp%3B%20On-Premises%20infrastructure.%3C%2FP%3E%0A%3CP%3EThe%20following%20diagram%20provides%20a%20conceptual%20overview%20of%20how%20this%20works%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138698i9A54350404B8C48B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20diagram%20can%20be%20roughly%20divided%20into%20three%20areas%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20Device%20Management%20service%20syncs%20update%20information%20(title%2C%20description%2C%20applicability)%20from%20Microsoft%20Update%20using%20the%20Server-Server%20sync%20protocol%20(top%20of%20the%20diagram).%3C%2FLI%3E%0A%3CLI%3EThe%20Device%20Management%20service%20sets%20automatic%20update%20policies%2C%20obtains%20update%20compliance%20information%2C%20and%20sets%20approvals%20via%20OMA%20DM%20(left%20portion%20of%20the%20diagram).%3C%2FLI%3E%0A%3CLI%3EThe%20device%20gets%20updates%20from%20Microsoft%20Update%20using%20client%2Fserver%20protocol%2C%20but%20only%20downloads%20and%20installs%20updates%20that%20are%20both%20applicable%20to%20the%20device%20and%20approved%20by%20IT%20(right%20portion%20of%20the%20diagram).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EReference%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fdevice-update-management%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fdevice-update-management%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1514607847%22%20id%3D%22toc-hId--1514607847%22%3EConfiguration%3C%2FH2%3E%0A%3CP%3EYou%20begin%20with%20moving%20the%20Windows%20Update%20policies%20workload%20slider%20to%20either%20Pilot%2FIntune%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138699iF9A940E583688B8F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EStarting%20ConfigMgr%201906%20you%20can%20stage%20a%20workload%20to%20a%20collection.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138700i52663DA9F5E87E84%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_2.png%22%20title%3D%22clipboard_image_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThis%20triggers%20a%20policy%20update%20on%20the%20client%20side%20and%20increments%20the%20Co-management%20capabilities%20counter%20from%201%20to%2017.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20325px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138701i59CDBDFDC4E9DBE6%2Fimage-dimensions%2F325x242%3Fv%3D1.0%22%20width%3D%22325%22%20height%3D%22242%22%20alt%3D%22clipboard_image_3.png%22%20title%3D%22clipboard_image_3.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20321px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138702i91C886B1025E1CAB%2Fimage-dimensions%2F321x237%3Fv%3D1.0%22%20width%3D%22321%22%20height%3D%22237%22%20alt%3D%22clipboard_image_4.png%22%20title%3D%22clipboard_image_4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20verify%20this%20in%20the%20%3CSTRONG%3ECoManagementHander.log%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138703iCA6721B84DBFEC4E%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_5.png%22%20title%3D%22clipboard_image_5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EUpon%20a%20Software%20Update%20Scan%20Cycle%2C%20%3CSTRONG%3EWUAHandler.log%3C%2FSTRONG%3E%20also%20acknowledges%20the%20handover%20to%20MDM%2FIntune.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138704iBC1D1058DB5BCDC0%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_6.png%22%20title%3D%22clipboard_image_6.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20backend%2C%20it%20resets%20the%20%3CSTRONG%3EDisableDualScan%3C%2FSTRONG%3E%20registry%20from%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20to%20%3CSTRONG%3E0%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20502px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138705i734664F19839CE0E%2Fimage-dimensions%2F502x128%3Fv%3D1.0%22%20width%3D%22502%22%20height%3D%22128%22%20alt%3D%22clipboard_image_7.png%22%20title%3D%22clipboard_image_7.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20494px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138706i9F6E5728D830B484%2Fimage-dimensions%2F494x162%3Fv%3D1.0%22%20width%3D%22494%22%20height%3D%22162%22%20alt%3D%22clipboard_image_8.png%22%20title%3D%22clipboard_image_8.