MEMCM - Migration from On Premise to Intune - Part 4 - Migration of Software Update Strategy
Transform your current software update process into Modern Workplace Management
Introduction
In this part we will go into detail on how to transition your on premise software update solution into being managed completely by Intune.
How Your Software Update Strategy Works Today
For those who are using SCCM/MEMCM with the SUP (Software Update Point) role, you may be utilizing the following types of configuration:
- ADR (Automatic Deployment Rule) Deployment - Automated, scheduled deployment strategies such as the commonly used Patch Tuesday templates, with automatic approval of specific update categories.
- Manual Software Update Package Deployment - Synchronization of Windows updates from your WSUS to your SUP role, which then show in the Software Updates view under your Software Library.
- Offline Servicing (Image Patching) - Software updates applied directly to your image so that it contains the latest updates.
- Task Sequence Build - A standard task sequence may include an Install Software Updates step, which simply applies the latest updates to your newly built machine.
In smaller environments you may just be using standalone WSUS, with no SCCM integration, as your patch management strategy.
With all this being said, we will show how to transition into Modern Workplace Management and how to provide a similar, or enhanced, service, alongside optional additions to your patch management.
Existing Windows Feature Update Deployments
This can fall into a couple of categories depending on your strategy for upgrading the build version of your Windows 10 endpoints.
Software Update Synchronization is the usual method, where you deploy the feature update in its own software update group, though this comes with its own challenges, and alternative methods have been used where the feature update is delivered in either a Task Sequence Upgrade or even as an application - the article for that can be found here
Transition to Intune - Update Rings
ADR Deployment Rule & Patching Migration
Following on from the ADR rules, if we want to replicate a similar structure we can achieve this by creating a Windows 10 Update Ring, which allows us to deploy updates for Windows 10 (and Windows 8.1, if applicable) automatically and on a schedule.
So, taking for example the template that can be used for Patch Tuesday, here is an example of how the Update Ring would be configured for it.
Here is a mapping between the ADR rule properties and the Windows 10 Update Ring configuration.
ADR Properties
ADR Property - Software Updates: In this tab you select the update categories that will be automatically approved and then deployed to your SCCM managed clients.
Update Ring Setting - Microsoft Product Updates: This is simply a Yes/No toggle that allows your update ring to pull in the latest updates. Updates are brought in on a cumulative basis, so you cannot specify categories to exclude from the ring.
Update Ring Setting - Servicing Channel: Here you specify the channel from which your updates come: Semi-Annual, where you obtain updates as soon as Microsoft releases them, or Windows Insider, where you get updates earlier, before official release.
ADR Property - Evaluation Schedule: Here you specify the date and time at which the ADR rule runs and, with further configuration, whether it should run on that schedule or only after a manual software update synchronization has been triggered.
Update Ring Setting - User Experience: In this section we can dictate the schedule in finer detail, not just the date and time but specific weeks and times within the month, which helps us replicate specific templates such as Patch Tuesday. We can also specify deferral periods and deadlines, similar to an actual collection deployment within SCCM.
Windows Feature Update Deployments
In order to migrate the process of how you deploy feature updates, there is now a separate ring through which we control this: the Windows 10 Feature Update Ring.
The Feature Update ring and the regular Update Ring work together: the Update Ring can deploy both quality updates and feature updates, while the separate Feature Update ring pins endpoints to the specific feature update version you want to hold them at.
In this case we have now limited the feature update to Windows 10 20H2. When we refer back to the settings in the Windows 10 Update Ring, we can set the feature update deferral period, which works together with the Feature Update ring.
Task Sequence Build/Offline Servicing Migration
Hopefully at this point you are moving away from traditional physical builds and using Autopilot :) In this case we want to design the workflow so that any newly enrolled machines are brought into the patching rings applicable to them.
So, with the update rings configured above, we can have an Azure AD group that is specifically tied to the Windows 10 Update Ring, so that any new machines brought into your Intune environment receive the correct patching.
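As an added example (not from the original post), the three pieces described above scripted with the Microsoft Graph PowerShell SDK: an Update Ring mirroring a Patch Tuesday ADR, a Feature Update profile holding devices at 20H2, and assignment of both to one Azure AD group so newly enrolled devices inherit them. The group id, ring names, schedule, deferral and deadline values are placeholders, and the Graph beta endpoints are assumed.

```powershell
# Added example: Patch Tuesday ADR -> Intune Update Ring + Feature Update profile, assigned to one AAD group.
# Assumes the Microsoft.Graph module; group id and the numeric values below are illustrative.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$graph   = 'https://graph.microsoft.com/beta/deviceManagement'
$groupId = '<AAD-GROUP-OBJECT-ID>'   # placeholder: the group tied to this ring (e.g. Autopilot-enrolled devices)

# 1. Update Ring: counterpart of the ADR "Software Updates" and "Evaluation Schedule" tabs.
$ring = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'Ring - Patch Tuesday Pilot'
    microsoftUpdateServiceAllowed      = $true                # "Microsoft product updates: Yes" (cumulative, no category filter)
    driversExcluded                    = $false
    businessReadyUpdatesOnly           = 'businessReadyOnly'  # servicing channel: Semi-Annual Channel
    qualityUpdatesDeferralPeriodInDays = 0                    # quality updates offered on release day
    featureUpdatesDeferralPeriodInDays = 30                   # feature deferral, works with the feature update profile below
    automaticUpdateMode                = 'autoInstallAndRebootAtScheduledTime'
    installationSchedule               = @{
        '@odata.type'        = '#microsoft.graph.windowsUpdateScheduledInstall'
        scheduledInstallDay  = 'wednesday'                    # the day after Patch Tuesday
        scheduledInstallTime = '03:00:00'
    }
    updateWeeks                        = 'secondWeek'         # the "specific weeks within the month" knob
    deadlineForQualityUpdatesInDays    = 7                    # deadlines, like an SCCM collection deployment
    deadlineForFeatureUpdatesInDays    = 14
    deadlineGracePeriodInDays          = 2
}
$ringObj = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceConfigurations" `
    -Body ($ring | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assignment body reused for both objects: one AAD group -> devices get the ring as soon as they join it.
$assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceConfigurations/$($ringObj.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 2. Feature Update profile: pins devices in the group at Windows 10 20H2 (version string as accepted by the profile API).
$feature = @{ displayName = 'Feature Update - Hold at 20H2'; featureUpdateVersion = 'Windows 10, version 20H2' }
$featureObj = Invoke-MgGraphRequest -Method POST -Uri "$graph/windowsFeatureUpdateProfiles" `
    -Body ($feature | ConvertTo-Json) -ContentType 'application/json'
Invoke-MgGraphRequest -Method POST -Uri "$graph/windowsFeatureUpdateProfiles/$($featureObj.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 3. Check: list the group ids the ring is now assigned to (should contain $groupId).
(Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceConfigurations/$($ringObj.id)/assignments").value |
    ForEach-Object { $_.target.groupId }
```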
Next Part
In the next part we will focus on the Device/User Collection migrations and the planning of migrating them into Modern Workplace Management.