Windows Update for Business Patching using Intune | WUfB Patching Process

This week, let’s talk about How to Configure Windows Update for Business Patching using Intune. Microsoft introduced Windows Update for Business in the middle of 2017.

Windows Update for Business (WUfB) has been available since Windows 10 version 1511. Microsoft kept working on improving to provide IT professionals with greater control and deliver an enhanced end-user experience.  

Windows Update for Business, IT administrators can update all Windows client devices in their organization with the latest security updates (hotfix) and Windows features by connecting these devices directly to the Windows Update service.

I see that Small/medium/large organizations can leverage it for better control over their corporate and internet-connected devices. You also can check the WindowsUpdate.log review in the below section of this post.

Patch My PC

You may ask, how about Azure VM’s running Windows Servers? Refer to the MS reference for server patching: Server Patching with Azure Update Management for Azure Servers.

The following blogs have detailed information as well:

PREREQUISITES

To deploy the updates using Windows Update for Business (WUfB) using Intune requires the below prerequisites.

Operating System Requirements

Microsoft Windows Update for Business (WUfB) applies only to Windows 10 and Windows 11 operating systems. The Windows Update for Business (WUfB) service is free by Microsoft. It supports the below editions,

Adaptiva
  • Windows 10/11 Pro
  • Windows 10/11 Enterprise
  • Windows 10/11 Team
  • Windows Holographic for Business

Unsupported OS: LTSC support for Windows 10/11 Enterprise: Windows Update for Business (WUfB) does not support the Long Term Service Channel release.

How to Configure Windows Update for Business Patching using Intune | WUfB Patching Process 1
How to Configure Windows Update for Business Patching using Intune | WUfB Patching Process 1

Device Enrollment Requirements

The Windows 10/11 device should either be enrolled in Intune MDM, hybrid AD joined, or Azure AD joined.

MECM (aka SCCM) Co-Management Requirements

If your organization uses the MECM (aka SCCM) co-management scenario, the slider for Software Update is set to Intune.

Microsoft Account Sign-in Assistant (wlidsvc) Service

This setting is required for a Feature update for Windows 10/11 rollout.   It fails to receive updates if the service is blocked or set to Disabled.  The service is set to Manual (Trigger Start) by default, so it will run whenever it is required.

Telemetry Configuration (only required for Feature updates)

Implement Telemetry as part of the Device Restriction policy in Windows 10/11. Under Reporting and Telemetry, the device restriction profile configure the Share usage data with a minimum value of Required.

TYPE OF UPDATES SUPPORTED IN INTUNE

The Windows Updates for Business (WUfB) support the following Update Categories for Windows 10/11 devices.  

  • Feature updates
  • Quality updates
  • Driver updates
  • Microsoft product updates

UPDATE RING SETTINGS

There are two sections in the Update ring settings, Update settings and User experience settings. For each section, there are settings to configure the update rings for the deployment.

Update settings

Here, you can find information about the Update (hotfix) deployment settings. About the deferral period, Deferrals allow you to specify the number of days after an update is released before it is offered to a particular device.

If you set a 365-day feature update deferral period, the device will not install a feature update released in less than 365 days.

Update settingsSettings
Microsoft product updatesAllow or Block
Windows driversAllow or Block
Quality update deferral period (days)The value must be between 0 to 30
Feature update deferral period (days)The value must be between 0 to 365
Upgrade Windows 10 devices to the Latest
Windows 11 release
Yes or No
Set feature update uninstall period (2 – 60 days)The value must be between 2 to 60
Enable pre-release buildsEnable or Not Configured
Select pre-release channel·         Windows Insider – Release Preview
·         Beta Channel
·         Dev Channel  
How to Windows Update for Business Patching using Intune- Update settings

User experience settings

This section will have the User experience settings, which will allow you to customize the environment for the end-user experience. The User experience settings will vary based on your environment requirements.

