Windows 10 update rings – the best user experience
To deploy updates for Intune-only managed devices, you have to use Windows Update for Business rings. This is a good thing – using update rings sets you up for proactively monitoring and managing Windows throughout the organization. They require that you create pilot users (who validate the update across the org) before you deploy broadly, ensuring that the update will succeed.
Today we’ll be going over configuring update rings in the MEM portal. Part of the reason I wanted to cover this was that users want to be in control.
Start by launching the MEM portal, then click Devices > Windows 10 update rings.
Let’s create a new ring by clicking + Create. Provide a name and description as well (you’ll want to have a few rings in your org, so name them well!).
Then we can select options for the update ring. First, let’s start with the Update settings. Channel-wise, SAC-T no longer really exists (https://docs.microsoft.com/en-us/windows/release-information/), so for our general pilot group we’ll use Semi-Annual Channel. In this ring I’ll leave Quality and Feature updates at a 0-day delay (if I had a second group, for feature updates I’d set it as 30, and then the next group as 60, etc.).
What we really care about is the User experience settings.
Here’s what Automatic update behavior means:
- Notify download – Notify the user before downloading the update. Users choose to download and install updates.
- Auto install at maintenance time – Updates download automatically and then install during Automatic Maintenance when the device isn’t in use or running on battery power. When restart is required, users are prompted to restart for up to seven days, and then restart is forced. This option can restart a device automatically after the update installs. Use the Active hours settings to define a period during which the automatic restarts are blocked.
- Auto install and restart at maintenance time – Updates download automatically and then install during Automatic Maintenance when the device isn’t in use or running on battery power. When restart is required, the device restarts when not being used. (This is the default for unmanaged devices.) This option can restart a device automatically after the update installs. The Active hours settings aren’t described in Windows Update settings, but Intune uses them to define a period during which the automatic restarts are blocked.
- Auto install and restart at scheduled time – Specify an installation day and time. If unspecified, installation runs at 3 AM daily, followed by a 15-minute countdown to a restart. Logged-on users can delay the countdown and restart.
- Auto install and reboot without end-user control – Updates download automatically and then install during Automatic Maintenance when the device isn’t in use or running on battery power. When restart is required, the device restarts when not being used. This option sets the end user’s control pane to read-only.
- Reset to default – Restore the original auto update settings on Windows 10 machines that run the October 2018 Update or later.
So here’s my argument for why you should select Auto install at maintenance time and Require user’s approval to restart outside of work hours. This will install updates if 1) it’s past the Active hours time or 2) the user clicks Check for Windows updates. So we’re already not taking up bandwidth or hogging the CPU when it’s inconvenient for the user. Then, it will notify the user that they need to reboot to complete the update – but won’t, even if they sleep the device, unless they initiate the reboot!
Think of a scenario where a user stays late at the office and then plans to start early the next day to finish a critical project. Since they stayed after hours, the update is already installed in the background – just waiting for “when the user isn’t using the device” to complete the install. Normally, once they sleep the device that night it will automatically install the update! And when they wake up the device the next day, they’ll be presented with a blank desktop (potentially losing some data) or a screen completing the install and taking more of their time.
That’s why I recommend giving users the option to delay – to prevent the scenario above. Selecting “Require user’s approval to restart outside of work hours” puts the user in control of when they update their device.
Feel free to change the reminder times, too. Some organizations may work better with a 4 or 8 hour dismissible reminder. That way users are reminded during the same work day.
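The update settings chosen above can also be created through Microsoft Graph, which makes the staged 0/30/60-day feature deferral repeatable. This is an added example, not part of the original post: the ring names, the 08:00-17:00 active hours and the `-Apply` switch are assumptions, and the restart-approval and reminder options are not set here and stay with the portal.

```powershell
# Added example (not from the original post): staged update rings via Microsoft Graph.
# Assumptions: ring names, the 08:00-17:00 active hours, and the -Apply switch.
# Creating rings needs the Microsoft.Graph.Authentication module; the dry run does not.
param([switch]$Apply)   # without -Apply the script only prints the request bodies

function New-UpdateRingBody {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateRange(0, 365)][int]$FeatureDeferralDays = 0,  # WUfB limit: 365 days
        [ValidateRange(0, 30)][int]$QualityDeferralDays = 0    # WUfB limit: 30 days
    )
    @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Name
        description                        = "Feature updates deferred $FeatureDeferralDays days"
        businessReadyUpdatesOnly           = 'businessReadyOnly'             # Semi-Annual Channel
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'  # Auto install at maintenance time
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        installationSchedule               = @{
            '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
            activeHoursStart = '08:00:00.0000000'   # restarts are blocked between these times
            activeHoursEnd   = '17:00:00.0000000'
        }
    }
}

# Pilot ring at 0 days, then 30 and 60 days for the later rings, as described above.
$rings = @(
    @{ Name = 'WUfB Ring 1 - Pilot'; FeatureDeferralDays = 0 }
    @{ Name = 'WUfB Ring 2 - Early'; FeatureDeferralDays = 30 }
    @{ Name = 'WUfB Ring 3 - Broad'; FeatureDeferralDays = 60 }
)

if ($Apply) { Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null }

foreach ($ring in $rings) {
    $json = New-UpdateRingBody @ring | ConvertTo-Json -Depth 5
    if ($Apply) {
        $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
        $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $json -ContentType 'application/json'
        Write-Host "Created '$($created.displayName)' ($($created.id)); assign it to a group in the portal."
    } else {
        $json   # dry run: review the payload before creating anything
    }
}
```

Run it without `-Apply` first to review the three payloads; the rings it creates are unassigned until you target them at groups.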
You may be thinking – but what if the user ignores the update, or doesn’t see it? Here are all the places the feature update shows up – it’s almost impossible to ignore!
And if they do ignore the update for 7 days, then they’ll get a 60 minute (permanent) warning before it automatically reboots. More than enough time to save your work before the Feature update!
And for those looking at reporting, click on End user update status in the MEM portal to see which updates devices have applied:
Have a different way to configure Update rings for your organization? Let us know below!