AMA: Managing Windows updates
Wednesday, Jun 05, 2024, 09:30 AM PDT
Event details
Managing updates across an organization doesn’t have to be complicated. Have questions on how to control update offerings and experiences? Want to know the best ways to test on a subset of devices before deploying updates across your organization? Need to balance timely update deployment with a positive update experience for the people in your organization? Bring your questions to this Ask Microsoft Anything (AMA) session!
This session is part of Tech Community Live: Windows edition.
Heather_Poulsen
Updated Dec 27, 2024
- Elmer (Copper Contributor)
Hi, we have some Cloud PCs that are not used often or may not get used at all. They are all in Autopatch. These have issues getting Windows updates. We've seen some get updates once the users log in. Is this a known issue? Thank you
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 45:45.
- Michael_Cureton (Microsoft)
- Elmer (Copper Contributor)
Hi Michael, the versions are 10.0.19044 and 10.0.22000.
- swpheonix77 (Copper Contributor)
Will there be mechanisms built into WUfB and Autopatch to be able to easily pull a KB from deployment that causes an unforeseen issue in the environment? We can do it easily in WSUS but have been told this is not easy in these products by design? I know we should be able to test in advance releases, but things happen 🙂 in a large, broad environment. Thanks!
- Jason_Sandys (Microsoft)
Also, keep in mind here that granular management of updates as was done in WSUS 10+ years ago is more or less an OBE process given the use of monthly cumulative updates; i.e., granular KBs no longer exist to be approved (or declined). For Windows, it's an all-or-nothing proposition now and has been since Windows was released. You can entirely pause the delivery of all quality updates (which is, for most intents and purposes, the monthly Windows CU) and this is the primary option. If there is a specific "fix" within a CU that is causing you an issue, you can generally disable it using Known Issue Rollback: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831. The bottom line, though, is that granular management of updates is a thing of the distant past even in WSUS, as the update model itself has changed.
- swpheonix77 (Copper Contributor)
I appreciate the responses and added guidance on the Known Issue Rollback capabilities. For our admins, the visibility is still much more visible and granular in WSUS (CM) than in Intune and WUfB, and I'm hoping it will continue to evolve... as well as the gap in the long-awaited driver updates visibility and maturity we are hoping are still coming as promised a year ago. (Impatient... I know :)) We will consider this in decision making and be aware it is only for non-security updates. The updates from July this year that were problematic with BitLocker would have been an issue that could not be rolled back, as I understand it, had a test device sample size not been large enough to determine if it impacted our assets. I also know this scenario is usually rare... 1-2 times per year for us. Is there a link for these rollbacks or status that both acknowledges in real time when they happen and advises status in real time? Thanks again for the information.
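The "pause everything" lever Jason describes can be verified on a device. The following PowerShell is an added example (not from the AMA or from Microsoft) that reads the documented pause settings written by Group Policy, by the Intune Update CSP, and by the Settings-app pause, and reports whether quality updates are currently paused and when the pause runs out; the 35-day figure is the documented maximum for a policy pause.

```powershell
# Added example, not from the AMA thread. Reports whether this device is currently pausing
# quality updates and when the pause ends. Policy pauses last at most 35 days from
# PauseQualityUpdatesStartTime; the Settings-app pause records its own expiry under
# WindowsUpdate\UX\Settings. Run in an elevated PowerShell session on the device.

function Get-QualityUpdatePauseState {
    $now     = Get-Date
    $results = @()

    # Policy-based pauses (Group Policy and Intune/Update CSP): a flag plus a start date
    $policyPaths = @{
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        'Intune/CSP'   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    }
    foreach ($source in $policyPaths.Keys) {
        $p = Get-ItemProperty -Path $policyPaths[$source] -ErrorAction SilentlyContinue
        if (-not $p -or $p.PauseQualityUpdates -ne 1) { continue }
        # GP stores "yyyy-MM-dd", the CSP an ISO 8601 timestamp; both cast to [datetime]
        $start = [datetime]$p.PauseQualityUpdatesStartTime
        $end   = $start.AddDays(35)                      # documented maximum pause length
        $results += [pscustomobject]@{
            Source   = $source
            Start    = $start
            End      = $end
            Active   = ($now -ge $start -and $now -lt $end)
            DaysLeft = [math]::Max(0, [int]($end - $now).TotalDays)
        }
    }

    # Settings-app pause (a user clicked "Pause updates"): an explicit expiry is recorded
    $ux = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -ErrorAction SilentlyContinue
    if ($ux -and $ux.PauseUpdatesExpiryTime) {
        $end = [datetime]$ux.PauseUpdatesExpiryTime
        $results += [pscustomobject]@{
            Source   = 'Settings app'
            Start    = $null
            End      = $end
            Active   = ($now -lt $end)
            DaysLeft = [math]::Max(0, [int]($end - $now).TotalDays)
        }
    }

    if (-not $results) {
        return [pscustomobject]@{ Source = 'none'; Start = $null; End = $null; Active = $false; DaysLeft = 0 }
    }
    return $results
}

Get-QualityUpdatePauseState | Format-Table -AutoSize
```

A device showing Active = True from a policy source will skip the monthly CU until End, so a fleet-wide run of this (for example through a remediation script) is a quick way to find devices still paused after an issue has been resolved.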
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 39:15.
- lalanc01 (Iron Contributor)
I've tried to go to the policy conflict report, but I don't seem to have the 'Autopatch' blade in Intune like it's mentioned in the doc: "Go to the Microsoft Intune admin center. Navigate to Windows Autopatch > Policy health > Affected devices tab. Select View alert to see the alert details." Can you please provide the URL for the report to be sure I'm looking at the right place? Thanks
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 35:55.
- lalanc01 (Iron Contributor)
Forget about my question. Didn't know we had to enroll into Autopatch via Tenant admin first to see the blade.
- TylerPlesetz (Microsoft)
Here is the link to the Policy Health report as mentioned in the session: https://aka.ms/autopatchpolicyhealth
- Fabian_May (Copper Contributor)
Hi!
Thanks for the opportunity to get in touch on the Windows Update topic!
I'm currently managing a fleet of 1000+ Dell notebooks using Microsoft Intune. Our devices are hybrid joined and we're switching from WSUS to Autopatch. At the moment I'm implementing a mix of Autopatch and the Dell Command Update tool, which can be controlled by Proactive Remediations to search and scan for driver/firmware/BIOS updates. TBH it's a huge pain and I'm starting to wonder if the drivers provided by Windows Update are "good enough". Dell Command Update seems to have newer versions of drivers, firmware and especially BIOS, though. Is this going to change in the future so that drivers might get more up to date?
Dell seems to be working closely together with Microsoft and we really appreciate Microsoft implementing new features with Dell as a "pioneer". Things like pushing BIOS settings to our devices using a simple Intune config profile and the Dell Command Endpoint Configure for Microsoft Intune tool are a really good step in the right direction. Are there any plans to bring Windows Update and Dell Command Update even closer together in the future? BIOS updates seem to be available in Dell tools way sooner than they are in Windows Update, and the updating process itself seems more stable when using the Dell tool. Proactive Remediations can't be used in this scenario because the time of execution is way too random and never as set in the script frequency. Are there any changes coming to Windows Update regarding BIOS updates? Getting them sooner, making the update process more reliable? Maybe even managing BIOS versions "like apps" using Autopatch?
Thanks a lot for your great work, keep it up! 🙂
- Ryan_Williams (Microsoft)
More details to this question:
Microsoft performs additional verification during the flighting process of drivers before they are recommended through the service. This helps ensure that drivers do not cause issues with devices after taking the update.
A few days after a publisher submits a driver to be published on Windows Update, we make the driver available through the service as an "Other" driver. This allows critical updates to be available through the service as soon as possible and allows admins to deploy these updates with a manual approval. Once flighting completes, the driver is made available as "Recommended" driver and can be automatically approved under an automatic policy.
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 22:20.
- Fabian_May (Copper Contributor)
Thanks for answering my question!
May I ask a (little shorter 😉) follow-up question? Are the teams working on Microsoft Defender Vulnerability Management development syncing with the teams working on Windows Update driver deployment? As an Intune admin I'll keep on getting reports of missing driver, firmware and BIOS updates from my security colleagues (which is great, kudos to Defender). It would be even greater if Autopatch had all the updates available that Defender is asking for. Is this a scenario Microsoft is or will be providing in the future? Like "Defender and Intune using the same database for the newest / most secure version of drivers, firmware and BIOS updates"?
Love to the talk. Thanks a lot!
- Jason_Sandys (Microsoft)
Keep in mind that most drivers aren't provided by Microsoft. Most drivers in WUfB are published and maintained by the vendors/OEMs so closing the described gap here is entirely incumbent on the vendors/OEMs and thus really a question better posed to them.
- lalanc01 (Iron Contributor)
Can you showcase the policy conflict report and how you think we should use it to help fix conflict issues? If we're only using WUfB for now, do we need to do something or wait for the unification to be able to use it? Thanks
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 18:05.
- Char_Cheesman (Bronze Contributor)
Don't be shy! This is a great forum to ask your questions about the latest features, but also to share information about use cases and scenarios you need to support. Post your questions now in the Comments.
- lalanc01 (Iron Contributor)
Any plans to extend the optional feature update to allow enforcing it at a specific date? For example, allow the user to upgrade for 3 weeks and if he/she hasn't, enforce. This is the last missing point to fully migrate feature upgrades to WUfB (we already do for CU). Thanks
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 14:45.
- RuanITCJ (Brass Contributor)
For devices in Intune, is there going to be an option to have the device check for updates? There's Update Windows Defender Security Intelligence, but not regular Windows Updates. It would be great to be able to kick off a manual Windows Update scan from the device overview.
- Joe_Lurie (Microsoft)
RuanITCJ, thanks for the question. If you haven't heard, we are working on a "Device Query" in Intune (much like SCCM's CMPivot) which will allow you to query a device and then take an action. So you can kick off a real-time scan and then update, or reboot, or whatever the action needed is... directly from the Intune admin center. For more information on Device Query, see here: Device query in Microsoft Intune | Microsoft Learn
- Jason_Sandys (Microsoft)
Can you expand on the scenario you are trying to address here? A scan from the Settings app can be initiated by the end user. Is there something else you are looking for here?
- RuanITCJ (Brass Contributor)
Kind of like how MECM has options for the local client: we can force a client to pull a machine policy, check for application deployments, update user policy, evaluate software updates deployment, etc. A sync won't necessarily force an update scan immediately.
- t3hcr (Brass Contributor)
We're still heavily an on-prem shop and use WSUS and Group Policies to manage our updates for our workstations (and servers). Is there anything new with WSUS and related Group Policies that we should be considering? Is there a future still for our approach? Appreciate all the goodness y'all are moving forward! 😊
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 25:00.
- Jason_Sandys (Microsoft)
Is there a reason you haven't begun looking to Windows cloud native (which includes management with Intune and WUfB/Autopatch)? This is effectively the path forward for all orgs (where technically possible), with most/all on-prem solutions within the Microsoft stack being deprioritized.
- t3hcr (Brass Contributor)
Managerial hesitance to move to cloud, but no lack of hesitance by the actual practitioners. 😊 I continue to push things forward as I can. I just hope I can before it's too late. Thanks for answering my question here and on the live AMA!
- -KenD (Brass Contributor)
What advice do you have for customers who want to move to newer management methods of Windows updates but have complicated "known unknowns"? For example, bandwidth issues with VPN split-exclude tunnels, and complicated networking which may or may not allow east-west traffic. Previously with WSUS/ConfigMgr you knew client <-> DP/WSUS and could back off downloads quickly if too many clients started at the same time. What options are there to throttle if networking goes wrong?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 15:50.
- TylerPlesetz (Microsoft)
Hello Ken! Today, Delivery Optimization is a solution we have to help offload internet traffic by allowing devices to share update content with each other. Here is some of our documentation around Delivery Optimization for more: https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization
If DO is unable to meet your needs, we'd love to hear about it!
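Ken's throttling question and Tyler's pointer to Delivery Optimization are easier to act on when you can see what DO is actually doing on a device. The PowerShell below is an added example (not from the AMA, Microsoft, or the linked documentation) that reads the documented DO policy locations for Group Policy and the Policy CSP (download mode and bandwidth caps) and then lists, per DO job, how many bytes came from peers, from the internet over HTTP, and from a Connected Cache server, using the built-in Get-DeliveryOptimizationStatus cmdlet; the property names used are those the cmdlet returns on current Windows builds.

```powershell
# Added example, not from the AMA thread: summarise what Delivery Optimization is doing on
# this device, so you can tell whether peering and the bandwidth limits you configured are
# in effect. Registry paths and DO policy names are the documented Group Policy / Policy CSP
# locations; Get-DeliveryOptimizationStatus ships with Windows 10 1709 and later.
# Run in an elevated PowerShell session on the device.

function Get-DOPolicySummary {
    $paths = @{
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        'Intune/CSP'   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
    }
    # DODownloadMode: 0 HTTP only, 1 LAN peers, 2 group peers, 3 internet peers, 99 simple, 100 bypass
    $modes = @{ 0 = 'HTTP only'; 1 = 'LAN peers'; 2 = 'Group peers'; 3 = 'Internet peers'; 99 = 'Simple'; 100 = 'Bypass' }
    foreach ($source in $paths.Keys) {
        $p = Get-ItemProperty -Path $paths[$source] -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $mode = if ($null -ne $p.DODownloadMode) { "$($p.DODownloadMode) ($($modes[[int]$p.DODownloadMode]))" } else { 'not set' }
        [pscustomobject]@{
            Source            = $source
            DownloadMode      = $mode
            MaxBackgroundKBps = $p.DOMaxBackgroundDownloadBandwidth   # absolute cap in KB/s; absent = unlimited
            MaxForegroundKBps = $p.DOMaxForegroundDownloadBandwidth
            PctBackground     = $p.DOPercentageMaxBackgroundBandwidth  # percentage-of-link cap
        }
    }
}

function Get-DOJobSummary {
    # One row per DO job; byte counters are split by source (peers, HTTP/internet, Connected Cache)
    Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue | ForEach-Object {
        $total = [double]($_.BytesFromPeers + $_.BytesFromHttp + $_.BytesFromCacheServer)
        [pscustomobject]@{
            FileId         = $_.FileId
            Status         = $_.Status
            SizeMB         = [math]::Round($_.FileSize / 1MB, 1)
            FromPeersMB    = [math]::Round($_.BytesFromPeers / 1MB, 1)
            FromInternetMB = [math]::Round($_.BytesFromHttp / 1MB, 1)
            FromCacheMB    = [math]::Round($_.BytesFromCacheServer / 1MB, 1)
            PeerPct        = if ($total -gt 0) { [math]::Round(100 * $_.BytesFromPeers / $total, 1) } else { 0 }
        }
    }
}

Get-DOPolicySummary | Format-Table -AutoSize
Get-DOJobSummary    | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

A device on a VPN that reports DownloadMode 0 or a PeerPct near zero on large jobs is pulling everything over the internet link, which is exactly the case where the background bandwidth caps above are the throttle to reach for.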