Configuring Microsoft Intune for Security Patch and Update Management

Configuring Microsoft Intune for Security Patch and Update Management

02/08/2025

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and using Microsoft Intune to effectively manage security patches and updates on Windows devices. In a constantly evolving cyber threat landscape, keeping operating systems and applications up to date is one of the most critical security practices for mitigating vulnerabilities and protecting the organization against attacks. Microsoft Intune, as a Unified Endpoint Management (UEM) solution, offers robust tools to automate and control the update process [1].

Introduction

Lack of security patches and updates is one of the leading causes of security breaches. Known vulnerabilities in operating systems and software are frequently exploited by attackers, making an efficient and automated patch management process essential. In modern enterprise environments, with a distributed workforce and a variety of devices, manual update management becomes impractical and error-prone. This is where Microsoft Intune shines, providing a centralized platform for managing and deploying updates to Windows devices, ensuring they remain secure and compliant [2].

Microsoft Intune allows you to manage different types of Windows updates, including Quality Updates, which provide security and non-security fixes, and Feature Updates, which deliver new functionality and improvements. Through Update Rings policies and Feature Update profiles, administrators can control when and how updates are deployed, enabling phased rollout to minimize risk and ensure compatibility. Additionally, Intune provides features to monitor the compliance status of updates and troubleshoot issues [3].

This how-to guide will cover setting up Update Rings and Feature Updates profiles in Intune, deploying updates to Windows devices, monitoring update compliance, and using reports to identify and resolve issues. Step-by-step instructions, practical examples, and concise explanations will be provided so that the reader can implement, test, and validate these features. Additionally, security tips, compliance checking, and best practices will be discussed to ensure effective, autonomous, professional, and reliable patch and security update management.

Why is Microsoft Intune crucial for patch management?

  • Automation and Efficiency: Automates the delivery of updates, reducing administrative burden and ensuring that devices are always up to date.
  • Granular Control: Allows administrators to set detailed policies on when, how, and to which devices updates are applied, supporting phased rollouts.
  • Enhanced Security: Ensures the latest security fixes are applied quickly, mitigating vulnerabilities and protecting against known exploits.
  • Compliance: Helps keep devices compliant with internal security policies and regulatory requirements.
  • Visibility and Reporting: Provides dashboards and reports to monitor update status, identify non-compliant devices, and troubleshoot issues.
  • User Experience: Allows you to configure active time windows and restart deadlines to minimize the impact of updates on user productivity.

Prerequisites

To configure Microsoft Intune for managing security patches and updates, you will need the following items:

  1. Licensing: A Microsoft Intune license (generally included with Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5 subscriptions) [4].
  2. Administrative Access: An account with the role of Global Administrator or Intune Service Administrator in the Microsoft Intune admin center (https://intune.microsoft.com).
  3. Registered Windows Devices: Registered Windows 10/11 devicescreated in Microsoft Intune. Devices must be configured to receive updates from Windows Update (Windows Update for Business) [5].

Step by Step: Configuring Microsoft Intune for Patch Management

Let's configure update policies for Windows devices.

1. Creating Update Rings for Windows

Update Rings are policies that manage how and when Quality and non-security Updates are applied to devices.

  1. Open your browser and navigate to the Microsoft Intune admin center: https://intune.microsoft.com.
  2. Log in with an account that has the necessary permissions.
  3. In the left navigation pane, select Devices > By Platform > Windows.
  4. Under Manage Updates, select Windows Update Rings.

  5. Click + Create profile.

  6. Basics:

    • Name: Give a meaningful name (ex: Anel_Atualizacao_Piloto_Windows).
    • Description: Provide a clear description (e.g. Update ring for pilot group, with minimum delay.).

