When is my device going to update?
Event Ended
Monday, Oct 24, 2022, 10:00 AM PDT
Have you ever wondered when the device is going to scan, download, install, and/or reboot? Or what logic goes into the “intelligent” decisions around when to update? In this session, we are going to take you right to the source (aka the decision engine code) and, together with the developers who wrote the code themselves, unpack just some of the different things we look at when determining when to scan, download, and install.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Heather_Poulsen
Updated Dec 27, 2024
84 Comments
- EricOhlin
Iron Contributor
AriaUpdated - Many WUfB guides list "Share Usage Data - Required" CSP as a prerequisite. However, I believe this setting is identical to "System/AllowTelemetry."
Would you please confirm? Thank you
- AriaUpdated
Microsoft
Hi there, while client policies do not require any telemetry, the Windows Update for Business Deployment Service does require that you allow for Cloud Processing which is different than the telemetry level. Hope this helps! 🙂
- EricOhlin
Iron Contributor
Hey AriaUpdated, Thank you for the response. 🙂 However, I'm still unclear on my original question. I also read in the documentation that for Update Rings to function, you must have telemetry enabled.
I have "Allow WUfB Cloud Processing" = Enabled
My question is related to this prerequisite for Update Rings.
Have Telemetry turned on, with a minimum setting of Required.
Configure Telemetry as part of a Device Restriction policy for Windows 10 or later. In the device restriction profile, under Reporting and Telemetry, configure the Share usage data with a minimum value of Required. Values of Enhanced (1903 and earlier) or Optional are also supported.
What is the difference between setting Telemetry through Device Restriction > Share Usage Data and setting it through Settings Catalog > System > Allow Telemetry? (This is the screenshot in my original post.)
Are the two settings the same thing? If you set them both, do they conflict with each other?
Many, many thanks.
- Heather_Poulsen
Community Manager
How did we do on our Technical Takeoff Day 1 sessions? Please take this 2-minute survey and let us know your thoughts on this event.
- Lucas_Chappelle
Occasional Reader
What is the algorithm for WUfB updates via Intune? I guess my question is, how long does a device have to be online before it gets updates? I've been testing this in my environment and I've seen some devices get hit with updates almost 10-30 minutes after logging online, and others can be online all day and get hit with updates at 10pm (10+ hours later). I guess I just get worried when I have a deadline, for example, Group A to get hit with updates 2 days after Patch Tuesday and halfway through the day only half of that group actually received updates.
- David_Guyer
Microsoft
The scheduling is driven by the Windows Update client on the device. In general, devices scan about once every 24 hours... but there are also checks in place so that if the device is off and misses a 24 hour scheduled scan, it can do so shortly after logging in, or booting up. So, once an update becomes available to devices, it can take up to 24 hours to start updating, even with the deadline in place. And, device activity is a big driver of overall organizational update success... devices that are on intermittently are very difficult to update on time. Much work has gone into making the Windows Update client as robust as possible, even in these situations, but sometimes we can't overcome end user behavior!
- thejame
Copper Contributor
Long question, saved it for after the session: Is there any thought of having an option of delaying updates (both security and general updates) and have a pre-production / production granularity via Intune? Example: Microsoft releases an update today for general consumption. Desire is to delay by X days for Collection A of workstations, delay by Y days for Collection B. Once the delay is past, then download and install the update for Collection A. And then have the toast notification built into it for pending reboot (we currently use a script that checks pending reboot > 7, then toast). Purpose is that we are paranoid and do not enjoy "cutting edge patching". We've seen Microsoft release a patch and then pull it completely a few days afterwards. This signals that the patch was faulty or negatively affected users, which reduces our confidence in installing the patch immediately after release. So desire of granular control of patching. When a zero day hits, Microsoft releases KB, we can go to the Intune portal and manually approve and trigger the update and bypassing the delay, and then get a report when KB __________ has been installed on _________ workstations. ___% of workstations have the patch applied. #askingtoomuch
- David_Guyer
Microsoft
That is exactly the approach we recommend. Today, in Intune, you would do this by creating multiple Update Rings policies... and in each one you use the Quality Update deferral that sets that delay up, and assign the set of devices to get the update in that timeframe. For feature updates, you can also create multiple policies with different start dates and device assignments to be able to verify the quality of the update with a limited and specific group of devices. HTH!