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThis%20can%20also%20be%20seen%20in%20the%20Local%20Policy%20%3CEM%3E%3CU%3EDo%20not%20allow%20update%20deferral%20policies%20to%20cause%20scan%20against%20Windows%20Update%3C%2FU%3E%20%3C%2FEM%3Ewhich%20changes%20from%20%3CSTRONG%3EEnabled%3C%2FSTRONG%3E%20to%20%3CSTRONG%3EDisabled%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20608px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138707iE7012766F7EB4204%2Fimage-dimensions%2F608x67%3Fv%3D1.0%22%20width%3D%22608%22%20height%3D%2267%22%20alt%3D%22clipboard_image_9.png%22%20title%3D%22clipboard_image_9.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20601px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138708i52C3975861EC7471%2Fimage-dimensions%2F601x80%3Fv%3D1.0%22%20width%3D%22601%22%20height%3D%2280%22%20alt%3D%22clipboard_image_10.png%22%20title%3D%22clipboard_image_10.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20the%20famous%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fswisspfe%2F2018%2F04%2F13%2Fwin10-updates-store-gpos-dualscandisabled-sup-wsus%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDual%20Scan%20policy%3C%2FA%3E%20you%20may%20have%20experienced%20in%20the%20past.%20In%20this%20state%20if%20you%20click%20on%20Check%20for%20updates%2C%20your%20device%20will%20directly%20contact%20Microsoft%20Update%20and%20download%20and%20install%20any%20applicable%20updates.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138709i880F97C1699333A0%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_11.png%22%20title%3D%22clipboard_image_11.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3A%20%3CEM%3EIf%20you%20deployed%20the%20device%20configuration%20policy%20to%20force%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-csp-controlpolicyconflict%23controlpolicyconflict-mdmwinsovergp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CEM%3E%20MDM%20over%20GPO%3C%2FEM%3E%3C%2FA%3E%3CEM%3E%20you%20won%E2%80%99t%20notice%20any%20change%20against%20the%20dual%20scan%20registry%20or%20group%20policy%20which%20will%20be%20blocked.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-228202488%22%20id%3D%22toc-hId-228202488%22%3EIntune%20%E2%80%93%20Software%20Update%20Policies%3C%2FH2%3E%0A%3CP%3EYou%20may%20be%20interested%20to%20delay%20the%20monthly%20quality%20updates%20by%207%20days%20and%20the%20feature%20updates%20by%2030%20days.%3C%2FP%3E%0A%3CP%3EFor%20updates%20management%2C%20we%20need%20to%20create%20Intune%20Software%20Update%20Policies%20and%20deploy%20them%20as%20rings.%20This%20will%20implement%20the%20WUfB%20polices%20and%20will%20control%20the%20behavior%20by%20applying%20any%20deferrals%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ELaunch%20%3CA%20href%3D%22https%3A%2F%2Fdevicemanagement.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdevicemanagement.microsoft.com%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EClick%20%3CSTRONG%3ESoftware%20Updates%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWindows%2010%20Update%20Rings%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138712i2A5A90C0968DD56A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_12.png%22%20title%3D%22clipboard_image_12.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECreate%20an%20update%20ring%20to%20meet%20the%20organization%20requirements.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EIts%20recommended%20to%20create%20multiple%20rings%20for%20deployment%20as%20you%20would%20typically%20do%20with%20ConfigMgr%20starting%20with%20a%20group%20of%20testers%20and%20then%20increasing%20the%20number%20of%20devices%20in%20each%20ring.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20563px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138711i3E79291861DA851D%2Fimage-dimensions%2F563x522%3Fv%3D1.0%22%20width%3D%22563%22%20height%3D%22522%22%20alt%3D%22clipboard_image_13.png%22%20title%3D%22clipboard_image_13.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EDon%E2%80%99t%20forget%20to%20deploy%2Fassign%20each%20ring%20to%20a%20target%20group.