  7. Click Next.

  8. Update Ring Settings:

    • Quality Update Settings:
      • Maintenance level of quality updates: General Availability Channel.
      • Quality updates deferral period (days): 0 (for the pilot group, to receive updates as quickly as possible). For larger groups, you can set 3 to 7 days.
      • Driver update deferral period (days): 0 (or a larger value for testing drivers).
    • Feature Updates Settings:
      • Feature updates maintenance level: General Availability Channel.
      • Feature update deferral period (days): 0 (for pilot group). For larger groups, you can set 30 to 60 days.
    • End User Experience Settings:
      • Auto-update behavior: Automatically install and restart at maintenance time.
      • Reboot after installation: Automatic restart at maintenance time.
      • Active hours: User-controlled active hours.
      • Deadline for restart (days): 2 (for the pilot group). For larger groups, 5 to 7 days.

  9. Click Next.

  10. Scope Tags: Optionally add scope tags. Click Next.

  11. Assignments: Assign this update ring to an Azure AD device group (e.g. Pilot_Device_Group).

  12. Click Next.

  13. Review + create: Review the settings and click Create.

    • Explanation: You should create multiple update rings (e.g., Pilot, Fast, Slow) with different deferral periods to allow for a phased rollout of updates, minimizing the risk of compatibility issues.

2. Creating Feature Updates Profiles for Windows (Feature Updates for Windows 10 and later)

Feature Update Profiles allow you to target devices to a specific version of Windows (e.g. Windows 11 22H2).

  1. In the left navigation pane of the Microsoft Intune admin center, select Devices > By Platform > Windows.
  2. Under Manage updates, select Windows 10 and later feature updates.

  3. Click + Create profile.

  4. Basics:

    • Name: Give a meaningful name (ex: Atualizacao_Recurso_Windows11_23H2).
    • Description: Provide a clear description (e.g. Windows 11 23H2 deployment to eligible devices.).

  5. Click Next.

  6. Feature Update Settings:

    • Resource version to be deployed: Select the desired version (ex: Windows 11, version 23H2).
    • Availability date: Set the date on which the update will be available for devices.
    • End date: Optionally, set an end date for the upgrade offer.

  7. Click Next.

  8. Scope Tags: Optionally add scope tags. Click Next.

  9. Assignments: Assign this profile to an Azure AD device group (ex: Windows11_Device_Group).

  10. Click Next.

  11. Review + create:Review the settings and click Create.

    • Explanation: This profile will ensure that devices in the assigned group receive the specific version of Windows 11 23H2. It's important to test feature updates in smaller groups before deploying widely.

3. Monitoring Update Status

Intune offers dashboards and reports to monitor update progress and compliance.

  1. In the left navigation pane of the Microsoft Intune admin center, select Devices > By Platform > Windows.
  2. Under Manage Updates, select Windows Update Rings.
  3. Click on the update ring you want to monitor (ex: Anel_Atualizacao_Piloto_Windows).

  4. In the update ring overview, you can see the Device Deployment Status and User Update Status, which show how many devices are compliant, how many have errors, etc.

  5. For more detailed reports, in the left navigation pane of the Intune admin center, select Reports > Windows Updates.

  6. Here you can find reports like Windows Update Compliance Report and Windows Feature Updates Report to get a comprehensive view of the status of updates in your organization.

Validation and Testing

It's critical to test update policies to ensure they work as expected and that devices receive updates correctly.

1. Testing Update Rings (Quality Updates)

  1. Scenario: Register a test Windows device in Intune and assign it to Pilot_Device_Group.
  2. Expected Action: The device must receive and install quality updates according to the Anel_Atualizacao_Piloto_Windows policy (with a delay of 0 days, i.e. quickly).
  3. Verification:
    • On the test device, go to Settings > Windows Update and check the update history.
    • In the Intune admin center, check the Device Deployment Status for Anel_Atualizacao_Piloto_Windows and Windows Update Compliance Report to confirm that the device is compliant.
    • Command on device (PowerShell as Admin): powershell Get-WindowsUpdateLog
      • Explanation: This command generates a detailed log of Windows Update activities, useful for troubleshooting.

2. Testing Resource Update Profiles

  1. Scenario: Register a test Windows device in Intune and assign it to Windows11_Device_Group.
  2. Expected Action: The device must receive and install the Windows 11 Feature Update, version 23H2.
  3. Verification:
    • On the test device, go to Settings > System > About and check the Windows Version.
    • In the Intune admin center, check the Device Deployment Status for the Atualizacao_Recurso_Windows11_23H2 profile and the Windows Feature Updates Report.