- EricOhlin
Iron Contributor
How does WUfB handle out-of-band patches? For example, an OOB CU (or non-CU) patch is released on the 25th of the month. How does WUfB handle this delivery? Thanks!
- AriaUpdated
Microsoft
So all security or critically marked quality updates get deployed to WUfB devices. This means all patch Tuesday updates as well as any security OOBs are deployed to WUfB devices. Note, the OOBs will respect the same quality update deferrals / pause policies that you have configured.
- EricOhlin
Iron Contributor
Thank you @Aria! 🙂
- Thanks!!!
- JoeLentz
Copper Contributor
It would be awesome if WUFB deployment service is aware of Windows 11 device upgrade eligibility so it knows what FU it can deploy to the device. From my understanding the "Upgrade Windows 10 devices to Latest Windows 11 release" WUFB policy option will not work the way that it reads because the WUFB DS cannot make those intelligent decisions for each device. I was attempting to rely only on the WU profile and to NOT use a FU profile so devices would automatically do FUs based on the deferral period and their Win 11 compatibility. I was instead advised to create multiple FU profiles and target them to the device. But my rings are mixed with compatible and non-compatible devices, which can quickly become a cumbersome task. Currently I'm targeting the rings with a Windows 11 FU target and after that's had time for them to upgrade, I change it to the latest Windows 10 version so the non-compatible devices will upgrade, which is not ideal.
- David_Guyer
Microsoft
Hi Joseph, You are correct that we don't currently have a good way to automatically upgrade compatible devices to Win11, and then give a Win10 feature update to devices not compatible with Win11. The recommendation is to use one of the Win11 readiness reports, and create new AAD groups, for example one for "not Win11 compatible". Then, in your Feature Update policies, you can create a Win11 targeted update, and also assign the "not Win11 compatible" group as an Exclusion group... to remove those devices from the primary set you've assigned. You can do the reverse in a Win10 policy. We are looking into how we can make this easier, but hopefully these ideas will get you started!
- JoeLentz
Copper Contributor
Thank you for the reply, I look forward to it!
- Nicol Hanekom
Brass Contributor
How can we control when updates install when building a device using autopilot? We are finding that updates install immediately after autopilot completes, takes a long time and blocks any assigned apps from installing, even though the update ring policy is set to only install updates after hours.
- Rob de Roos
Iron Contributor
Have you targeted to Users or Devices?
- David_Guyer
Microsoft
Today, there isn't a good way to do that, other than keeping your images as up to date as possible. Windows update should wait about 3 hours after completing OOBE for other tasks and for the user to get started. And should be looking for user activity to throttle background downloads and installs. Since these updates usually include security fixes, it is important to get any applicable and missing Windows Updates installed quickly.
- AdrianV365
Copper Contributor
Sorry if this may be a remedial question: occasionally external Nvidia graphics card requires standalone driver update to function following Microsoft update. Where can I look to automatically mitigate this?
- KevinMineweaser_MSFT
Microsoft
Hi Adrian,
The path forward for scenarios where specific drivers need validation and targeting by IT Pros will be the new driver deployment service. You can find more information on the first iteration of this preview here: Deployment service for driver updates public preview coming soon - Microsoft Tech Community
HTH,
-Kevin
- Jeffrey Twaskas
Copper Contributor
We are having some issues with Kiosks and VDIs where we want them to scan, download, install and restart on very specific schedules (e.g. overnight on the weekends). Do you have any blog posts or suggestions on how we can do that?
- AriaUpdated
Microsoft
Why yes, check out this blog and the kiosk section: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-windows-update-policies-you-should-set-and-why/ba-p/3270914 Hope it helps! 🙂