News

Microsoft Intune Adds New Windows Update for Business Controls

• By Kurt Mackie
• 12/16/2022

Microsoft Intune now has some update controls for Windows clients that are enabled by the Windows Update for Business service.

It might be thought that Microsoft Intune would already have such controls, but Microsoft characterized a couple of new capabilities that were said to be now "generally available," or commercially released, per this Friday announcement. In essence, Intune users can now set controls for Windows feature updates, and they can expedite some quality updates.

Intune Controls for Windows Updates
One new Intune capability is the ability to set various policies for feature updates, which are new Windows client operating system releases. Organizations can specify the OS rollout dates, including an "as soon as possible" option. They can also stagger the new OS rollouts to specific user groups, by setting start and end dates, plus an interval of time between the group updates.

The ability to set such Windows Update for Business feature update controls works with Windows 10 and Windows 11 at the Pro, Enterprise and Education edition levels. However, it isn't available for organizations using the Enterprise long-term service channel releases of those OSes, per a "Note" in this Microsoft document.

Intune users also now have the ability to expedite quality updates, which is a Windows Update for Business capability. Expediting might be done when patching certain security vulnerabilities that are deemed to be a priority for organizations.

Microsoft indicated that expedited quality updates will "temporarily override deferrals and other settings." Afterward, "the normal settings" will get restored automatically. A "quality update" is Microsoft lingo for the functional and security patches it releases on the second Tuesday of every month (which is known as "update Tuesday").

It's possible for organizations to expedite most, but not all, Windows 10 or Windows 11 security updates, according to this document. The document didn't explain when there might be exceptions. However, it did note that organizations will need E3- or E5-type licensing that includes Windows Update for Business to use the expedited quality updates capability in Intune.

Microsoft has described Windows Update for Business as the use of Microsoft's "cloud-based Windows Update service to deploy and manage Windows updates," per this 2018 description. Back then, Microsoft said that "you can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings" for Windows devices.

Possibly Microsoft's Friday general availability announcement is just saying that it's now easier for IT pros using Intune to specify certain Window Update for Business settings for feature updates and expedited quality updates.

In another Friday announcement, Microsoft suggested that the new capabilities were associated with the latest update to Intune, namely the "2212 December edition."

Store Apps Controls
The 2212 edition of Intune also now lets organization "add apps from the Microsoft Store for Business to Microsoft Intune," per Microsoft's announcement. Essentially, Microsoft has integrated its Windows Package Manager tool with Intune to work with a "new Microsoft Store."

Microsoft had explained earlier this month that the Microsoft Store for Business and Microsoft Store for Education application distribution schemes are getting retired in Q1 2023. They are getting replaced by Windows Package Manager and the new Microsoft Store approach for distributing apps to end users. Windows Package Manager doesn't require Intune. It alternatively works as a "winget" command-line interface standalone tool. However, using winget just works when distributing free applications to end users.