Hi everyone, here's another great post by Intune Support Escalation Engineer Mingzhe Li where she talks about how to verify if Intune Software Update Ring policies have been deployed to target clients, as well as offering up some great troubleshooting tips for the same. Be sure you check it out, and if you have any feedback for Mingzhe you can post it in the comments section below.
When deploying Windows Update Ring policies to Windows 10 devices using Microsoft Intune, if you ever encounter an issue it’s important that you first determine whether the issue is Intune-related or Windows-related so that you can focus your troubleshooting efforts in the right place. As part of that, a key question is whether the Intune policy has been successfully deployed to the target device. Before I jump into that however, let's first get a basic understanding of Windows Update Rings and what their purpose is.
Understanding Windows Update Ring Policies
Sometimes there can be a misunderstanding that Intune provides a cloud-based update service like WSUS from which clients can download updates and hotfixes. This is not entirely accurate however, as Windows Update Ring policies only define an update strategy (e.g. block driver installation, set deferral period, set maintenance time, etc.), they don’t actually provide the update infrastructure itself. Think of it as being analogous to certain Group Policies for Windows Update deployed from your on-premises Active Directory. This means that you still need to use your existing update solution such as Windows Update or WSUS to obtain the actual updates.
NOTE You can find more information on Windows Update Rings here: https://docs.microsoft.com/en-us/intune/windows-update-for-business-configure.
Windows Update Ring policies make use of the Windows Policy CSP to configure the update policies on the Windows clients. Once Intune deploys the Windows Update Ring policy to an assigned device, Policy CSP will write the appropriate values to the Windows registry to make the policy take effect. So now that we know what these policies do, let’s look at how we can verify if the Windows Update Ring settings have been successfully applied.
Verifying Windows Update Ring Settings on a Target Device
Let’s begin by assuming that you have deployed a Windows Update Ring policy with the settings shown below:
How do we confirm that the settings have been applied to the targeted device? There are a few different ways we can do that. Typically the status in the portal is sufficient, but the other methods are explained as well in case you find them helpful when troubleshooting related issues.
1. Check the policy deployment status in the Intune Portal
The first thing you should always do is check the status of the policy in the Intune Portal:
As you can see above, everything looks good and is reporting a success. However, if there are issues or you simply want confirmation, you can also verify the settings on the target device itself and we’ll go through how to do that below.
2. Verify that update policies are managed by MDM
On the targeted Windows 10 device, go to Settings -> Updates and Security -> Windows Update -> Advanced Options:
Click View configured update policies, then verify that the policy type is Mobile Device Management:
This confirms that the update policies are configured by our MDM solution, which in this case is Microsoft Intune. However, it's possible that the update policy is coming from the on-premises Active Directory, in which case we would see Group Policy as the policy type:
If this is the case, it won’t matter what update policy you configure in Intune; the applied policy and the observed behavior are still going to be whatever is configured via Active Directory.
3. Verify that the Registry keys are properly configured
If the Windows Update Ring policies are successfully deployed by Intune to the target device, you will be able to see those settings in the Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update. Here’s an example from a client running in my lab:
These values are configured by the Windows Policy CSP so you can verify that the values of the keys match the settings specified in your Update Ring policy. For more information on each of these see https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update.
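The two device-side checks above (policy type and registry values) can be scripted. The following PowerShell is an added example and is not part of the original post; it compares the values Intune should have written under the PolicyManager key with what is actually there, and also looks for Windows Update settings under the Group Policy key, which would mean Active Directory rather than Intune is in control. The expected values in $expected are constructed for illustration and should be replaced with the settings of your own Update Ring.

```powershell
# Added example (not from the original post): verify Update Ring settings written
# by the Policy CSP and detect a competing on-premises Group Policy.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected values (assumed for this example). The value names are the
# Policy CSP Update/<name> identifiers, which is how the CSP stores them.
$expected = @{
    DeferQualityUpdatesPeriodInDays = 7
    DeferFeatureUpdatesPeriodInDays = 30
    ExcludeWUDriversInQualityUpdate = 1
    BranchReadinessLevel            = 16
    SetDisableUXWUAccess            = 1
}

function Test-UpdateRingRegistry {
    param([string]$Key, [hashtable]$Expected)

    if (-not (Test-Path $Key)) {
        Write-Warning "MDM update policy key not found: $Key (policy not delivered yet?)"
        return
    }
    $actual = Get-ItemProperty -Path $Key
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $prop  = $actual.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Status   = if ($null -eq $value) { 'Missing' }
                       elseif ([string]$value -eq [string]$Expected[$name]) { 'OK' }
                       else { 'Mismatch' }
        }
    }
}

function Get-GroupPolicyUpdateOverrides {
    param([string]$Key)
    # Any values here mean Windows Update is managed by Group Policy; per the
    # post, the device then follows those settings rather than the Intune ring.
    if (Test-Path $Key) {
        Get-ItemProperty -Path $Key | Select-Object -Property * -ExcludeProperty PS*
    }
}

Test-UpdateRingRegistry -Key $mdmKey -Expected $expected | Format-Table -AutoSize

$overrides = Get-GroupPolicyUpdateOverrides -Key $gpoKey
if ($overrides) {
    Write-Warning "Group Policy Windows Update settings found under $gpoKey; the device will follow these, not the Intune Update Ring:"
    $overrides | Format-List
}
```

Run it in an elevated PowerShell on the target device. A row reporting Missing usually means the policy has not been delivered yet (or the setting is not supported on that Windows version), while Mismatch points at a stale or conflicting assignment; anything listed by the Group Policy check corresponds to seeing Group Policy instead of Mobile Device Management in View configured update policies.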
4. Check the MDM diagnostics report
Another option is to capture and view an MDM diagnostic report from a targeted device and see if you can find the Windows Update Ring policy in it. If you can see the policy settings in the report, this is another indication that the policy was successfully deployed. The Microsoft Helps video below explains how to capture an MDM diagnostic report from a Windows device.
TIP: The primary purpose of the MDM diagnostic report is to assist Microsoft Support when troubleshooting issues. If you open a support case with Microsoft on Intune and the problem involves Windows clients, it’s always a good idea to gather this report and include it in your support request.
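As an added example (not from the original post), the report can be captured from the command line with the built-in MdmDiagnosticsTool.exe (Windows 10 1709 and later) and searched for the Update Ring policy names, so you do not have to read through the whole file by hand. The output folder and the list of policy names are assumptions for this example.

```powershell
# Added example (not from the original post): capture an MDM diagnostic report
# and check whether the Update Ring policies appear in it.
$outDir      = 'C:\Users\Public\Documents\MDMDiagReport'   # assumed output location
$policyNames = @(                                           # assumed set of settings
    'DeferQualityUpdatesPeriodInDays',
    'DeferFeatureUpdatesPeriodInDays',
    'SetDisableUXWUAccess'
)

function New-MdmDiagReport {
    param([string]$OutputDirectory)
    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
    # -out writes the MDMDiagReport files (HTML report plus supporting dumps)
    & MdmDiagnosticsTool.exe -out $OutputDirectory
    $files = Get-ChildItem -Path $OutputDirectory -File
    if (-not $files) { throw "No report files were produced in $OutputDirectory" }
    $files
}

function Find-UpdatePolicyInReport {
    param([string]$OutputDirectory, [string[]]$Names)
    $files = Get-ChildItem -Path $OutputDirectory -File
    foreach ($n in $Names) {
        # Plain-text search so it works regardless of the report's internal layout
        $hits = $files | Select-String -Pattern $n -SimpleMatch
        [pscustomobject]@{
            Policy      = $n
            InReport    = [bool]$hits
            Occurrences = @($hits).Count
            Files       = (@($hits) | Select-Object -ExpandProperty Filename -Unique) -join ', '
        }
    }
}

New-MdmDiagReport -OutputDirectory $outDir | Out-Null
Find-UpdatePolicyInReport -OutputDirectory $outDir -Names $policyNames | Format-Table -AutoSize
```

A policy that shows InReport as False has not reached the device's MDM policy store, which narrows the problem to the Intune side; if it is present but the behaviour is still wrong, the Windows side is the place to look next. Keep the output folder with the support request as the TIP above suggests.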
Troubleshooting Issues Relating to Windows Update Ring Policy
At this point we have a pretty good idea how to confirm that our Windows Update Ring policy is being successfully deployed, but what do you do if they’re not? Here are a few things to check:
The first thing to do is verify that the setting is supported by the Windows version of the target device. To give you an example, I recently worked with a customer who deployed a Windows Update Ring policy but there was an error in the Intune Portal for Block user from scanning for Windows updates:
We started by checking to see what exactly the setting did and what the version requirements were. With a quick check of the doc here, we saw that this is implemented by Policy CSP Update/SetDisableUXWUAccess:
By further checking the Windows reference documentation at https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-setdisableux..., we could see that the failed setting is only supported for Windows 1809 and above:
Armed with that information, we then verified that the affected devices were running Windows 1803 and confirmed that the issue disappeared once the device was upgraded to 1809.
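The version check in that case can be done on the device before opening a case. The following PowerShell is an added example, not part of the original post: it reads the installed build from the registry and compares it against the minimum build a setting requires. Only SetDisableUXWUAccess is listed, with the 1809 minimum the post cites (1809 is build 17763); minimums for other settings would be taken from the Policy CSP documentation linked above.

```powershell
# Added example (not from the original post): check whether a Policy CSP Update
# setting is supported by the Windows 10 release installed on this device.
$minimumBuild = @{
    SetDisableUXWUAccess = 17763   # Windows 10 1809, per the post
    # Add other settings here from the policy-csp-update documentation.
}

function Get-WindowsRelease {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        # DisplayVersion exists on newer builds; ReleaseId on older ones (e.g. 1803)
        Release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
        Build   = [int]$cv.CurrentBuild
    }
}

function Test-PolicySupport {
    param([hashtable]$MinimumBuild)
    $os = Get-WindowsRelease
    foreach ($setting in ($MinimumBuild.Keys | Sort-Object)) {
        $required = $MinimumBuild[$setting]
        [pscustomobject]@{
            Setting        = $setting
            InstalledBuild = $os.Build
            Release        = $os.Release
            RequiredBuild  = $required
            Supported      = $os.Build -ge $required
        }
    }
}

$results = Test-PolicySupport -MinimumBuild $minimumBuild
$results | Format-Table -AutoSize

# An unsupported setting is expected to report an error in the Intune Portal,
# so the fix is a Windows upgrade rather than a change to the Intune policy.
$results | Where-Object { -not $_.Supported } | ForEach-Object {
    Write-Warning "$($_.Setting) needs build $($_.RequiredBuild) or later; this device is $($_.Release) (build $($_.InstalledBuild))."
}
```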
As was the case here, if you can see that the Windows update policy type is set to Mobile Device Management and the registry key values are correct, it’s usually safe to assume that the problem is not directly related to Intune, but more likely an issue with the Windows client or an associated configuration in the environment. This means you need to start looking in other areas like:
These are beyond the scope of this article, however a good starting point is to check the Windowsupdate.log. More information on that can be found here: https://blogs.technet.microsoft.com/charlesa_us/2015/08/06/windows-10-windowsupdate-log-and-how-to-v.... Another good resource is the CBS logs under C:\Windows\logs\CBS.
For more information on troubleshooting Windows Update and WSUS, see the following:
Support Escalation Engineer
Microsoft Intune Support Team