Previously we talked about update rings. Microsoft has recently released 2 new update policy types: Feature Updates and Quality Updates. Both of these policies extend the configuration options provided by update rings.

Feature updates for Windows 10 and later (public preview):

Feature Updates lets you specify a desired Windows feature version. Thus freezes the feature set version. The freeze place until you change to a later version. Devices can continue to get: quality and security updates for their feature version.

Move from update ring deferrals to feature updates policy

  • Its possible to use Update Ring Deferrals and Feature Updates but can create unpredictable results because both policies need to evaluate to true to install updates.
  • If you are using feature updates you should remove feature deferrals from update rings. User experience settings can remain.

Plan to transition

Plan to manage the change from using update ring deferrals to feature updates. Keep the following in mind: When policies are created or modded Windows Update evaluates applicable updates for each device.

  • Update evaluation can take up to 10+ minutes
  • If a device starts an update scan after deferal is removed but before Windows Update adds the feature updates policy, the device can be offered an update you didn't want install.

Switch to feature updates policy (recommended process)

  1. In the Microsoft Endpoint Manager admin center, create a feature updates policy that configures your desired Windows version, and assign it to applicable devices.
  2. After the saved policy is assigned to devices, it will take a few minutes for Windows Update to process the policy.
  3. View the Windows 10 and later feature updates (Organizational) report for the feature update policy, and verify devices have a state of OfferReady before you proceed. Once all devices show OfferReady, Windows Update has completed processing the policy.
  4. After devices are verified to be in the OfferReady state you can safely reconfigure the Windows 10 and later update ring policy for that same set of devices to change the setting Feature update deferral period (days) to a value of 0.

Quality updates for Windows 10 and later (public preview):

Where Feature Updates allows you to reduce the speed of feature updates, Quality update policies allow you rapidly patch devices to become compliant.

Expedite Windows quality updates

  • The quality updates policy in Intune allows you to more aggressively bring security updates up to current.
  • Non security updates need to be managed with update rings and feature update policies
  • Updates are targeted by release date.
  • Compatible windows builds receive their own versions of the updates.
  • Update Ring Quality deferalls are ignored by the policy.
  • Restart behavior can be managed in quality update policies.
  • Expedite not recommended for normal monthly updates. Use update rings.

    Requirements

  • Licenses: E3 + E5 + win10 VDA + Business Premium
  • Supported Windows 10/11 versions: Pro + Education + Anything higher
  • Update Source: devices must be configured to use windows update for quality updates

Update Ring settings that may conflict with expedite

  • Enable pre-release builds
  • Automatic Update Behavior: Reset to default.
  • Change Notification Update Level: Turn off all notifications, including restart warnings

    Group Policy settings that can override expedite

  • CorpWuURL - Specify intranet Microsoft update service location.
  • AutoUpdateCfg - Configure Automatic Updates.
  • DeferFeatureUpdates - Select when Preview Builds and Feature Updates are received.
  • Disable Dual Scan - Don't allow update deferral policies to cause scans against Windows Update.