Troubleshooting Windows Feature updates in Microsoft Intune

Managing Windows feature updates through Microsoft Intune is crucial for maintaining device security and performance. However, administrators may encounter challenges during deployment. This guide outlines essential troubleshooting steps to address common issues with feature update policies in Intune.

Prerequisites for Feature Update Deployment

Before deploying feature updates, ensure the following prerequisites are met:​

• Licensing Requirements: Devices must have appropriate licenses that include access to the Windows Update for Business deployment service, such as:​

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)​

  • Windows Virtual Desktop Access E3 or E5​

  • Microsoft 365 Business Premium​

  These licenses enable features like gradual rollout and optional feature updates.​

• Telemetry Configuration: Deploy a device restriction policy to all targeted devices, setting the "Share usage data" option to "Required." This ensures accurate reporting and telemetry.​

• Diagnostic Data Collection: Configure diagnostic data collection tenant-wide in the Intune admin center under Tenant administration > Connectors and tokens > Windows data. Proper configuration is vital for accurate feature update reporting.​

• Service Status:

  • Microsoft Account Sign-in Assistant: Ensure this service is not disabled; it should be set to "Manual" by default.​

  • Connected User Experiences and Telemetry: Confirm this service is set to "Automatic" and is running.​

• Supported Windows Versions: Devices should be running supported editions such as Professional, Enterprise, or Education.​

• Network Connectivity: Verify that devices can access necessary Intune and Windows Update endpoints.​

Configuring Update Rings with Feature Update Policies

When deploying update rings alongside feature update policies, consider the following:​

• Feature Update Deferral Period: Set this to '0' days to avoid delaying feature updates.​

• Upgrade to Latest Windows 11 Release: If enabled, eligible Windows 10 devices will upgrade to the latest Windows 11 feature update, potentially overriding specific feature update policies.

Common Troubleshooting Steps

If devices are not receiving or installing feature updates as expected:

1. Policy Assignment Verification: Ensure that the feature update policy is correctly assigned to the intended device groups.

2. Update Compliance Monitoring: Utilize Intune's reporting features to monitor update compliance and identify devices that are not updating.​

3. Windows Update Service Checks: Confirm that the Windows Update service is running and not disabled on the devices.​

4. Registry Configuration: Verify that registry settings align with the deployed policies.​

5. Safeguard Holds: Be aware of any safeguard holds that might prevent the update from being offered to certain devices due to known compatibility issues.​

6. Manual Update Attempts: Attempt to manually initiate the update on a device to determine if the issue is with policy deployment or the update process itself.​

By systematically verifying prerequisites, configuring policies correctly, and utilizing Intune's monitoring tools, administrators can effectively troubleshoot and resolve issues related to Windows feature updates in Microsoft Intune.

The future of Mac device management is with Microsoft Intune

​Managing Mac devices in the enterprise has traditionally been a complex task, often requiring multiple tools and platforms. However, Microsoft Intune is transforming this landscape by offering a unified, efficient, and secure solution for macOS management.​

Key Advantages of Using Microsoft Intune for Mac Management:

• Unified Device Management: Intune allows organizations to manage all devices—Windows, macOS, iOS, and Android—through a single platform, simplifying administration and ensuring consistent policies across different operating systems.

• Enhanced Security and Compliance: With robust security features like encryption enforcement, password requirements, and remote wipe capabilities, Intune helps protect corporate data on Mac devices. Administrators can enforce compliance policies to ensure devices adhere to organizational standards.

• Seamless Application Deployment: Intune simplifies the deployment and management of applications on Mac devices, supporting both DMG and PKG app package types. This ensures users have access to necessary software without complex procedures. 

• Declarative Device Management (DDM): Intune supports Apple's DDM protocol, enhancing policy delivery performance and enabling more robust device compliance and app inventory capabilities. ​

• Integration with Microsoft Ecosystem: Intune integrates seamlessly with Microsoft Entra ID (formerly Azure Active Directory) and other Microsoft services, providing a cohesive and secure environment for device management.

By leveraging Microsoft Intune, organizations can streamline their Mac management processes, enhance security, and provide a better experience for both IT administrators and end-users.​

For a more in-depth look at how Intune is revolutionizing macOS management, check out this Microsoft Mechanics podcast:

Microsoft Mechanics Podcast

Note: This post is inspired by insights from the Microsoft Tech Community blog on macOS management with Intune.

Migrating ADE iOS Devices to Intune

The following article helps IT Pros and mobile device administrators understand some of the finer details regarding iOS device migration from an existing MDM platform to Intune when using Apple’s Automated Device Enrolment program (ADE), formally known as the Device Enrolment Program (DEP). We receive a lot of questions on how best to approach the issue of factory resets and how to handle the Apple Business Manager (ABM) side of things. We hope this article helps with some of the decisions you will face when deciding the best path forward for your organization.

