Date: 2025-04-14

The importance of up-to-date Windows devices is evident to all IT administrators, so the Windows Update for Business settings that control update behavior on Windows devices are critical for security and user experience.

With its cloud-native endpoint management, Windows Update for Business can manage endpoints that are basically always online, which makes it important that those devices are up to date with the latest security updates and Windows features.

Microsoft Intune is the go-to platform for managing the settings related to the security updates and Windows features, and IT admins should make the most of these two technologies together.

Managing Windows Update for Business with Intune

Intune provides IT administrators with the ability to easily configure update settings on Windows devices using Windows Update for Business, including the deferral of update installations. Besides that, Intune also allows IT to keep Windows devices on a specific stable Windows version by preventing devices from installing feature updates.

It's important to keep in mind that Intune doesn't store the updates themselves -- that information will always come from Windows Update. Intune creates the policy set with the configuration that contains the desired settings to check in with Windows Update to make sure that the required updates will be installed with the required deferral and deadline configurations. Besides that, Intune also passes specific configuration details to Windows Update. That information is used to determine which of the updates will be offered to the different devices.

The Windows Update for Business deployment service requires a separate registration of Windows devices, and that registration requires Windows devices to be Entra joined. Any configuration option that relies on the Windows Update for Business deployment service requires the Windows device to be Entra joined.

Figure 1. Microsoft Intune architecture and the Intune product family.

For any configuration that relies on the Windows Update for Business deployment service, Intune will automatically make sure that the targeted Windows device registers with the Windows Update for Business deployment service. The policy types in Intune that rely on the Windows Update for Business deployment service provide the IT administrator with more granular control over the deployment of the different updates.

IT administrators should also keep in mind that in September 2024, the Windows Update for Business deployment service was unified under Windows Autopatch.

What Intune policy types can affect Windows updates?

When using Microsoft Intune to manage Windows Update for Business settings, there are different policy types that IT can use to configure Windows devices, and each of these policy types has its own purpose. The following policy types are available and can be assigned to groups of devices:

Update ring. This policy type is basically a collection of Windows Update for Business settings that IT can use to configure when Windows devices have their security updates and Windows features installed. This provides the IT administrator with basic update management capabilities on Windows devices to control security updates and Windows features. That includes settings to control the update deferral, the update deadline, the update products, the user experience and more. This policy type is supported by all devices running Windows 10 version 1607 or later, and Windows 11.

Feature update deployment. IT can use this policy type to update Windows devices to a specific Windows version that is specified by the IT administrator. Besides that, after the installation of the specific Windows version, this policy type will also make sure that the targeted Windows devices freeze their Windows version. That freeze remains in place until the IT administrator specifically chooses to update those Windows devices to a later Windows version. In the meantime, those devices will continue to install quality and security updates that are available for their current Windows version. This policy type relies on the Windows Update for Business deployment service for controlling the feature deployment.

Expedite policy. Intune administrators can use this policy type to expedite the installation of the latest Windows security update on Windows devices. This can help IT quickly install a specific security update that fixes a certain security issue within the environment. This policy type relies on the Windows Update for Business deployment service for controlling the feature deployment.

Windows quality update policy. With this policy type, IT can configure specific quality update policy settings. This policy type is still in preview and can only be used to configure hotpatch on Windows devices. Windows devices will install the latest quality update without restarting the device if this policy is in place.

Driver update profile. This policy type can determine the approval and deployment settings for Windows driver updates. The main configuration that can be achieved is choosing between automatic installation of the latest recommended drivers and manually approving drivers before they can be installed on the targeted Windows devices. This policy type relies on the Windows Update for Business deployment service for controlling the feature deployment.
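
The update ring's deferral and deadline settings together determine how long a device can go without a released quality update. The following is an added example, not part of the original article: it audits update rings exported as JSON and flags rings that are paused, have no deadline, or exceed a limit. Property names follow the Microsoft Graph `windowsUpdateForBusinessConfiguration` resource; the sample rings, the 14-day limit and the use of deferral + deadline + grace period as a rough upper bound are assumptions.

```python
import json

# Constructed sample shaped like Microsoft Graph
# windowsUpdateForBusinessConfiguration objects; all values are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Ring 0 - Pilot", "qualityUpdatesPaused": false,
   "qualityUpdatesDeferralPeriodInDays": 0,
   "deadlineForQualityUpdatesInDays": 2, "deadlineGracePeriodInDays": 1},
  {"displayName": "Ring 1 - Broad", "qualityUpdatesPaused": false,
   "qualityUpdatesDeferralPeriodInDays": 14,
   "deadlineForQualityUpdatesInDays": 5, "deadlineGracePeriodInDays": 2},
  {"displayName": "Ring 2 - Legacy", "qualityUpdatesPaused": true,
   "qualityUpdatesDeferralPeriodInDays": 30,
   "deadlineForQualityUpdatesInDays": null, "deadlineGracePeriodInDays": null}
]}
""")

MAX_EXPOSURE_DAYS = 14  # assumed organizational limit, not a Microsoft default


def audit_ring(ring, limit=MAX_EXPOSURE_DAYS):
    """Return findings for one ring (deferral + deadline + grace, in days)."""
    findings = []
    deferral = ring.get("qualityUpdatesDeferralPeriodInDays") or 0
    deadline = ring.get("deadlineForQualityUpdatesInDays")
    grace = ring.get("deadlineGracePeriodInDays") or 0
    if ring.get("qualityUpdatesPaused"):
        findings.append("quality updates are paused")
    if deadline is None:
        # Without a deadline the install is never forced, so no bound exists.
        findings.append("no quality update deadline configured")
    elif deferral + deadline + grace > limit:
        window = deferral + deadline + grace
        findings.append(f"worst-case window {window}d exceeds {limit}d")
    return findings


def audit_export(export, limit=MAX_EXPOSURE_DAYS):
    """Return {ring name: findings} for rings with at least one finding."""
    report = {}
    for ring in export.get("value", []):
        findings = audit_ring(ring, limit)
        if findings:
            report[ring.get("displayName", "<unnamed>")] = findings
    return report
```

Calling `audit_export(SAMPLE_EXPORT)` reports the broad and legacy rings and leaves the pilot ring out.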