    Disable windows updates (wufb) on selected devices using Intune

    By Eswar Koneti, July 07, 11:04 pm

    WUfB (Windows Update for Business) is a feature in Microsoft Intune that allows organizations to manage and control the deployment of Windows updates across their devices.

    With WUfB, Intune administrators can define update ring policies and settings to ensure that devices within their organization receive the necessary updates in a controlled manner.

    This helps organizations maintain security and compliance by ensuring that devices are up to date with the latest patches and fixes.

    For more information about WUfB deployments, please refer to https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure

    After you create and deploy the WUfB ring policies, devices receive the settings, start reporting to WUfB DS, and continue from there.

    Recently I had a scenario where I needed to disable automatic updates on specific devices that are managed by WUfB.

    Considering the requirement, I cannot use the Pause option that is available in the WUfB ring policy. The Pause option pauses updates for up to 35 days on all devices where the ring is targeted.

    In this blog post, we will explore how to achieve this using Intune Catalogue Settings.

    1. To begin, we need to create an Azure AD group that will contain the devices for which we want to disable automatic updates.

    Create Azure AD group with name: Intune - windows computers - Disable Windows updates

    2. Next, we will configure the Intune Catalogue Settings to disable automatic updates for the devices in the Azure AD group we created.

    Go to Intune, Devices, Configuration profiles and select Create, New (Devices - Microsoft Intune admin center).

    Give it a name and description.

    In Add settings, search for Allow Auto Update and choose Windows Update for Business.

    From the drop down, choose Turn off automatic updates. This will prevent the selected devices from automatically downloading and installing updates.

    Click Next, Next, and in the assignment section, add the group that we created earlier.

    Review and create the policy.

    3. Exclude the Azure AD group from all of your WUfB ring policies. This makes sure there are no conflicts; otherwise the device will receive conflicting settings (updates enabled vs. disabled).

    With this, we have completed all the required configurations. Now adding the device to the security group will ensure the automatic updates are disabled.

    At the next client policy sync, automatic updates will be disabled.

    If you want to resume patching, all you need to do is remove the devices from the group, and the devices will pick up the WUfB ring policies automatically.
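
    A read-only audit of this setup, as an added example that is not part of the original post: it lists the devices in the group from step 1 and checks that every WUfB ring carries the step 3 exclusion. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication module) and an account that can consent to the read scopes shown.

```powershell
# Added example (not from the original post): read-only audit of the opt-out group.
# Assumes the Microsoft.Graph.Authentication module and consent to these read scopes.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'Device.Read.All', 'DeviceManagementConfiguration.Read.All'

$groupName = 'Intune - windows computers - Disable Windows updates'  # group from step 1
$base      = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so large result sets are not silently truncated.
function Get-GraphAll([string]$Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Resolve the group by name; stop if the name is missing or ambiguous.
$filter = [uri]::EscapeDataString("displayName eq '$groupName'")
$group  = @(Get-GraphAll "$base/groups?`$filter=$filter")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)." }
$groupId = $group[0].id

# Devices in the group are the ones that no longer patch automatically.
$devices = @(Get-GraphAll "$base/groups/$groupId/members" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.device' })
"Devices with automatic updates turned off: $($devices.Count)"
$devices | ForEach-Object { "  $($_.displayName)" }

# Every update ring must list the group as an exclusion target (step 3).
$ringFilter = [uri]::EscapeDataString("isof('microsoft.graph.windowsUpdateForBusinessConfiguration')")
$report = foreach ($ring in Get-GraphAll "$base/deviceManagement/deviceConfigurations?`$filter=$ringFilter") {
    $excluded = Get-GraphAll "$base/deviceManagement/deviceConfigurations/$($ring.id)/assignments" |
        Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' -and
                       $_.target.groupId -eq $groupId }
    [pscustomobject]@{ Ring = $ring.displayName; ExcludesGroup = [bool]$excluded }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.ExcludesGroup })
if ($missing) { Write-Warning "$($missing.Count) ring(s) do not exclude '$groupName'; step 3 is incomplete." }
```

    Running this on a schedule and reviewing the device list keeps the opt-out group from quietly accumulating unpatched machines.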

    Now, let's see the end-user experience. After the client receives the updated policies, you will see the following message.

    [Screenshot: end-user message]

    In conclusion, by leveraging Intune Catalogue Settings, we can easily disable automatic updates on selected devices. This provides a flexible approach to manage Windows updates based on specific organizational requirements.

    However, it's important to strike a balance between customization and maintaining the overall security and compliance of your device fleet.

    In the next blog, we will see how to disable the automatic updates for Microsoft 365 apps using Intune.

    3 Comments

    1. Patrick on October 24, 2023 3:59 AM

      Pls, I need to configure an Update ring to allow only manual Microsoft Updates.

      Is that possible using Intune? If yes, please how can I do that? Can you detail how the Update Ring needs to be configured to have this behavior?

      • Eswar Koneti on October 28, 2023 12:55 PM

        Hi,
        If you would like to allow manual patching (meaning: open Settings, click on Check for updates), you can choose notify download in the user experience settings.
        Please refer to the docs: https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-settings#user-experience-settings

        Thanks,
        Eswar

    2. Madhu Ranganatha on July 7, 2023 11:45 PM

      Thank you for the post