 

As you migrate your mobile device management to Microsoft Intune, arguably one of the most important parts of the transition will be the impact to your users. Before considering how you will migrate your devices to Intune, it is important to understand your device landscape and how your employees are using their devices. This information will largely drive your migration path.

 

Based on our experience working with customers, the following are the most common points that will help you decide how you will migrate, and what the user experience will be during the migration:

• You currently have iOS Apple Business Manager devices enrolled in another MDM platform.

  • In this scenario, the devices will need to be moved to a new (Intune) MDM server in Apple Business Manager to be able to pick up an Intune ADE profile.

  • Devices must be factory reset to properly enrol in Intune and remain in a fully supported state with Microsoft and Apple.

• Users store personal data on these devices.

  • Devices with personal data on them will need to be backed up by the user to their iCloud account if they wish to retain it, however this does require you to backup corporate data to a consumer cloud service that is not controlled by your organization.

  • Devices must be unenrolled from the current MDM platform before the final backup is taken.

  • If users decide to use the restore option in the Apple Setup Assistant, once the restore is complete they will have to visit the App Store to install the Intune Company Portal.

• Users backup the device to personal iCloud.
  • Backing up a device while it is still enrolled in your current MDM will mean the management profile will also be backed up, and, subsequently, re-applied to the device at the point of restore.
• You are/are not willing to factory reset the devices.
  • The only supported way to enrol an ADE device is from the out-of-box experience, which requires a factory reset of the device. While it is technically possible to unenroll from one MDM platform and enrol into Intune manually via the App Store version of Company Portal, this is not recommended for several reasons:

    • It is not possible to “lock” a management profile to a device enrolled in this manner (however, the device does retain its “supervised” state).

    • The device will not show as being enrolled against an ADE profile in Intune, which means any configuration applied based on that logic will not be applied to the device.

    • Devices will not get automatically marked as “Corporate”.

 

NOTE: If you ever need to re-enrol your ADE device, you must first add the IMEI number of that device as a corporate identifier. You might need to re-enrol your ADE device if you are troubleshooting an issue, like the device not receiving policy. In this case, you would:

1. Retire the device from the Intune console.
2. Add the device's serial number as a corporate device identifier.
3. Re-enrol the device by downloading the Company Portal and going through device enrolment.

Failing to do this will mean the device will be marked as “Personal” and not “Corporate”.

 

Now let us look at an example scenario that we commonly see when working with our customers.

 

Example iOS scenario

Contoso has iOS ADE devices currently enrolled in an MDM platform. They allow their staff to use their personal Apple IDs on their devices and store personal data on them. Most of their users do this, and back-up their content to iCloud. Staff understand that devices may, from time to time, need to be factory reset and may be wiped if lost or stolen. Contoso IT wants the migration to Intune to be done as quickly as possible, so they are only managing two MDM platforms for a short time. They want minimal IT interaction when it comes to users enrolling their devices. Contoso has users in regions where ADE is not supported by Apple.

 

In this example, the migration flow for ADE devices could look like this:

1. IT Pro Action: In Apple Business Manager, move the user’s device to the new Intune MDM Server and sync devices in Intune.
2. IT Pro Action: Unenroll the device from the current MDM.
3. User Action: Backup the device to iCloud.
4. User Action: Factory reset the device.
5. User Action: Enrol device through ADE flow (do not select restore option as this will break the enrolment flow).
6. User Action: Once enrolled, add Apple ID and Once enrolled, add Apple ID and let the data resync to the device.

 

This procedure ensures that the data on the device is backed up without the old management profile and the device has been enrolled correctly with the new Intune-based ADE profile. Many of our customers add the user to a Conditional Access group after step #3, which blocks access to corporate resources until the user enrols and their device is compliant.

 

In the same example, the migration flow for non-ADE devices would look like this:

1. IT Pro Action: Unenroll the device from the current MDM.

2. User Action: Backup the device to iCloud.

3. User Action: Download Company Portal from the App Store.

4. User Action: Enrol device through Company Portal app.

5. User Action: Once enrolled, add Apple ID and restore any required data.

 

NOTE: The Intune service synchronizes with Apple at the following frequencies*:

• ADE: Once every 12 hours
• VPP: Once every 15 hours

*It is possible to run a manual synchronization, or use a synchronization script to increase the frequency, which can be found here (ADE) and here (VPP).

 

Conclusion

As you can see from the examples, the migration path will largely be determined by the way the devices are being used by your employees, so it is important to do some analysis before deciding the best path forward for your organization.

 

More info and feedback

For further resources on this subject, please see the links below.

 

Supported operating systems and browsers in Intune

Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrolment

Enroll iOS/iPadOS devices in Intune

Backup and restore scenarios for iOS/iPadOS

Troubleshoot iOS/iPadOS device enrolment problems in Microsoft Intune

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community Page, or leave a comment below.

 

Follow @MSIntune and @IntuneSuppTeam  on Twitter.