User experience settingsSettings
Automatic update behavior·         Notify download
·         Auto install at maintenance time

Active hours start – 12 AM to 11 PM
Active hours end – 12 AM to 11 PM
·         Auto install and restart at maintenance time
Active hours start – 12 AM to 11 PM
Active hours end – 12 AM to 11 PM
·         Auto install and restart at a scheduled time

Automatic behavior frequency:
· Every Week
· First week of the month
· Second week of the month
· Third week of the month
· Fourth week of the month

·         Auto install and reboot without end-user control

·         Reset to default
Restart checksAllow or Skip
Option to pause Windows updatesEnable or Disable
Option to check for Windows updatesEnable or Disable
Change notification update level·         Not configured
·         Use the default Windows Update notifications
·         Turn off all notifications, excluding restart warnings
·         Turn off all notifications, including restart warnings
Use deadline settingsAllow or Not configured
Deadline for feature updatesNumber of days, 2 to 30
Deadline for quality updatesNumber of days, 2 to 30
Grace periodNumber of days, 0 to 7
Auto reboot before the deadlineYes or No
How to Configure Windows Update for Business using Intune – User experience settings

Configure Windows Update for Business Patching using Intune

This section, let’s see how to Configure Windows Update For Business Using the Microsoft Intune console.

  • Open the Microsoft Endpoint Manager admin center.
  • Select Devices in the left-hand panel and then click the Update ring for Windows 10 and later.
  • Click Create a profile to create the new update ring policy.
How to Configure Windows Update for Business using Intune - Create an updated ring
How to Configure Windows Update for Business Patching using Intune – Create an updated ring

In the Basics tab, type the Name and Description of the deployment information and then click Next.

How to Configure Windows Update for Business Patching using Intune - Update ring Basic tab
How to Configure Windows Update for Business Patching using Intune – Update ring Basic tab

In the Update ring settings tab, you can configure the Update settings and User experience settings as per your requirement and click Next. I have chosen basic settings to deploy the updates in my lab environment.

Develop a strong update strategy that includes a minimum of three rings of Test, Pilot, and Production. More Details -> Intune Monthly Patching Guide Software Update Patching Options with Intune WUfB

How to Configure Windows Update for Business Patching using Intune - Update ring settings tab
How to Windows Update for Business Patching using Intune – Update ring settings tab

In the Scope tags tab, click Next.

Note: If you would like to assign a scope for this assignment, you can add it by selecting +Select scope tags

How to Configure Windows Update for Business Patching using Intune - Scope tab
How to Configure Windows Update for Business Patching using Intune – Scope tab

In the Assignments tab, you can assign these update rings by selecting the Add groups ( I have always chosen device groups).

How to Configure Windows Update for Business Patching using Intune - Assignments tab
How to Configure Windows Update for Business Patching using Intune – Assignments tab

Once you choose and select the AAD group, Click Next.

Note: You can exclude the AAD group part of this deployment if you are going with an update ring model.

How to Configure Windows Update for Business Patching using Intune - Assignments tab
How to Configure Windows Update for Business Patching using Intune – Assignments tab

Review the update ring configuration in the Review + create tab and click Create to complete the update ring deployment.

How to Configure Windows Update for Business using Intune - Review + create a tab
How to Configure Windows Update for Business using Intune – Review + create a tab

HOW TO CHECK WUfB LOG IN WINDOWS 10 or Windows 11 CLIENT

Let’s check WUfB logs from Windows devices. In Windows 10 or Windows 11 client, you can refer to the WindowsUpdate.log for status and errors by generating a log file with the PowerShell cmdlet Get-WindowsUpdateLog.

Open the Powershell model and type Get-WindowsUpdateLog and then enter.

More Details – How to enable WindowsUpdate.log using the PowerShell method and use CMPivot to collect the logs.

How to Configure Windows Update for Business using Intune - Get-Windowsupdate.log
How to Configure Windows Update for Business using Intune – Get-Windowsupdate.log

The Windowsupdate.log file is successfully generated, and the file was automatically saved into the <Users>\desktop folder path.

How to Configure Windows Update for Business using Intune
How to Configure Windows Update for Business using Intune – Windowsupdate.log file

Review Windows Update for Business – Windowsupdate.log

Example of Windowsupdate.log information, you can review the update and error status of the specific device.