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138710iFA67EBE8A697EB6C%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_14.png%22%20title%3D%22clipboard_image_14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EOn%20the%20target%20devices%2C%20you%20will%20see%20the%20WUfB%20polices%20in%20the%20%3CSTRONG%3ESettings%20App%3C%2FSTRONG%3E%20under%20%3CSTRONG%3EWindows%20Update%3C%2FSTRONG%3E%20by%20clicking%20%3CSTRONG%3E%3CEM%3EView%20configured%20update%20policies%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138713iB8F00E361FB38C6A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_15.png%22%20title%3D%22clipboard_image_15.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138714i19AEDB8A0696F472%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_16.png%22%20title%3D%22clipboard_image_16.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EDepending%20on%20the%20WUfB%20policies%20configuration%2C%20the%20device%20can%20automatically%20start%20downloading%20and%20installing%20updates%20to%20the%20device.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20632px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138715iDA2A890676934A9E%2Fimage-dimensions%2F632x245%3Fv%3D1.0%22%20width%3D%22632%22%20height%3D%22245%22%20alt%3D%22clipboard_image_17.png%22%20title%3D%22clipboard_image_17.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1971012823%22%20id%3D%22toc-hId-1971012823%22%3EWhat%20about%20Office%20365%20Updates%3F%3C%2FH2%3E%0A%3CP%3EThese%20updates%20are%20still%20managed%20by%20ConfigMgr.%20You%20have%20the%20choice%20to%20choose%20between%20ConfigMgr%20or%20Intune%2C%20for%20guidance%2C%20refer%20this%20link%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FCore-Infrastructure-and-Security%2FCo-Management-of-Office-Click-to-Run-apps-Workload%2Fba-p%2F871090%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ECo-Management%20of%20Office%20Click-to-Run%20apps%20Workload%20%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--581144138%22%20id%3D%22toc-hId--581144138%22%3EHow%20about%203%3CSUP%3Erd%3C%2FSUP%3E%20Party%20Updates%3F%3C%2FH2%3E%0A%3CP%3EThe%20third-party%20updates%20can%20still%20be%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsccm%2Fsum%2Fdeploy-use%2Fthird-party-software-updates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Emanaged%20and%20deployed%3C%2FA%3E%20by%20ConfigMgr.%20Since%20these%20updates%20are%20not%20available%20via%20Microsoft%20Updates%2C%20for%20internet%20facing%20devices%20you%20need%20to%20additionally%20deploy%20them%20to%20CMG%2FCloud-DP%2FInternet%20facing%20DP.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1161666197%22%20id%3D%22toc-hId-1161666197%22%3EMonitoring%3C%2FH2%3E%0A%3CP%3ESoftware%20Update%20compliance%20reports%20in%20ConfigMgr%20will%20report%20the%20Microsoft%20Updates%20as%20%3CU%3ENot%20Required%3C%2FU%3E%20for%20devices%20which%20have%20moved%20the%20Co-Management%20slider%20to%20Intune.%3C%2FP%3E%0A%3CP%3EAn%20exception%20to%20this%20behavior%20is%20for%20the%20%3CSTRONG%3EOffice%20365%20updates%3C%2FSTRONG%3E%20and%20%3CSTRONG%3E3%3CSUP%3Erd%3C%2FSUP%3E%20party%20updates%3C%2FSTRONG%3E%20which%20will%20continue%20to%20report%20their%20compliance%20to%20ConfigMgr.%3C%2FP%3E%0A%3CP%3EIntegrate%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsccm%2Fdesktop-analytics%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDesktop%20Analytics%3C%2FA%3E%20with%20ConfigMgr%20for%20capturing%20updates%20compliance%20of%20Microsoft%20Updates%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20639px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138716i0CF80086A705A6A3%2Fimage-dimensions%2F639x174%3Fv%3D1.0%22%20width%3D%22639%22%20height%3D%22174%22%20alt%3D%22clipboard_image_18.png%22%20title%3D%22clipboard_image_18.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThanks%2C%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EArnab%20Mitra%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-922378%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20post%20is%20about%20co-managing%20the%20Windows%20Update%20policies%20workload%20between%20Configuration%20Manager%20and%20Intune.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-922378%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EArnabMitra%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