Security Tips and Best Practices

  • Update Ring Strategy: Implement a phased update ring strategy (e.g., Pilot, Small, Medium, Large) to test updates on a subset of devices before deploying them broadly. This minimizes the risk of interruptions.
  • Maintenance Windows: Configure maintenance windows and restart deadlines that minimize the impact on user productivity, but ensure that updates are applied in a timely manner.
  • Continuous Monitoring: Regularly monitor update compliance reports in Intune and set up alerts for non-compliant or update-error devices.
  • Compatibility Testing: Before deploying major feature updates, perform compatibility testing with critical applications and hardware in your environment.
  • Delivery Optimization: Use features like Delivery Optimization to reduce network bandwidth consumption when distributing updates across your organization.
  • Driver Management: Be cautious with driver updates. Consider delaying driver updates or testing them extensively before broad deployment, as problematic drivers can cause crashes.ability in the system.
  • Integration with Microsoft Defender for Endpoint: Intune and Defender for Endpoint work together to ensure endpoint security. Defender for Endpoint can provide insights into vulnerabilities that can be fixed with patches.

Common Troubleshooting

  • Devices do not receive updates:
    • Verify that the device is enrolled in Intune and that the update/feature ring policies are assigned to the correct device group.
    • On your device, check connectivity to Windows Update. Run wuauclt.exe /reportnow (for Windows 10) or usoclient StartScan (for Windows 11) from the command prompt.
    • Check Windows Update logs on the device using Get-WindowsUpdateLog in PowerShell.
    • Check Active Hours settings in Intune; If the device is always within active hours, it may not restart to install updates.
  • Updates fail to install:
    • Check the Windows Update logs on the device for specific error codes.
    • Make sure your device has enough disk space.
    • Compatibility issues with existing software or drivers may be the cause. Test in a controlled environment.
    • Check device network connectivity with Windows Update services.
  • Devices do not appear as compliant in Intune reports:
    • It may take some time for compliance status to be reported back to Intune. Wait a few hours.
    • Make sure your device is active and communicating with Intune.
    • Verify that compliance policies are correctly assigned to the device.
  • False positives (device appears as non-compliant, but is up to date):
    • Manually check the status of updates on the device. If it is up to date, it may be a delay in Intune reporting.
    • Restart the Intune Client Management service on the device (net stop dmwappushservice && net start dmwappushservice).

Conclusion

Microsoft Intune is an indispensable tool for managing security patches and updates in Windows environments. By automating the deployment of quality and feature updates and providing granular control over the process, Intune enables organizations to keep their devices secure and compliant with the latest protections against cyber threats. Implementing an update ring strategy, along with continuous monitoring and proactive problem resolution, is critical to ensuring a resilient IT environment. With this practical guide, security professionals and IT administrators will be well-equipped to configure, validate, and manage Microsoft Intune, strengthening their endpoint security posture and protecting their organization's assets.

References:

[1] Microsoft Learn. Manage Windows software updates in Intune. Available at: https://learn.microsoft.com/pt-br/intune/intune-service/protect/windows-update-for-business-configure [2] Microsoft Learn. What is Microsoft Intune?. Available at: https://learn.microsoft.com/pt-br/intune/overview [3] Microsoft Learn. Manage Windows updates with Intune. Available at: https://learn.microsoft.com/pt-br/mem/intune/protect/windows-update-for-business-configure [4] Microsoft Learn. Microsoft Intune Licensing. Available at: https://learn.microsoft.com/pt-br/mem/intune/fundamentals/licenses [5] Microsoft Learn. Set up Windows update rings in Intune. Available at: https://learn.microsoft.com/pt-br/mem/intune/protect/windows-10-update-rings [6] Microsoft Learn. Configure Windows 10 and later feature updates in Intune. Available at: https://learn.microsoft.com/pt-br/mem/intune/protect/windows-10-feature-updates [7] Microsoft Learn. Windows Update reports in Intune. Available at: https://learn.microsoft.com/pt-br/mem/intune/protect/windows-update-reports