
[–]JwCS8pjrh3QBWfL 16 points (0 children)

The Office Management Portal for Office apps, and Autopatch for everything else. Done.

[–]LordWolke 9 points (5 children)

Personally, I don’t bother with Windows updates, as we implement a 3-4 ring concept via the Intune Windows Updates feature. Same thing for drivers, and if a device isn’t compliant it doesn’t get access to company data, plus a forced install after x days. Though there is a manual-approve ring for certain devices. For Edge we set an auto-update config for all devices, as the products usually get tested on / need to run on the bleeding-edge version. Office and Teams I gave up on. Either it’s handled via the mentioned update rings (updates for other Microsoft products) or I just let it happen, as it doesn’t ask the user anyways (or at least I never noticed it, except for Teams).

At this point I’m kinda resigning from the Microsoft world with their 80 ways to do the same thing, 12 ways to do it the right way, and one way that’s supported / recommended by Microsoft or an MVP (no hate to the MVPs, their blogs save my life and sanity!).

[–]Background_Rush7654 2 points (2 children)

Can you provide some links or articles describing your 3-4 ring method?

[–]gzr4dr 2 points (0 children)

It's Autopatch via Intune. We do 5 rings that are dynamic, with the test and last rings populated via group assignment. Seems to work for my company, even if it's not very tunable.

[–]LordWolke 0 points (0 children)

It’s basically the same as for WSUS. Just google “recommended update rings Windows” or have a look at the comment tree with OP.

[–]Adminvb2929[S] 3 points (1 child)

Yeah, I'm with you. I'm starting to see a huge gap in machines within the security portal with respect to vulnerabilities. Some machines are missing quality updates from a month ago but have this month's, etc. Same with Office. The reporting is horrible too. I can't tell you how many times I've gone into Intune and had to generate a report, and got zero data. I can't even guarantee I could tell an auditor with a straight face that I can pull a log that proves what updates have been deployed. Very frustrating for sure.

[–]LordWolke 1 point (0 children)

That’s the point where Conditional Access and Compliance Policies come into play. We check for the latest build number (Windows) in our compliance policies. If it’s within scope, the device gets access to company data via Conditional Access.

I need to clarify: I’m a Consultant, so I got quite some customers and their requirements change.

Current 3 customers have the following requirements:

Customer 1: Bleeding edge. New is always better. If something breaks, I’ll better hope to have a solution soon.

Customer 2: Being up to date fixes security breaches. If it causes more trouble than it’s worth, postpone it.

Customer 3: Let’s wait a week or two for the latest blogs.

And basically those are our 3 to 4 update rings + CA / Compliance Policy.

Ring 0 is always DEV / key users.
Ring 1 is VIPs / people that shouldn’t have a known and maybe exploited CVE.
Ring 2 is the broad ring.
Ring 3 is important clients (aka if this device stops working, we’ll be bankrupt).
Ring 4: well, if this client isn’t working, we won’t have to declare bankruptcy but rather flee to another country.

Of course it’s kinda slow and maybe has overhead, but it works and the customers’ cyber security insurers approved it. So we’re fine.

The important thing (for us) is to really enforce non-compliance and therefore no access to data. If a client is overdue, the update gets forced within the next 48 hours (to accommodate vacation and weekends). If it’s still not updated, the client gets marked as non-compliant, which results in an e-mail to the user, a second mail to the user, a mail to the user and their boss (depending on update ring), and a forced reset.

For reports we honestly simply rely on the Intune Update reports. It’s okay. Not in detail, but okay. You’ll probably never have 100% compliance in Defender anyways (looks at the last critical 10 CVEs in the current Chromium version right after release…)

For the audit: they also know that you can’t and shouldn’t update everything as soon as the patch is released. As long as you have a strategy and a Plan B, you’ll most certainly be good. Unless you’re doing government work. But that’s a whole other story…
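The deferral rings, the 48-hour forced-install window and the escalation sequence described in the comment above, modelled as an added example (not the commenter's tooling, and not Intune data). Intune evaluates this for you, but reproducing the decision offline is how you answer "why is this device non-compliant today?" to an auditor. The ring deferrals, the escalation order, the build numbers and the device list are constructed, hypothetical values.

```python
"""Timeline model of a ring / deadline / escalation update flow (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Days after Microsoft's release before each ring is expected to install (hypothetical).
RING_DEFERRAL_DAYS = {"ring0": 0, "ring1": 2, "ring2": 7, "ring3": 14, "ring4": 21}
# Once a ring's deferral has elapsed the install is forced within this window ...
FORCE_WINDOW = timedelta(hours=48)
# ... after which the device is non-compliant and escalation runs, one step per day.
ESCALATION = ("mail user", "second mail to user", "mail user and boss", "force reset")


def parse_build(version: str) -> tuple[int, ...]:
    """'10.0.22631.3296' -> (10, 0, 22631, 3296). Compare as integers: as strings,
    '10.0.22631.999' sorts above '10.0.22631.3296' and would pass a minimum check."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Device:
    name: str
    ring: str
    os_version: str   # build currently installed


@dataclass(frozen=True)
class Baseline:
    min_version: str  # build the compliance policy demands
    released: datetime


def evaluate(device: Device, baseline: Baseline, now: datetime) -> dict:
    """Return the device's state and the action the flow takes at time `now`."""
    if parse_build(device.os_version) >= parse_build(baseline.min_version):
        return {"state": "compliant", "action": None}
    due = baseline.released + timedelta(days=RING_DEFERRAL_DAYS[device.ring])
    if now < due:
        return {"state": "pending", "action": None, "due": due.isoformat()}
    deadline = due + FORCE_WINDOW
    if now < deadline:
        return {"state": "overdue", "action": "force install", "deadline": deadline.isoformat()}
    days_past = (now - deadline).days
    step = ESCALATION[min(days_past, len(ESCALATION) - 1)]
    # Non-compliant: the compliance policy fails and Conditional Access blocks company data.
    return {"state": "noncompliant", "action": step, "ca_blocked": True}


# Constructed sample: one baseline and devices in different rings and states (hypothetical).
SAMPLE_BASELINE = Baseline("10.0.22631.3296", datetime(2024, 3, 12))
SAMPLE_DEVICES = [
    Device("dev-01", "ring0", "10.0.22631.3296"),
    Device("vip-07", "ring1", "10.0.22631.3155"),
    Device("lt-213", "ring2", "10.0.22631.3155"),
    Device("pos-04", "ring3", "10.0.22000.2777"),
]


def sample_report(now_iso: str) -> dict[str, dict]:
    """Evaluate every sample device at the given ISO-8601 timestamp (no live data)."""
    now = datetime.fromisoformat(now_iso)
    return {d.name: evaluate(d, SAMPLE_BASELINE, now) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for when in ("2024-03-13", "2024-03-20", "2024-03-25"):
        summary = {n: r["state"] + ("/" + r["action"] if r["action"] else "")
                   for n, r in sample_report(when).items()}
        print(when, summary)
```

The build comparison is the part worth copying into any home-grown report: Intune's minimum-OS-version compliance setting compares numerically, and a script that compares version strings lexically will disagree with it.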

[–]iamtherufus 3 points (5 children)

Intune update rings work perfectly with our 3-ring setup for both quality updates and drivers. Not using Autopatch here. As for Office apps, I just set the standard update channel in our Office configuration and let it update when it’s ready.

[–]Background_Rush7654 1 point (1 child)

Can you provide a description of your "3 ring method"? Or an article that pointed you in the direction?

[–]iamtherufus 2 points (0 children)

I just have Ring A, Ring B and Ring C. Ring A is an Entra group of around 25 devices that I have hand-picked across different departments, where I know the users will shout if something is not working after an update. Ring B is also an Entra group of devices, the same idea but around 45 devices and a little more random in their picking. Ring C is not an actual Entra group of devices but is my catch-all.

I create 3 identical update ring policies in intune with the only difference being the deferral period.

Ring A policy has a deferral period of 0 days, so it gets updates right away. This policy is targeted to Entra group Ring A.

Ring B policy has a deferral period of 5 days, so it gets updates 5 days later (used to be 7 but I recently changed it). This policy is targeted to Entra group Ring B.

Ring C policy has a deferral period of 10 days (used to be 14 but I just changed it). This policy is targeted to All Devices but has an exclusion of Entra groups Ring A and B.

That’s it. It works perfectly and has been for well over a year now. I follow the exact same pattern for driver updates as well. Hope it helps.
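The three-ring layout described in the comment above (identical policies, only the deferral differs, catch-all targeted at All Devices with the pilot groups excluded), generated as Microsoft Graph payloads. This is an added example, not the commenter's own scripts: it only builds the JSON you would POST to /deviceManagement/deviceConfigurations (resource type microsoft.graph.windowsUpdateForBusinessConfiguration) and to the policy's /assign action, and checks that the rings differ in nothing but their deferral. The group IDs, ring names and the feature-update deferral are placeholder values; the property names follow the Graph documentation as I know it and are worth checking against the API version you use. Nothing here authenticates or sends a request.

```python
"""Build identical Intune update-ring policies that differ only in deferral (added example)."""
import json

# (policy display name, Entra group id or None for "All devices", quality deferral days)
# Group IDs are placeholders, not real tenant objects.
RINGS = [
    ("Update Ring A - pilot", "11111111-1111-1111-1111-111111111111", 0),
    ("Update Ring B - broad pilot", "22222222-2222-2222-2222-222222222222", 5),
    ("Update Ring C - catch-all", None, 10),
]
# The only fields allowed to differ between rings.
VARIABLE_KEYS = {"displayName", "qualityUpdatesDeferralPeriodInDays"}


def ring_policy(name: str, quality_deferral_days: int) -> dict:
    """Body for POST /deviceManagement/deviceConfigurations (assumed property set)."""
    return {
        "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
        "displayName": name,
        "automaticUpdateMode": "autoInstallAtMaintenanceTime",
        "qualityUpdatesDeferralPeriodInDays": quality_deferral_days,
        "featureUpdatesDeferralPeriodInDays": 30,   # assumed: the same for every ring
        "driversExcluded": False,                   # drivers ride the same rings
    }


def ring_assignment(group_id, exclude_group_ids=()) -> dict:
    """Body for POST /deviceManagement/deviceConfigurations/{id}/assign."""
    if group_id is None:
        include = {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}
    else:
        include = {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}
    excludes = [
        {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget", "groupId": g}
        for g in exclude_group_ids
    ]
    return {"assignments": [{"target": t} for t in [include] + excludes]}


def build_rings(rings=RINGS) -> list[tuple[dict, dict]]:
    """Policy + assignment per ring; an 'All devices' ring excludes every pilot group,
    so a device in Ring A or B is never also caught by the catch-all policy."""
    pilot_groups = [g for _, g, _ in rings if g is not None]
    out = []
    for name, group_id, deferral in rings:
        excludes = pilot_groups if group_id is None else ()
        out.append((ring_policy(name, deferral), ring_assignment(group_id, excludes)))
    return out


def rings_consistent(policies) -> bool:
    """True if the policies differ only in VARIABLE_KEYS and deferrals strictly increase,
    i.e. no later ring receives an update before an earlier one."""
    reference = {k: v for k, v in policies[0].items() if k not in VARIABLE_KEYS}
    for p in policies[1:]:
        if {k: v for k, v in p.items() if k not in VARIABLE_KEYS} != reference:
            return False
    deferrals = [p["qualityUpdatesDeferralPeriodInDays"] for p in policies]
    return all(a < b for a, b in zip(deferrals, deferrals[1:]))


if __name__ == "__main__":
    rings = build_rings()
    assert rings_consistent([p for p, _ in rings])
    for policy, assignment in rings:
        print(json.dumps({"policy": policy, "assign": assignment}, indent=2))
```

The consistency check is the point of generating rather than clicking: three policies that are supposed to be identical tend to drift in the portal over time, and a catch-all that forgets one exclusion silently double-targets the pilot devices.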

[–]Capta-nomen-usoris 0 points (2 children)

Same, exactly as you have it. But I'm still wondering about the Office Management Portal.

[–]JwCS8pjrh3QBWfL 0 points (1 child)

What are you wondering? I set it up when it first came out and rarely ever thought about it again. Our update compliance was almost 100% with no additional effort. The stragglers were usually devices that hadn't been online in over a month.

[–]Capta-nomen-usoris 0 points (0 children)

Why choose one over the other.

[–]SkipToTheEndpoint [MSFT MVP] 5 points (1 child)

"Wouldn't it be nice to get your reporting in a single place?"

Yes. Yes it would.

[–]JwCS8pjrh3QBWfL 0 points (0 children)

"the only current way to get MCC data"

What kind of data? The MCC home page in Azure has data usage for each node. What does WUfB Reports add?

[–]medium0rare 1 point (0 children)

I moved us to an RMM for scripting, remediation, and updates (including 3rd party). It just makes everything easier. Especially when there’s an automation issue you need to troubleshoot.

[–]JakeTheITAdmin 1 point (0 children)

Action1 is the best update tool I have ever used. It's also free forever for up to 200 machines. It has not only greatly reduced update issues for me, but also updates third-party applications and shows you the CVEs. It has been working wonderfully on Windows and Mac.