2022/05/04 16:00:14.1202150 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.1202194 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.1282270 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.1282305 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.1294152 272 3992 Misc Set CDN prefix to 2
2022/05/04 16:00:14.1295278 272 3992 DownloadManager Update the URLs for DO Job 220C652C-F4C5-4270-A0BD-D9BA79D5C0CC – Update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1
2022/05/04 16:00:14.1300626 272 3992 DownloadManager 0 of 1 files’ URLs are updated.
2022/05/04 16:00:14.1302807 272 3992 DownloadManager Download job 220C652C-F4C5-4270-A0BD-D9BA79D5C0CC resumed.

2022/05/04 16:00:14.1416634 272 3992 DownloadManager All files for update 4BE2AD98-FE70-47D3-9DA1-CE40ADA86E9C.1 were already downloaded and are valid.
2022/05/04 16:00:14.1528294 272 3992 DownloadManager Setting DO job 15D9EB3C-853D-483E-8626-CC92131183F1 as the last job for update 4BE2AD98-FE70-47D3-9DA1-CE40ADA86E9C.1
2022/05/04 16:00:14.2107223 272 5372 DownloadManager DO job {220C652C-F4C5-4270-A0BD-D9BA79D5C0CC} completed successfully, updateId = 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1
2022/05/04 16:00:14.2144367 272 5372 Handler Received completion event for update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88 with 2 files
2022/05/04 16:00:14.2804413 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.2804449 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.2882383 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.2882418 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.2893217 272 3992 Misc Set CDN prefix to 2
2022/05/04 16:00:14.2894972 272 3992 DownloadManager Update the URLs for DO Job 982761A9-1949-4F1C-93D8-10A9E84F610A – Update 8CB6FA1F-C986-434D-95F5-BBBDAEDF38F5.1
2022/05/04 16:00:14.2899875 272 3992 DownloadManager 0 of 1 files’ URLs are updated.
2022/05/04 16:00:14.2902310 272 3992 DownloadManager Download job 982761A9-1949-4F1C-93D8-10A9E84F610A resumed.

2022/05/04 16:00:14.3054869 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.3054903 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3136611 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.3136669 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3148995 272 3992 Misc Set CDN prefix to 11
2022/05/04 16:00:14.3150214 272 3992 DownloadManager Update the URLs for DO Job DD8A0D1C-134C-45FF-BDB2-B73363F1310F – Update B995C52D-0BCA-4AC9-B981-489AF40B1CB2.1
2022/05/04 16:00:14.3155727 272 3992 DownloadManager 0 of 1 files’ URLs are updated.
2022/05/04 16:00:14.3157675 272 3992 DownloadManager Download job DD8A0D1C-134C-45FF-BDB2-B73363F1310F resumed.

Download execute or completion event for WUfB

2022/05/04 16:00:14.3330856 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.3330895 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3347249 272 3992 DownloadManager Queueing update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1 for download handler request generation.
2022/05/04 16:00:14.3347911 272 3992 DownloadManager Handler can skip block validation for update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1
2022/05/04 16:00:14.3412575 272 7660 DownloadManager Disabling chunked mode for download. updateid: 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1
2022/05/04 16:00:14.3412903 272 7660 DownloadManager Generating download request for update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1.
2022/05/04 16:00:14.3417338 272 7660 DownloadManager Calling into handler 0x9 to generate download request for update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1.
2022/05/04 16:00:14.3449709 272 7660 DownloadManager Found existing StreamingDataSource for update {107BDEBA-50A9-4A9F-B5CE-606905AFDB88} [d:D867215F]
2022/05/04 16:00:14.3450420 272 7660 Handler AppX GDR: Existing deployment operation for 107BDEBA-50A9-4A9F-B5CE-606905AFDB88
2022/05/04 16:00:14.3450443 272 7660 Handler AppX GDR: Waiting 0 ms for download execute or completion event.

2022/05/04 16:00:14.3450463 272 7660 Handler AppX GDR: WAIT_TIMEOUT seen. Wait timed out.
2022/05/04 16:00:14.3450550 272 7660 DownloadManager GenerateDownloadRequest returned WU_E_OPERATIONINPROGRESS for update 107BDEBA-50A9-4A9F-B5CE-606905AFDB88.1.
2022/05/04 16:00:14.3593700 272 8852 Handler CAppxRangeRequestJobNoBlockValidation::Run {107BDEBA-50A9-4A9F-B5CE-606905AFDB88} [d:D867215F]: Signalling Execution Event
2022/05/04 16:00:14.3609997 272 8852 DownloadManager Subscribing to GDR Retry due to async handler trigger.

