Blog Post

MEMCM - Migration from On Premise to Intune - Part 4 - Migration of Software Update Strategy

D Walsham • Mar 17, 2021

Transform your current software update process into Modern Workplace Management

Introduction

In this part we will go into detail on how to transition your on-premises software update solution into one managed completely by Intune.

How your Software Update Strategy is Currently

For those who are using SCCM/MEMCM with the SUP (Software Update Point) role, you may be utilizing the following types of configurations:

  • ADR (Automatic Deployment Rule) Deployment - Automated, scheduled deployment strategies such as the commonly used Patch Tuesday templates, with automatic approval of specific update categories.
  • Manual Software Update Package Deployment - Synchronization of Windows Updates from WSUS to your SUP role, which then appear in the Software Updates view of your Software Library.
  • Offline Servicing (Image Patching) - Software update patching applied directly to your image so that it contains the latest updates.
  • Task Sequence Build - A standard task sequence may include an Install Software Updates step, which simply applies the latest updates to the newly built machine.

In smaller environments you may also be using standalone WSUS, with no SCCM integration, as your patch management strategy.

With all this being said, we will show how to transition into Modern Workplace Management and how to provide a similar or enhanced service, alongside optional additions around your patch management.

Existing Windows Feature Update Deployments

This can fall into a couple of categories depending on your strategy for upgrading the build version of your Windows 10 endpoints.

Software update synchronization is the normal method, where you deploy the feature update in its own software update group. This comes with its own challenges, so alternative methods have been used where the feature update is delivered through either a task sequence upgrade or even an application; the article for that can be found here.

Transition to Intune - Update Rings

ADR Deployment Rule & Patching Migration

Following on from the ADR rules, if we want to replicate a similar structure we can achieve this by creating a Windows 10 Update Ring, which allows us to deploy updates for Windows 10 (and Windows 8.1 if applicable) automatically and on a schedule.

So, taking for example the template which can be used for Patch Tuesday, here is an example of how the Update Ring would be configured for this.

Here is a mapping between the ADR Rules and the Windows 10 Update Ring configurations.

ADR Properties

  • ADR Property: Software Updates - In this tab you have the ability to select the update categories which will be automatically approved and then deployed to your managed clients within SCCM.
      • Update Ring Settings: Microsoft Product Updates - This is simply a Yes/No toggle which allows your update ring to pull in the latest updates. The updates are brought in on a cumulative basis, so you are not able to specify categories that you wish to exclude from your rule.
      • Update Ring Settings: Servicing Channel - Here you specify which channel your updates come from: Semi-Annual Channel, where you obtain updates as soon as Microsoft releases them, or Windows Insider, where you can get updates before official release.

  • ADR Property: Evaluation Schedule - Here you specify the date and time at which the ADR rule will run; further configuration allows you to specify whether it runs on that schedule or after a manual software update synchronization has been triggered.
      • Update Ring Settings: User Experience - In this section we can dictate the schedule in finer detail, not just the date and time but the specific weeks and times within the month, which helps us replicate specific templates such as Patch Tuesday. We can also specify deferral periods and deadlines, similar to an actual collection deployment within SCCM.

Windows Feature Update Deployments

In order to migrate the process of how you deploy your feature updates, there is now a separate ring through which we can control this: the Windows 10 Feature Update Ring.

The Feature Update Ring and the normal Update Ring work together: although the normal Update Ring can deploy both feature updates and the rest of the updates, the separate Feature Update Ring freezes the specific version at which you want to limit feature updates.


In this case we have now limited the feature update deployment to Windows 10 20H2. When we refer back to the settings in the Windows 10 Update Ring, we can set the deferral period, which works specifically alongside the Feature Update Ring.

Task Sequence Build/Offline Servicing Migration

Hopefully at this point you are moving away from traditional physical builds and utilizing Autopilot :) In this case we want to design the workflow so that any newly enrolled machines are brought into the update rings applicable to them.

So, with the update rings configured above, we can have an Azure AD group specifically tied to that Windows 10 Update Ring, so that any new machines brought into your Intune environment receive the correct patching.
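As an added example (not code from the original post), the mapping above carried out against Microsoft Graph with the Microsoft.Graph PowerShell SDK: a Patch Tuesday-style Windows 10 Update Ring, a Feature Update profile pinned to 20H2, and both assigned to one Azure AD group so newly enrolled devices inherit them. Property names follow the Graph beta windowsUpdateForBusinessConfiguration and windowsFeatureUpdateProfile resources as I know them; the ring name, deferral values and the $GroupId parameter are my own assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and $GroupId is the object id of the Azure AD
# group that new Autopilot/Intune devices are placed in (assumption).
param([Parameter(Mandatory)][string]$GroupId)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$base = 'https://graph.microsoft.com/beta/deviceManagement'

# 1. Update Ring mirroring the ADR mapping in the post:
#    Software Updates     -> microsoftUpdateServiceAllowed / businessReadyUpdatesOnly
#    Evaluation Schedule  -> updateWeeks / installationSchedule / deferrals / deadlines
$ring = @{
  '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
  displayName                        = 'W10 Update Ring - Patch Tuesday (Pilot)'   # assumed name
  microsoftUpdateServiceAllowed      = $true                      # Microsoft product updates: Yes
  driversExcluded                    = $false
  businessReadyUpdatesOnly           = 'businessReadyOnly'        # Semi-Annual Channel
  automaticUpdateMode                = 'autoInstallAndRebootAtScheduledTime'
  updateWeeks                        = 'secondWeek'               # Patch Tuesday falls in week 2
  installationSchedule               = @{
    '@odata.type'        = '#microsoft.graph.windowsUpdateScheduledInstall'
    scheduledInstallDay  = 'tuesday'
    scheduledInstallTime = '03:00:00.0000000'
  }
  qualityUpdatesDeferralPeriodInDays = 0     # quality updates as soon as released
  featureUpdatesDeferralPeriodInDays = 30    # feature updates held back; version pinned below
  deadlineForQualityUpdatesInDays    = 7     # SCCM-style deployment deadline (assumed values)
  deadlineForFeatureUpdatesInDays    = 14
  deadlineGracePeriodInDays          = 2
}
$ringObj = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceConfigurations" `
  -Body ($ring | ConvertTo-Json -Depth 5)

# 2. Feature Update profile that freezes the build at Windows 10 20H2.
$featureProfile = @{
  displayName          = 'W10 Feature Update - 20H2'   # assumed name
  featureUpdateVersion = 'Windows 10, version 20H2'
}
$fuObj = Invoke-MgGraphRequest -Method POST -Uri "$base/windowsFeatureUpdateProfiles" `
  -Body ($featureProfile | ConvertTo-Json)

# 3. Assign both to the same Azure AD group so new enrolments receive the correct patching.
$assignBody = @{ assignments = @(@{ target = @{
  '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) } |
  ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceConfigurations/$($ringObj.id)/assign" -Body $assignBody
Invoke-MgGraphRequest -Method POST -Uri "$base/windowsFeatureUpdateProfiles/$($fuObj.id)/assign" -Body $assignBody
```

Run it once against a pilot group first and confirm in Endpoint Manager that the ring and feature profile show the expected settings before widening the assignment.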

Next Part

In the next part we will focus on the device/user collection migrations and the planning of migrating them into Modern Workplace Management.