This post is about co-managing the Windows Update policies workload between Configuration Manager and Intune.

 

Overview

Organizations today are looking for an integrated endpoint management platform which can ensure all devices whether owned by the business or personally owned stay secure, are managed and always up to date.

This demands the most secure desktop and mobile experiences without compromising user flexibility. Configuration Manager Co-Management opens the gateway to interconnect the investments made on-premise while attaching it with the power of modern cloud-based solutions like Microsoft 365 & unlock its full potential.

Configuration Manager supports managing internet based devices via the CMG/IBCM (if installed) and a co-managed device gives you the flexibility to use the solution that works best for your organization by allowing it to be managed concurrently with both Configuration Manager and Intune.

Lean more about co-management here: http://aka.ms/comanagement

 

 

Scenario

Your organization is interested to offload the Windows Update policies to Intune, some of the driving factors could be

  • Removing dependency of ConfigMgr agent health.
  • Updates deployment outside corporate network.
  • Always stay up to date matching corporate standards.

 

Background

When we talk about moving the Windows Update policies workload to Intune, we are leveraging the Windows Update for Business policies, also known as WUfB.

You may be wondering if that’s the case then why not use the Group Policies? This is exactly what Intune is doing, it’s managing the WUfB policies by removing dependencies of GPO & On-Premises infrastructure.

The following diagram provides a conceptual overview of how this works:

clipboard_image_0.png

The diagram can be roughly divided into three areas:

  • The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
  • The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
  • The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).

Reference: https://docs.microsoft.com/en-us/windows/client-management/mdm/device-update-management

 

 

Configuration

You begin with moving the Windows Update policies workload slider to either Pilot/Intune

clipboard_image_1.png

Starting ConfigMgr 1906 you can stage a workload to a collection.

clipboard_image_2.png

This triggers a policy update on the client side and increments the Co-management capabilities counter from 1 to 17.

clipboard_image_3.pngclipboard_image_4.png

You can verify this in the CoManagementHander.log

clipboard_image_5.png

Upon a Software Update Scan Cycle, WUAHandler.log also acknowledges the handover to MDM/Intune.

clipboard_image_6.png

 

In the backend, it resets the DisableDualScan registry from 1 to 0

clipboard_image_7.png

 

clipboard_image_8.png

This can also be seen in the Local Policy Do not allow update deferral policies to cause scan against Windows Update which changes from Enabled to Disabled

clipboard_image_9.pngclipboard_image_10.png

 

This is the famous Dual Scan policy you may have experienced in the past. In this state if you click on Check for updates, your device will directly contact Microsoft Update and download and install any applicable updates.

clipboard_image_11.png

 

Note: If you deployed the device configuration policy to force MDM over GPO you won’t notice any change against the dual scan registry or group policy which will be blocked.

 

Intune – Software Update Policies

You may be interested to delay the monthly quality updates by 7 days and the feature updates by 30 days.

For updates management, we need to create Intune Software Update Policies and deploy them as rings. This will implement the WUfB polices and will control the behavior by applying any deferrals

clipboard_image_12.png

  • Create an update ring to meet the organization requirements.

Its recommended to create multiple rings for deployment as you would typically do with ConfigMgr starting with a group of testers and then increasing the number of devices in each ring.

clipboard_image_13.png

Don’t forget to deploy/assign each ring to a target group.

clipboard_image_14.png

On the target devices, you will see the WUfB polices in the Settings App under Windows Update by clicking View configured update policies

clipboard_image_15.pngclipboard_image_16.png

Depending on the WUfB policies configuration, the device can automatically start downloading and installing updates to the device.

clipboard_image_17.png

 

 

What about Office 365 Updates?

These updates are still managed by ConfigMgr. You have the choice to choose between ConfigMgr or Intune, for guidance, refer this link: ​​​Co-Management of Office Click-to-Run apps Workload​

 

How about 3rd Party Updates?

The third-party updates can still be managed and deployed by ConfigMgr. Since these updates are not available via Microsoft Updates, for internet facing devices you need to additionally deploy them to CMG/Cloud-DP/Internet facing DP.

 

Monitoring

Software Update compliance reports in ConfigMgr will report the Microsoft Updates as Not Required for devices which have moved the Co-Management slider to Intune.

An exception to this behavior is for the Office 365 updates and 3rd party updates which will continue to report their compliance to ConfigMgr.

Integrate Desktop Analytics with ConfigMgr for capturing updates compliance of Microsoft Updates

clipboard_image_18.png

 

 

 

 

Thanks,

Arnab Mitra