Support Tip: Troubleshooting Windows 10 Update Ring Policies
Published Jun 21 2019 09:02 AM
Microsoft

Hi everyone, here's another great post by Intune Support Escalation Engineer Mingzhe Li where she talks about how to verify if Intune Software Update Ring policies have been deployed to target clients, as well as offering up some great troubleshooting tips for the same. Be sure you check it out, and if you have any feedback for Mingzhe you can post it in the comments section below.

 

=====

 

When deploying Windows Update Ring policies to Windows 10 devices using Microsoft Intune, if you ever encounter an issue it’s important that you first determine whether the issue is Intune-related or Windows-related so that you can focus your troubleshooting efforts in the right place. As part of that, a key question is whether the Intune policy has been successfully deployed to the target device. Before I jump into that however, let's first get a basic understanding of Windows Update Rings and what their purpose is.

 

Understanding Windows Update Ring Policies

Sometimes there can be a misunderstanding that Intune provides a cloud-based update service like WSUS from which clients can download updates and hotfixes. This is not entirely accurate, however: Windows Update Ring policies only define an update strategy (e.g. block driver installation, set deferral period, set maintenance time, etc.); they don’t actually provide the update infrastructure itself. Think of it as being analogous to certain Group Policies for Windows Update deployed from your on-premises Active Directory. This means that you still need to use your existing update solution such as Windows Update or WSUS to obtain the actual updates.

 

NOTE: You can find more information on Windows Update Rings here: https://docs.microsoft.com/en-us/intune/windows-update-for-business-configure.

 

Windows Update Ring policies make use of the Windows Policy CSP to configure the update policies on the Windows clients. Once Intune deploys the Windows Update Ring policy to an assigned device, Policy CSP will write the appropriate values to the Windows registry to make the policy take effect. So now that we know what these policies do, let’s look at how we can verify if the Windows Update Ring settings have been successfully applied.

 

Verifying Windows Update Ring Settings on a Target Device

Let’s begin by assuming that you have deployed a Windows Update Ring policy with the settings shown below:

 

101922-jch-1.png

How do we confirm that the settings have been applied to the targeted device? There are a few different ways we can do that. Typically the status in the portal is sufficient, but the other methods are explained below in case you find them helpful when troubleshooting related issues.

 

1. Check the policy deployment status in the Intune Portal

The first thing you should always do is check the status of the policy in the Intune Portal:

 

101922-jch-2.png

 

101922-jch-3.png

As you can see above, everything looks good and is reporting a success. However, if there are issues or you simply want confirmation, you can also verify the settings on the target device itself and we’ll go through how to do that below.

 

2. Verify that update policies are managed by MDM

On the targeted Windows 10 device, go to Settings -> Updates and Security -> Windows Update -> Advanced Options:

 

101922-jch-4.png

 

Click View configured update policies, then verify that the policy type is Mobile Device Management:

 

101922-jch-5.png

-----

101922-jch-6.png

This confirms that the update policies are configured by our MDM solution, which in this case is Microsoft Intune. However, it's possible that the update policy is coming from the on-premises Active Directory, in which case we would see Group Policy as the policy type:

101922-jch-7.png

If this is the case, it won’t matter what update policy you configure in Intune: the applied policy and the observed behavior are still going to be whatever is configured via Active Directory.

 

3. Verify that the Registry keys are properly configured

If the Windows Update Ring policies are successfully deployed by Intune to the target device, you will be able to see those settings in the Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update. Here’s an example from a client running in my lab:

 

101922-jch-8.png

 

These values are configured by the Windows Policy CSP so you can verify that the values of the keys match the settings specified in your Update Ring policy. For more information on each of these see https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update.

 

4. Check the MDM diagnostics report

Another option is to capture and view an MDM diagnostic report from a targeted device and see if you can find the Windows Update Ring policy in it. If you can see the policy settings in the report, this is another indication that the policy was successfully deployed. The Microsoft Helps video below explains how to capture an MDM diagnostic report from a Windows device.

 

 

TIP: The primary purpose of the MDM diagnostic report is to assist Microsoft Support when troubleshooting issues. If you open a support case with Microsoft on Intune and the problem involves Windows clients, it’s always a good idea to gather this report and include it in your support request.

 

Troubleshooting Issues Relating to Windows Update Ring Policy

At this point we have a pretty good idea how to confirm that our Windows Update Ring policy is being successfully deployed, but what do you do if it’s not? Here are a few things to check:

 

  • Is the device properly enrolled into Microsoft Intune? If not, you’ll need to address that before troubleshooting anything specific to the policy.
  • Is there an active network connection on the device? If the device is in airplane mode, or it’s turned off, or if the user has the device in a location with no service, the policy will not apply until network connectivity is established.
  • Have you deployed the Windows Update Ring policy to the correct user/device group? Be sure to double check that the correct user/device really is in that group. This is an easy one that often gets overlooked.
  • Does the deployment of the entire policy fail, or is it that only certain settings are not being applied? If you find yourself faced with a scenario like this where only some policy settings are failing, below are some more things you can check.

The first thing to do is verify that the setting is supported by the Windows version of the target device. To give you an example, I recently worked with a customer who deployed a Windows Update Ring policy but there was an error in the Intune Portal for Block user from scanning for Windows updates:

 

101922-jch-9.png

We started by checking to see what exactly the setting did and what the version requirements were. With a quick check of the doc here, we saw that this is implemented by Policy CSP Update/SetDisableUXWUAccess:

 

101922-jch-10.png

 

By further checking the Windows reference documentation at https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-setdisableux..., we could see that the failed setting is only supported for Windows 1809 and above:

 

101922-jch-11.png

101922-jch-12.png

Armed with that information, we then verified that the affected devices were running Windows 1803 and could then confirm that the issue disappeared once the device was upgraded to 1809.
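The registry check from step 3 and the version check from this case can be combined into one script. The following PowerShell is an added example, not part of the original post: the expected values are constructed samples to replace with your own ring's settings, and the Group Policy key and the ReleaseId value it reads are standard Windows locations that the post itself does not mention.

```powershell
# Added example. The values in $Expected are constructed; use your ring's settings.
$Expected = [ordered]@{
    DeferQualityUpdatesPeriodInDays = 7    # constructed sample value
    DeferFeatureUpdatesPeriodInDays = 30   # constructed sample value
    ExcludeWUDriversInQualityUpdate = 1    # constructed sample value
    SetDisableUXWUAccess            = 1    # constructed sample value
}
# Minimum Windows 10 release per setting; only the requirement stated in the post is listed.
$MinRelease = @{ SetDisableUXWUAccess = 1809 }

$MdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # not from the post
$OsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'        # not from the post

$release = (Get-ItemProperty -Path $OsKey -ErrorAction SilentlyContinue).ReleaseId
$mdm     = Get-ItemProperty -Path $MdmKey -ErrorAction SilentlyContinue

# Compare each expected setting with what Policy CSP wrote to the registry.
$report = foreach ($name in $Expected.Keys) {
    $have = if ($mdm) { $mdm.$name } else { $null }
    $status = if ($MinRelease.ContainsKey($name) -and $release -and
                  [int]$release -lt $MinRelease[$name]) {
        "Needs Windows $($MinRelease[$name]) or later"
    } elseif ($null -eq $have) {
        'Missing'      # policy not delivered, or setting not written
    } elseif ("$have" -ne "$($Expected[$name])") {
        'Mismatch'     # another ring or profile may be winning
    } else {
        'OK'
    }
    [pscustomobject]@{
        Setting   = $name
        Expected  = $Expected[$name]
        Actual    = $have
        OsRelease = $release
        Status    = $status
    }
}
$report | Format-Table -AutoSize

# Values here mean Group Policy also configures Windows Update on this device;
# confirm the policy type as described in step 2.
$gpo = Get-Item -Path $GpoKey -ErrorAction SilentlyContinue
if ($gpo -and ($gpo.ValueCount -gt 0 -or $gpo.SubKeyCount -gt 0)) {
    Write-Warning "Group Policy Windows Update settings exist under $GpoKey"
}
```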

 

As was the case here, if you can see that the Windows update policy type is set to Mobile Device Management and the registry key values are correct, it’s usually safe to assume that the problem is not directly related to Intune, but more likely an issue with the Windows client or an associated configuration in the environment. This means you need to start looking in other areas like:

 

  • The Windows OS version on the target device.
  • If and how Windows Update is configured.
  • If and how WSUS is configured.

These are beyond the scope of this article, however a good starting point is to check the Windowsupdate.log. More information on that can be found here: https://blogs.technet.microsoft.com/charlesa_us/2015/08/06/windows-10-windowsupdate-log-and-how-to-v.... Another good resource is the CBS logs under C:\Windows\logs\CBS.

 

For more information on troubleshooting Windows Update and WSUS, see the following:

 

https://support.microsoft.com/en-us/help/10164/fix-windows-update-errors

https://support.microsoft.com/en-us/help/4027322/windows-update-troubleshooter

https://support.microsoft.com/en-us/help/4025764/how-to-troubleshoot-wsus-connection-failures

 

Mingzhe Li

Support Escalation Engineer

Microsoft Intune Support Team

Last update: Jun 21 2019 09:10 AM