2022/05/04 16:00:14.3610065 272 8852 Handler CAppxRangeRequestJobNoBlockValidation::Run {107BDEBA-50A9-4A9F-B5CE-606905AFDB88} [d:D867215F]: Begin Wait
2022/05/04 16:00:14.3610093 272 8852 Handler CAppxRangeRequestJobNoBlockValidation::Run {107BDEBA-50A9-4A9F-B5CE-606905AFDB88} [d:D867215F]: Signalling Execution Event
2022/05/04 16:00:14.3610278 272 8852 DownloadManager Subscribing to GDR Retry due to async handler trigger.

2022/05/04 16:00:14.3611157 272 8852 Handler CAppxRangeRequestJobNoBlockValidation::Run {107BDEBA-50A9-4A9F-B5CE-606905AFDB88} [d:D867215F]: Begin Wait
2022/05/04 16:00:14.3666189 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.3666224 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3739610 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]

2022/05/04 16:00:14.3739645 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3750304 272 3992 Misc Set CDN prefix to 2
2022/05/04 16:00:14.3751259 272 3992 DownloadManager Update the URLs for DO Job 982761A9-1949-4F1C-93D8-10A9E84F610A – Update 8CB6FA1F-C986-434D-95F5-BBBDAEDF38F5.1
2022/05/04 16:00:14.3755393 272 3992 DownloadManager 0 of 1 files’ URLs are updated.
2022/05/04 16:00:14.3757290 272 3992 DownloadManager Download job 982761A9-1949-4F1C-93D8-10A9E84F610A resumed.

2022/05/04 16:00:14.3901238 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.3901277 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3986922 272 3992 SLS Get response for service 9482F4B4-E343-43B6-B170-9A65BC822C77 – forceExpire[False] asyncRefreshOnExpiry[False]
2022/05/04 16:00:14.3986975 272 3992 SLS path used for cache lookup: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.19042.985/0?CH=534&L=en-US&P=&PT=0x4&WUA=10.0.19041.1265&MK=Microsoft+Corporation&MD=Virtual+Machine
2022/05/04 16:00:14.3998062 272 3992 Misc Set CDN prefix to 11
2022/05/04 16:00:14.3999033 272 3992 DownloadManager Update the URLs for DO Job DD8A0D1C-134C-45FF-BDB2-B73363F1310F – Update B995C52D-0BCA-4AC9-B981-489AF40B1CB2.1

MONITOR THE UPDATE RING STATUS

In this section, let’s see how to check the overall deployment status of the update rings.

  • Open the Microsoft Endpoint Manager admin center.
  • Select Devices in the left-hand panel and then click the Update ring for Windows 10 and later and select the specific update ring to view the status.
How to Configure Windows Update for Business using Intune - Update ring deployment status
How to Configure Windows Update for Business using IntuneUpdate ring deployment status

I would recommend always having a deployment strategy using Intune, considering the total number of devices or Users / per ring. Review the risk associated with the Quality update/feature update releases.

If it is, Windows 10 Pro allows 18months of support from the date of release, so always have an upgrade plan ready for Windows 10 Pro editions. If it, Windows 10 Enterprises allows 30months of support from the autumn releases.

Author

Kannan C S is a Technical Architect with more than 15 years of experience in the IT domain. He has worked on various technologies like Windows server administration, SCCM, SCOM, and Desktop Engineering domains. For the last 10 years, he has worked in Microsoft SCCM, focusing on Configuration Manager and Intune technologies.

6 thoughts on “Windows Update for Business Patching using Intune | WUfB Patching Process”

  1. thx for all the info…we are performing this update on a testgroup and half of the devices don’t get the update. Is there any errors i can specific search for in the log ? Any recommendations if wsus is still pointing to sccm ? thx

    Reply
  2. Nice article, it would be great if you include deliver optimization with this for windows patching within a network.

    Reply
  3. is the only option to follow up the deployment is the WUFB workbook into azure?

    Why can’t microsoft centralise this in the intune portal?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.