Windows Servicing · Modern Endpoint Guides
Microsoft Intune
Windows Update for Business & Autopatch
Modern patch management from the cloud: WUfB Update Rings for staged rollouts, Windows Autopatch for fully automated patching, and driver management via Intune, all without WSUS.
Overview & Licensing
Two complementary approaches: WUfB Update Rings give you full control over the deferral period of each ring. Windows Autopatch takes the management burden away: Microsoft schedules updates across four deployment rings automatically, based on service health data and signals from the earlier rings.
WUfB Update Rings
- Manual ring structure (Pilot, UAT, Broad)
- Full control over deferral days
- Quality and Feature update control
- Available with Intune P1
- Requires IT management of ring membership
Windows Autopatch
- Microsoft manages update scheduling automatically
- 4 predefined rings (Test, First, Fast, Broad)
- Intelligent rollout based on device health signals
- Auto-pause on failure signals
- Requires Windows 10/11 Enterprise E3/E5 and Intune Plan 1
| Feature | License |
|---|---|
| WUfB Update Rings (Quality/Driver) | Intune P1 |
| Feature Update Policies | Intune P1 |
| Windows Autopatch | Windows E3/E5 + Intune P1 |
| Windows Update for Business reports (Azure Monitor workbook; successor to the retired Update Compliance solution) | Azure Log Analytics workspace |
| Autopatch Groups (custom) | Windows E3+ |
WUfB Update Rings
Best practice: create three to four rings with staggered deferral days. Each ring defers updates by a set number of days from Microsoft's release, giving the previous ring time to validate.
Recommended Ring Structure
| Ring | Deferral | Population |
|---|---|---|
| Pilot | 0 days | IT staff, early adopters (2-5%) |
| UAT | 7 days | Power users, testers (5-10%) |
| Broad | 21 days | General employees (80%+) |
| Critical | 30 days | VIP and business-critical devices (note: Windows Server is not enrolled in Intune and does not honor WUfB deferral policies, so rings cannot cover servers) |
Key Update Ring Settings
| Setting | Pilot Ring | Broad Ring | Critical Ring |
|---|---|---|---|
| Quality update deferral | 0 days | 21 days | 30 days |
| Feature update deferral | 0 days | 60 days | 90 days |
| Active hours | 06:00-22:00 | 08:00-18:00 | 08:00-17:00 |
| Grace period after deadline | 2 days | 5 days | 7 days |
| Auto reboot before deadline | Enabled | Enabled | Enabled |
| Deadline for quality updates | 3 days | 7 days | 14 days |
Feature Update Policies
Feature Update Policy
- Pin devices to a specific Windows version (e.g., Windows 11 23H2)
- Control upgrade timing independently from quality updates
- Deferral (up to 365 days) is an update ring setting; the feature update policy instead holds devices on the chosen version until you change it
- Separate policy from Update Rings, assigned to the same device groups
- Works alongside safeguard holds (Microsoft blocks an update on devices with a known compatibility issue)
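The ring table and the feature update policy above, as an added example that is not part of the original page or of Microsoft's documentation: it creates the four rings through Microsoft Graph with the deferral, deadline, grace-period and active-hours values from the tables, assigns each ring to a device group, and pins all of them to one feature update version. It assumes the Microsoft.Graph.Authentication module, the DeviceManagementConfiguration.ReadWrite.All permission, and placeholder group IDs you replace; the UAT deadline and grace values are interpolated between Pilot and Broad because the page does not list them. Property names follow the Graph windowsUpdateForBusinessConfiguration (v1.0) and windowsFeatureUpdateProfile (beta) resource types.

```powershell
# Added example (not the page's own code). Requires Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Ring definitions from the tables above. Group IDs are placeholders; UAT deadline/grace are assumptions.
$rings = @(
    @{ Name = "WUfB - Pilot";    GroupId = "00000000-0000-0000-0000-000000000001"; QualityDefer = 0;  FeatureDefer = 0;  Deadline = 3;  Grace = 2; HoursStart = 6; HoursEnd = 22 }
    @{ Name = "WUfB - UAT";      GroupId = "00000000-0000-0000-0000-000000000002"; QualityDefer = 7;  FeatureDefer = 30; Deadline = 5;  Grace = 3; HoursStart = 8; HoursEnd = 18 }
    @{ Name = "WUfB - Broad";    GroupId = "00000000-0000-0000-0000-000000000003"; QualityDefer = 21; FeatureDefer = 60; Deadline = 7;  Grace = 5; HoursStart = 8; HoursEnd = 18 }
    @{ Name = "WUfB - Critical"; GroupId = "00000000-0000-0000-0000-000000000004"; QualityDefer = 30; FeatureDefer = 90; Deadline = 14; Grace = 7; HoursStart = 8; HoursEnd = 17 }
)

function Invoke-Graph {
    # Thin wrapper: hashtable body -> JSON; returns the deserialized response (a hashtable)
    param([string]$Method, [string]$Uri, [hashtable]$Body)
    $params = @{ Method = $Method; Uri = $Uri }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 10); $params.ContentType = "application/json" }
    Invoke-MgGraphRequest @params
}

function Get-ExistingPolicyId {
    # Idempotency guard: re-running the script must not create a second copy of a ring.
    # Filters client-side and follows @odata.nextLink, since Invoke-MgGraphRequest does not page.
    param([string]$Uri, [string]$DisplayName)
    while ($Uri) {
        $page = Invoke-Graph -Method GET -Uri $Uri
        $hit = $page.value | Where-Object { $_.displayName -eq $DisplayName } | Select-Object -First 1
        if ($hit) { return $hit.id }
        $Uri = $page.'@odata.nextLink'
    }
    return $null
}

function New-WufbRing {
    param([hashtable]$Ring)
    $base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
    $id = Get-ExistingPolicyId -Uri $base -DisplayName $Ring.Name
    if ($id) { Write-Host "Ring '$($Ring.Name)' already exists ($id), skipping create"; return $id }

    $body = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $Ring.Name
        microsoftUpdateServiceAllowed      = $true                          # Microsoft Update (drivers, Office), not only OS
        driversExcluded                    = $false                         # drivers follow the ring, as the page recommends
        businessReadyUpdatesOnly           = "all"                          # GA channel only, no Insider builds
        automaticUpdateMode                = "autoInstallAtMaintenanceTime"
        qualityUpdatesDeferralPeriodInDays = $Ring.QualityDefer
        featureUpdatesDeferralPeriodInDays = $Ring.FeatureDefer
        deadlineForQualityUpdatesInDays    = $Ring.Deadline
        deadlineForFeatureUpdatesInDays    = $Ring.Deadline
        deadlineGracePeriodInDays          = $Ring.Grace
        postponeRebootUntilAfterDeadline   = $false                         # "auto reboot before deadline" = Enabled
        userPauseAccess                    = "disabled"                     # only IT pauses a ring
        installationSchedule               = @{
            "@odata.type"    = "#microsoft.graph.windowsUpdateActiveHoursInstall"
            activeHoursStart = "{0:D2}:00:00" -f $Ring.HoursStart           # TimeOfDay, e.g. 06:00:00
            activeHoursEnd   = "{0:D2}:00:00" -f $Ring.HoursEnd
        }
    }
    $created = Invoke-Graph -Method POST -Uri $base -Body $body
    # Assign the ring to its device group (deviceConfiguration /assign action)
    Invoke-Graph -Method POST -Uri "$base/$($created.id)/assign" -Body @{
        assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $Ring.GroupId } })
    } | Out-Null
    return $created.id
}

function New-FeatureUpdatePin {
    # One feature update profile shared by every ring: the ring keeps its own deferral,
    # the profile holds all devices on the named version until an admin changes it.
    param([string]$DisplayName, [string]$Version, [string[]]$GroupIds)
    $base = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
    $id = Get-ExistingPolicyId -Uri $base -DisplayName $DisplayName
    if (-not $id) {
        $created = Invoke-Graph -Method POST -Uri $base -Body @{
            "@odata.type"        = "#microsoft.graph.windowsFeatureUpdateProfile"
            displayName          = $DisplayName
            featureUpdateVersion = $Version                                 # same string the Intune UI shows
        }
        $id = $created.id
    }
    $targets = foreach ($g in $GroupIds) {
        @{ "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfileAssignment"
           target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $g } }
    }
    Invoke-Graph -Method POST -Uri "$base/$id/assign" -Body @{ assignments = @($targets) } | Out-Null
    return $id
}

$ringIds = foreach ($r in $rings) { New-WufbRing -Ring $r }
$groupIds = $rings | ForEach-Object { $_.GroupId }
New-FeatureUpdatePin -DisplayName "Feature update - Windows 11 23H2" -Version "Windows 11, version 23H2" -GroupIds $groupIds
Write-Host "Rings: $($ringIds -join ', ')"
```

The script is safe to re-run: an existing ring or profile with the same display name is reused rather than duplicated, so a second run only refreshes assignments. Changing the pinned version later is a single edit to the `-Version` argument; the rings themselves stay untouched.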
Safeguard Holds
- Microsoft automatically blocks problematic feature updates for affected hardware and software configurations
- Cannot be overridden in the consumer channel
- Commercial organizations can opt out with the Update/DisableWUfBSafeguards policy; use it only for validation, since the hold exists because the update is known to fail on that configuration
- Monitor holds in Windows Update for Business reports (the successor to Update Compliance)
Windows Autopatch
Windows Autopatch takes over all quality (security) update scheduling. You don't set deferral days; Microsoft manages the rollout schedule based on device health telemetry and signals from the earlier rings.
Onboarding Steps
1. Verify prerequisites (Entra ID, Intune, Windows E3)
2. Enable Autopatch in the Intune admin center > Windows Autopatch > Tenant enrollment
3. Complete readiness checks (Intune validates prerequisites)
4. Assign devices to the Autopatch device registration group
5. Monitor deployment progress in Autopatch reports
Prerequisites Check
- Windows 10 1809+ or Windows 11
- Microsoft Entra ID joined or hybrid joined
- Intune enrolled and managed
- Windows Enterprise E3 or E5 license
- Microsoft 365 Apps for enterprise (for M365 app updates)
- No conflicting WUfB update ring policies assigned to the same devices
Autopatch Groups & Deployment Rings
Default Autopatch Deployment Rings
| Ring | % of Devices | Update Timing | Purpose |
|---|---|---|---|
| Test | 1% | Patch Tuesday (day 0) | Earliest validation |
| First | 9% | Patch Tuesday +1 day | Early adopters |
| Fast | 20% | Patch Tuesday +6 days | Broad early validation |
| Broad | 70% | Patch Tuesday +9 days | General population |
Custom Autopatch Groups
- Create named groups (e.g., "Finance", "Manufacturing")
- Each group has its own 4-ring deployment schedule
- Custom deferral offsets per ring within the group
- Assigned to Entra ID device groups
What Autopatch Controls
- Windows quality (security) updates
- Microsoft 365 Apps updates
- Microsoft Edge updates
- Microsoft Teams updates
- Windows feature updates (optional)
- Driver updates (optional)
Driver & Firmware Management
Automatic Driver Management
- Intune can manage driver and firmware updates via WUfB
- Recommended: keep Windows drivers allowed in the update ring so drivers follow the ring's deferral, and use a driver update policy for approval control
- Option: Automatic approval, Microsoft-recommended drivers are deployed without admin action
- Option: Manual approval, an admin approves each driver and sets its deployment date
- Available for Windows 10 2004+ and Windows 11
Driver Policy in Intune
- Update ring: Intune > Devices > Windows > Update rings > Windows drivers (Allow/Block)
- Driver update policy: Intune > Devices > Windows updates > Driver updates
- Approval: Automatic (default) or Manual (requires admin action)
- Individual drivers can be paused (stops further rollout of an approved driver) or declined
Update Compliance Reports
WUfB Reports (native Intune)
- Intune > Reports > Windows updates
- Device update status per ring
- Pending restart / failed update
- Compliance % by ring
Autopatch Reports
- Windows Autopatch > Reports
- Per-ring deployment health
- Devices not up to date
- Pause/resume history
Azure Monitor Workbook
- Windows Update for Business reports (Azure Monitor workbook; successor to the retired Update Compliance solution)
- Requires a Log Analytics workspace and devices that send the required Windows diagnostic data
- Historical trend data
- OS version distribution chart
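The native reports show compliance per ring, but the monitoring checklist further down wants an alert for devices more than 30 days behind, which none of the built-in views emit directly. The script below is an added example, not code from the page or from Microsoft: it pages through every Windows device in Intune over Graph, and flags those that have not checked in for N days or whose build revision (the UBR, the fourth number of osVersion) is below a floor you set per feature version. It assumes the Microsoft.Graph.Authentication module and the DeviceManagementManagedDevices.Read.All permission; the `$minimums` table holds placeholder values you refresh from the monthly release notes.

```powershell
# Added example (not the page's own code). Requires Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

function Get-GraphPages {
    # Follow @odata.nextLink until the collection is exhausted (Invoke-MgGraphRequest does not page)
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-UpdateLaggards {
    param(
        [hashtable]$MinimumUbr,     # "major.minor.build" -> lowest acceptable UBR for that feature version
        [int]$StaleDays = 30        # checklist threshold: devices >30 days behind
    )
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$filter=operatingSystem eq 'Windows'&`$select=id,deviceName,osVersion,lastSyncDateTime,complianceState"
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($d in Get-GraphPages -Uri $uri) {
        $reasons = @()
        $lastSync = [datetime]$d.lastSyncDateTime
        if ($lastSync -lt $cutoff) {
            $reasons += "no check-in for $([int]((Get-Date) - $lastSync).TotalDays) days"
        }

        if ($d.osVersion) {
            $ver = [version]$d.osVersion                     # e.g. 10.0.22631.3296
            $baseBuild = "{0}.{1}.{2}" -f $ver.Major, $ver.Minor, $ver.Build
            if (-not $MinimumUbr.ContainsKey($baseBuild)) {
                $reasons += "build $baseBuild not in the approved list"        # unknown or out-of-support feature version
            } elseif ($ver.Revision -lt $MinimumUbr[$baseBuild]) {
                $reasons += "UBR $($ver.Revision) below floor $($MinimumUbr[$baseBuild])"
            }
        } else {
            $reasons += "no osVersion reported"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DeviceName = $d.deviceName
                OSVersion  = $d.osVersion
                LastSync   = $lastSync
                Compliance = $d.complianceState
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Placeholder floors (assumption): set each to the UBR of the cumulative update you treat as the minimum.
# Keys are the base builds of Windows 11 23H2, Windows 11 22H2 and Windows 10 22H2.
$minimums = @{
    "10.0.22631" = 0
    "10.0.22621" = 0
    "10.0.19045" = 0
}

$laggards = Get-UpdateLaggards -MinimumUbr $minimums -StaleDays 30
$laggards | Sort-Object LastSync | Format-Table -AutoSize
$laggards | Export-Csv -NoTypeInformation -Path ".\wufb-laggards-$(Get-Date -Format yyyyMMdd).csv"
```

Run it from the same scheduled job that posts to your ticketing or chat channel; a non-empty CSV is the alert condition. Because unknown base builds are flagged too, a device that quietly took a feature update you never approved shows up in the same list as one that is merely late.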
Pausing Updates
WUfB Ring Pause
- Pause per ring in the Intune update ring settings
- Max pause: 35 days (Windows-enforced limit)
- Quality and feature updates can be paused independently
- The pause expires automatically after 35 days and is not extended on its own; to keep updates paused you must resume and pause the ring again
After 35 days the pause lapses and the device resumes scanning for and installing updates on its own, so plan remediation within that window.
Autopatch Pause
- Autopatch can auto-pause if device failure threshold exceeded
- Manual pause: Autopatch β Deployment rings β Pause ring
- Post-pause: Microsoft resumes on next Patch Tuesday cycle
- Incident ticket automatically created for significant pauses
Troubleshooting
Common Issues & Fixes
| Issue | Cause | Fix |
|---|---|---|
| Device not receiving updates | WUfB policy conflicts with a GPO or a leftover WSUS setting (WUServer with UseWUServer=1), so the device keeps scanning WSUS | Remove the WSUS registry values; verify no conflicting GPO applies |
| Feature update blocked | Safeguard hold from Microsoft | Check Windows Update for Business reports for the safeguard hold ID |
| Autopatch device not registering | Missing license or unmet prerequisites | Run the readiness check; verify the E3 license is assigned |
| Restart loop after update | Conflicting policy or app incompatibility | Review the event log; test uninstalling the recent update |
| Update stuck at 0% | Windows Update service stopped or network issue | Restart wuauserv; verify connectivity to the Windows Update endpoints (*.windowsupdate.com, *.update.microsoft.com, *.delivery.mp.microsoft.com) |
| Quality update deferral not working | Ring policy never reached the device (device not in the assigned group, or policy not yet synced) | Verify group membership, sync the device, and confirm the values under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update |
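Most rows of the table above, and the 35-day pause limit from the previous section, come down to a handful of registry values and service states on the endpoint. The function below is an added example, not code from the page or from Microsoft: run elevated on a device, it reports WSUS remnants, the deferral and pause values the Intune CSP actually wrote, how many days are left in a pause window, how long ago the last update installed, whether a restart is pending, and whether the Windows Update endpoints are reachable. The value names under the Policy CSP Update node and the pause start-time format are assumptions taken from the CSP documentation rather than from this page, and the endpoint host list is an illustrative subset.

```powershell
# Added example (not the page's own code). Run in an elevated PowerShell on the endpoint.
function Get-WufbDeviceState {
    [CmdletBinding()]
    param(
        [int]$StaleDays    = 30,   # "devices >30 days behind" threshold from the monitoring checklist
        [int]$MaxPauseDays = 35    # Windows-enforced maximum pause length
    )
    $gpo = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $csp = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"   # values written by the Update CSP (assumed names)
    $cv  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

    $gpoVals = Get-ItemProperty -Path $gpo      -ErrorAction SilentlyContinue
    $auVals  = Get-ItemProperty -Path "$gpo\AU" -ErrorAction SilentlyContinue
    $cspVals = Get-ItemProperty -Path $csp      -ErrorAction SilentlyContinue
    $build   = Get-ItemProperty -Path $cv

    # 1. Legacy WSUS remnants: WUServer plus UseWUServer=1 sends scans to WSUS and the Intune ring is ignored
    $wsusConflict = [bool]$gpoVals.WUServer -and ($auVals.UseWUServer -eq 1)

    # 2. Pause window: the CSP stores the pause start date; Windows lifts the pause 35 days later on its own
    $pauseLeft = $null
    if ($cspVals.PauseQualityUpdates -eq 1 -and $cspVals.PauseQualityUpdatesStartTime) {
        $start = [datetime]::Parse($cspVals.PauseQualityUpdatesStartTime)
        $pauseLeft = [math]::Max(0, $MaxPauseDays - [int]((Get-Date) - $start).TotalDays)
    }

    # 3. Freshness: newest installed update (Get-HotFix reads Win32_QuickFixEngineering)
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince = if ($last) { [int]((Get-Date) - $last.InstalledOn).TotalDays } else { $null }

    # 4. Pending restart, service state, and reachability of Windows Update over 443
    $rebootPending = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
    $endpoints = "update.microsoft.com", "download.windowsupdate.com"       # illustrative subset of the WU endpoint list
    $unreachable = $endpoints | Where-Object {
        -not (Test-NetConnection -ComputerName $_ -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSBuild               = "$($build.CurrentBuild).$($build.UBR) ($($build.DisplayVersion))"
        WsusConflict          = $wsusConflict
        WUServer              = $gpoVals.WUServer
        QualityDeferralDays   = $cspVals.DeferQualityUpdatesPeriodInDays
        FeatureDeferralDays   = $cspVals.DeferFeatureUpdatesPeriodInDays
        TargetReleaseVersion  = $cspVals.TargetReleaseVersion
        QualityPaused         = ($cspVals.PauseQualityUpdates -eq 1)
        PauseDaysRemaining    = $pauseLeft
        LastUpdateInstalledOn = if ($last) { $last.InstalledOn } else { $null }
        DaysSinceLastUpdate   = $daysSince
        Stale                 = ($null -ne $daysSince -and $daysSince -gt $StaleDays)
        RebootPending         = $rebootPending
        UnreachableEndpoints  = @($unreachable)
        WuauservStatus        = (Get-Service wuauserv).Status
    }
}

Get-WufbDeviceState | Format-List
```

Read the output top to bottom in the order of the table: `WsusConflict` true explains "not receiving updates" before anything else is worth checking; empty deferral values mean the ring never reached the device; a `PauseDaysRemaining` near zero tells you the pause is about to lapse and the device will patch itself whether or not the remediation is done.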
PowerShell & Graph API
```powershell
# Get all WUfB Update Ring policies (update rings are deviceConfigurations of type windowsUpdateForBusinessConfiguration)
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.ReadWrite.All"
Get-MgDeviceManagementDeviceConfiguration -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' } |
    Select-Object DisplayName, Id, LastModifiedDateTime

# Get update status for all Windows devices
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=operatingSystem eq 'Windows'&`$select=deviceName,osVersion,lastSyncDateTime"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object deviceName, osVersion, lastSyncDateTime

# Force a sync (policy refresh and update check) on one device
$deviceId = "<managed device id>"
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$deviceId/syncDevice"

# Remove legacy WSUS registry settings (run elevated on the endpoint)
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
Remove-ItemProperty -Path $wu      -Name "WUServer", "WUStatusServer" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "$wu\AU" -Name "UseWUServer"                -ErrorAction SilentlyContinue
Restart-Service wuauserv

# Check what update policy is applied on the device
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"   # pause state written by Windows Update
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"    # effective CSP values (DeferQualityUpdatesPeriodInDays, ...)
```
Implementation Checklist
WUfB Setup
- WSUS decommissioned or GPO removed from Intune devices
- Pilot, UAT, Broad, Critical rings created
- Quality update deferral configured per ring
- Feature update policy pinned to current approved version
- Active hours set to business hours
- Deadline and grace period configured
Autopatch (if using)
- Windows E3 license verified for all devices
- Autopatch tenant onboarding completed
- Devices added to Autopatch registration group
- Custom Autopatch groups created for departments
- M365 Apps and Edge update management enabled
Monitoring
- Update compliance report reviewed weekly
- Alert configured for devices >30 days behind
- Driver update policy configured
- Pause runbook documented for incident response
Validation
- Pilot ring devices receiving updates correctly
- Restart behavior verified during active hours
- Feature update blocking tested (safeguard hold simulation)
- Helpdesk trained on update escalation procedures