Exam Ref 70-696 Managing Enterprise Devices and Apps (MCSE): Plan and Implement Software Updates

  • 12/31/2014

Objective 3.3: Deploy software updates by using Microsoft Intune

Microsoft Intune provides you with an alternative method of managing software updates for computers that are outside the perimeter network or in remote branch offices where deploying a WSUS server or Configuration Manager is impractical. In this section, you learn how you can manage software updates with Intune.

Microsoft Intune update policies

Intune can provide software updates to clients on which the Intune agent is installed. When you install the Intune agent on a computer, the computer retrieves updates from Intune. You should ensure that any Group Policy settings configuring an update server are removed prior to deploying the Intune agent because the settings might interfere with the computer retrieving updates.
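As an added example (not from the book), this PowerShell check reports whether a computer still carries the Group Policy registry values that point Windows Update at an update server, so you can confirm they are gone before installing the Intune agent. It assumes the standard Windows Update policy registry location and an elevated session on the client being checked.

```powershell
# Added example: detect leftover Group Policy settings that configure an update server.
# Assumes the standard Windows Update policy key; run elevated on the client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = [ordered]@{
    Computer       = $env:COMPUTERNAME
    WUServer       = Get-PolicyValue $wuKey 'WUServer'        # update server URL
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'  # reporting server URL
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'     # 1 = use the server above
}

[pscustomobject]$findings | Format-List

if ($findings.WUServer -or $findings.WUStatusServer -or ($findings.UseWUServer -eq 1)) {
    Write-Warning 'An update-server policy is still applied. Remove it from the GPO, then run gpupdate /force and re-check.'
    # List the computer-scope GPOs currently applied, to find the one that sets the values.
    gpresult /r /scope computer
} else {
    Write-Output 'No update-server policy values found; the Intune agent can manage updates.'
}
```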

How Intune clients retrieve updates is determined by Intune policies, which include settings related to endpoint protection, network bandwidth, user device linking, and updates. The update settings control how software updates and applications are installed.

To create an update policy, perform the following steps:

  1. In the Intune Administrator console, click Policy, click Overview, and then click Add Policy under Tasks.
  2. In the Create A New Policy dialog box, click Windows Intune Agent Settings, select Create And Deploy A Custom Policy, as shown in Figure 3-12, and then click the Create Policy button.

    FIGURE 3-12 Creating a policy

  3. In the Updates section, shown in Figure 3-13, configure the following settings:

    • Name: Type a name for the policy on the General page.
    • Update And Application Detection Frequency (Hours): Indicate how often you want the client to check for updates.
    • Automated Or Prompted Installation Of Updates And Applications: Configure whether updates and applications are installed automatically according to a schedule, or the user is prompted for the installation of updates and applications.
    • Allow Immediate Installation Of Updates That Do Not Interrupt Windows: Specify whether updates that do not require a restart will be installed immediately.
    • Delay To Restart Windows After Installation Of Scheduled Updates And Applications (Minutes): Specify how long the computer will wait before restarting Windows.
    • Allow Logged On User To Control Windows Restart After Installation Of Scheduled Updates And Applications: This option allows a signed-on user to control whether a computer restarts after the installation of applications and updates.
    • Prompt User To Restart Windows During Windows Intune Client Agent Mandatory Updates: Determines whether the user is prompted after the installation of a mandatory update that requires a restart.
    • Windows Intune Client Agent Mandatory Updates Installation Schedule: Specify when mandatory updates will be installed.
    • Delay Between Prompts To Restart Windows After Installation Of Scheduled Updates And Applications (Minutes): Specify the period between restart prompts.

    FIGURE 3-13 Updating a policy

  4. Click Save Policy to save the policy.
  5. In the Do You Want To Deploy This Policy Now pop-up box, click Yes.
  6. In the Manage Deployment dialog box, shown in Figure 3-14, select the computers to which you want to deploy the policy and then click OK.

    FIGURE 3-14 Selecting groups

Updating categories and classifications

Configure update categories and classifications to specify the products and update classifications for which Intune will manage updates. Although you can configure Intune to manage updates for almost every currently supported Microsoft product, you should only configure Intune so that it manages updates for products that are actually installed on computers that have the Intune agent. Figure 3-15 shows that Intune can manage the following update classifications:

  • Critical Updates
  • Security Updates
  • Definition Updates
  • Service Packs
  • Update Rollups

FIGURE 3-15 Service Settings: Updates

Approving updates

To deploy updates to Intune clients, approve them in the Intune Administration console. To approve an update, perform the following steps:

  1. In the Intune Administration console, click Updates.
  2. In the All Updates node, shown in Figure 3-16, select the update that you want to approve and click Approve.

    FIGURE 3-16 All Updates

  3. On the Select Groups page, shown in Figure 3-17, select the groups to which you want to deploy the update and click Add. Then click Next.

    FIGURE 3-17 Select Groups

  4. On the Deployment Action page, shown in Figure 3-18, select the approval status for the update. You can choose from among Required Install, Do Not Install, Available Install, and Uninstall. Then click Finish.

    FIGURE 3-18 Deployment Action

Automatic approval rules

Automatic approval rules enable you to configure Intune to approve updates automatically, based on product category and update classification. When you configure an automatic approval rule, the update will be deployed automatically rather than requiring an administrator to perform manual approval. For example, you might configure an automatic approval rule for Windows 8.1 operating system updates that are classified as critical or security. Any Windows 8.1 operating system update that Microsoft publishes that has the critical or security classification will automatically be published to Intune clients.

To create an automatic approval rule, perform the following steps:

  1. In the Administration workspace of the Intune Administration console, click Updates and then scroll to Automatic Approval Rules. Click the New button.
  2. On the General page of the Create Automatic Approval Rule Wizard, create a name and provide a description for the rule. Then click Next.
  3. On the Product Categories page, select the products to which the automatic approval rule applies. Then click Next.

    Figure 3-19 shows Windows 8.1 selected.

    FIGURE 3-19 Product Categories

  4. On the Update Classifications page, select the update classifications for which the rule will perform an automatic approval. Then click Next. Figure 3-20 shows Critical Updates and Security Updates selected.

    FIGURE 3-20 Update Classifications

  5. On the Deployment page, select the Intune groups for which the automatic approval rule will approve the update. You can also configure an installation deadline for updates approved by this rule. Then click Add. Figure 3-21 shows the All Computers group selected and an installation deadline of 14 Days After Approval. Click Next to proceed.

    FIGURE 3-21 Deployment

  6. On the Summary page, click Finish to complete the installation of the updates.

Third-party updates

You can use Intune to deploy updates from vendors other than Microsoft. You do this by manually uploading the update files, which can be in .msi, .msp, or .exe format. To upload and configure a third-party update to Intune, perform the following steps:

  1. In the Updates workspace of the Intune Administration console, click Upload under Tasks.
  2. On the Update Files page, select the file you want to upload and click Next.
  3. Select a classification.

    You can choose from among Updates, Critical Updates, Security Updates, Update Rollups, or Service Packs. Then click Next.

  4. On the Requirement page, select the operating system and architecture (x86 or x64) requirements for the update and then click Next.
  5. On the Detection Rules page, specify how Intune can check whether the update has already been deployed on the Intune client.

    This check can be performed by looking for an existing file, an MSI product code, or a specific registry key. Click Next.

  6. On the Prerequisites page, identify any prerequisite software required for update installation and then click Next.

    You can specify None if no prerequisites are required or specify an existing file, an MSI product code, or a specific registry key.

  7. On the Command Line Arguments page, specify any command-line arguments required to deploy the update and then click Next.
  8. On the Return Codes page, specify how Intune should interpret return codes the update installation generates. Click Next. Finally, click Upload to complete.

After the update is uploaded to Intune, you can approve it using the same method you use to approve other software updates.
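The detection rule in step 5 decides which clients are treated as already updated, so it is worth testing the value on a patched and an unpatched test computer before upload. The following PowerShell is an added example, not part of the book or of Intune: it approximates the three rule types locally, and the file path, product code, and registry key shown are constructed placeholders.

```powershell
# Added example: evaluate the three detection-rule types on a test client.
# This approximates the checks locally; it is not the Intune agent's own logic.

function Test-FileRule {
    param([Parameter(Mandatory)][string]$Path)
    Test-Path -LiteralPath $Path -PathType Leaf
}

function Test-RegistryKeyRule {
    param([Parameter(Mandatory)][string]$KeyPath)
    Test-Path -LiteralPath $KeyPath
}

function Test-MsiProductCodeRule {
    param([Parameter(Mandatory)][string]$ProductCode)
    # Accept only a brace-wrapped GUID so a typo is reported rather than silently missed.
    $guid = [guid]::Empty
    if ($ProductCode -notmatch '^\{.+\}$' -or -not [guid]::TryParse($ProductCode, [ref]$guid)) {
        throw "Not a valid MSI product code: $ProductCode"
    }
    # Per-machine MSI installs register an Uninstall subkey named after the product code.
    # Check both the native and the 32-bit (WOW6432Node) registry views.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath (Join-Path $root $ProductCode)) { return $true }
    }
    return $false
}

# Constructed placeholder values; replace with the values you plan to enter in the wizard.
$file    = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'
$product = '{00000000-0000-0000-0000-000000000000}'
$regKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp\Patch1'

@(
    [pscustomobject]@{ Rule = 'File exists';      Value = $file;    Detected = Test-FileRule $file }
    [pscustomobject]@{ Rule = 'MSI product code'; Value = $product; Detected = Test-MsiProductCodeRule $product }
    [pscustomobject]@{ Rule = 'Registry key';     Value = $regKey;  Detected = Test-RegistryKeyRule $regKey }
) | Format-Table -AutoSize
```

A usable rule reports Detected as True on the patched computer and False on the unpatched one; a rule that is True on both would mark unpatched clients as already updated.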

Objective summary

  • Intune can provide updates to clients on which the Intune agent is installed.
  • You select which updates Intune provides to clients, based on product and update classification.
  • When you manually approve updates, you select the group for which the update is approved and specify a deployment action.
  • Automatic approval rules enable you to deploy updates automatically, based on product and update classification.
  • You can upload third-party updates to Intune and distribute them to Intune clients.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.

  1. You have noticed that, although updates for Windows 7 are present within the list of available updates in the Intune console, updates for Windows 8 and Windows 8.1 are not present. Which of the following should you configure to resolve this problem?

    1. Automatic approval rules
    2. Third-party updates
    3. Update policies
    4. Update categories and classifications
  2. You want to ensure that a user who is signed on to a computer can control whether Windows restarts after the installation of scheduled updates deployed from Intune. Which of the following would you configure to accomplish this goal?

    1. Update categories and classifications
    2. Update policies
    3. Third-party updates
    4. Automatic approval rules
  3. You want computers running Windows 8.1 in your organization’s Melbourne branch office to install critical operating system updates automatically. Computers running Windows 8.1 in your organization’s Canberra office should install critical operating system updates only if an administrator manually approves those updates. Which of the following should you configure to accomplish this goal? (Choose two. Each correct answer provides part of a complete solution.)

    1. Configure multiple computer groups.
    2. Configure update policies.
    3. Configure update categories and classifications.
    4. Configure automatic approval rules.