Hello! I am a Subject Matter Expert engineer with Microsoft’s FastTrack Center for M365 and have spent the last few years helping enterprises and SMB customers of all industries with their journey into modern management, most recently with a focus on configuring Windows 365 Enterprise and then provisioning and managing Cloud PCs. Whether you are new to Microsoft Endpoint Manager (MEM) and Windows 365 Enterprise or are already leveraging both, I hope you find the following information useful for your Windows desktop environment.
Moving update management to MEM
One conversation that keeps coming up with all my customers who are leveraging Windows 365 Enterprise is update management of the OS on Cloud PCs. The question typically is whether you should reprovision or leverage Windows Update for Business (WUfB) with MEM. It is understandable to have questions in this realm, as VDI environments are typically not treated the same as physical endpoints. If you are deciding on an update strategy, the following information highlights a few benefits of WUfB, the value obtained by leveraging WUfB through Microsoft Endpoint Manager, and a comparison with another typical method used with Cloud PCs.
#1: Cloud PCs are fully MDM enrolled into Microsoft Endpoint Manager (MEM)
What you get from Windows 365 Enterprise: Since Cloud PCs are provisioned by Intune, this automatically means that the devices are fully enrolled and managed by Intune. The Windows 365 Enterprise documentation highlights that “you can manage it like any other Windows device in Microsoft Endpoint Manager.”
This means you can start leveraging configuration profiles and update policies through Intune. For some, this means adding the value of cloud management into their repertoire of management tools or strategies. Let’s look at those benefits next.
#2: Efficient strategy of how updates are applied through WUfB
What you get from WUfB: Windows Update for Business (WUfB) is a cloud-based engine that requires no additional infrastructure. The goal is to simplify the update management experience without having to approve each individual update by adopting a ring strategy. In addition, customers can benefit from Safeguard holds. A Safeguard hold prevents a device with a known issue from being offered a new operating system version. This benefit is unique to Windows Update for Business, which means that you will not see it in another service like WSUS.
- WUfB preparation – Learn about using Windows Update for Business in Microsoft Intune | Microsoft Docs
- Windows as a service – Overview of Windows as a service – Windows Deployment | Microsoft Docs
- Safeguard holds – Safeguard holds – Windows Deployment | Microsoft Docs
When considering adopting WUfB for the organization, the key will be understanding and having a ring strategy that meets your organizational needs and expectations. Typically, what you would want from your ring strategy is that it helps you feel confident that you have validated and piloted as needed based on the business’ needs. Next, we will look at the control over updates through MEM.
#3: Full control of update management
What you get in MEM: Besides the use of Update ring policies in MEM to control deferral periods and servicing channels, customers now have exceptional control over feature updates and quality updates (monthly patches) with the following policies:
- Feature updates – Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Docs
- Quality updates – Use Intune to expedite Windows quality updates | Microsoft Docs
A point I like to highlight with customers about leveraging these policies is that, whether the user is in the office or remote, these policies will apply, since there is no dependency on an agent as you sometimes see with on-premises tools. This means admins have full control of the Windows Update experience on the Cloud PC.
#4: Improved productivity for end-users
What users get: MEM has introduced a variety of options for IT admins to not only provide end-users with a great update experience but also stay secure:
- User experience settings – https://docs.microsoft.com/en-us/mem/intune/protect/windows-update-settings#user-experience-settings
- Enforcing compliance deadlines for updates to keep the user up-to-date and secure – Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) – Windows Deployment | Microsoft Docs
- Cloud PCs are always on, making it easier to manage after hours, which means fewer interruptions for a user
It is important to highlight that this means organizations have the necessary control and flexibility over the experience each subset of their users is going to have.
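A planning check for the update ring deferral periods and compliance deadlines discussed above, as an added example that is not part of the original post: it computes, per ring, the latest date a quality update is enforced and compares it with a patch SLA, then prints the matching update ring settings. The ring names, day counts, release date and 14-day SLA are constructed; the property names are those of the Microsoft Graph `windowsUpdateForBusinessConfiguration` resource, and the timing formula is a simplified model for a device that stays online.

```powershell
# Added example: ring names, day counts, release date and SLA are constructed values.
$rings = @(
    [pscustomobject]@{ Name = 'Ring 0 - IT pilot';    Deferral = 0;  Deadline = 2; Grace = 1 }
    [pscustomobject]@{ Name = 'Ring 1 - Early users'; Deferral = 3;  Deadline = 3; Grace = 1 }
    [pscustomobject]@{ Name = 'Ring 2 - Broad';       Deferral = 10; Deadline = 5; Grace = 2 }
)

function Get-RingExposure {
    param(
        [Parameter(Mandatory)] $Ring,
        [Parameter(Mandatory)] [datetime] $ReleaseDate,
        [Parameter(Mandatory)] [int] $SlaDays
    )
    # Simplified planning model (assumption): the update is offered at
    # release + deferral and the restart is enforced no later than
    # offered + deadline + grace period.
    $worstCase = $Ring.Deferral + $Ring.Deadline + $Ring.Grace
    [pscustomobject]@{
        Ring         = $Ring.Name
        OfferedOn    = $ReleaseDate.AddDays($Ring.Deferral).ToString('yyyy-MM-dd')
        EnforcedBy   = $ReleaseDate.AddDays($worstCase).ToString('yyyy-MM-dd')
        ExposureDays = $worstCase
        WithinSla    = $worstCase -le $SlaDays
    }
}

function New-RingBody {
    param([Parameter(Mandatory)] $Ring)
    # Settings for one Intune update ring, expressed as a Graph
    # windowsUpdateForBusinessConfiguration body.
    @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Ring.Name
        qualityUpdatesDeferralPeriodInDays = $Ring.Deferral
        deadlineForQualityUpdatesInDays    = $Ring.Deadline
        deadlineGracePeriodInDays          = $Ring.Grace
    } | ConvertTo-Json
}

$release = [datetime]'2024-01-09'   # constructed release date
$sla     = 14                       # assumed internal limit, in days

# Report the exposure window per ring; a ring with WithinSla = False
# leaves devices unpatched longer than the SLA allows.
$rings | ForEach-Object { Get-RingExposure -Ring $_ -ReleaseDate $release -SlaDays $sla } |
    Format-Table -AutoSize

# Emit the ring definitions for review.
$rings | ForEach-Object { New-RingBody -Ring $_ }
```

With these constructed values the broad ring exceeds the SLA, which is the case to catch before the rings are assigned: shorten its deferral or deadline until the exposure fits.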
Differences between Reprovisioning and WUfB
To help us understand and compare what reprovisioning is, I created the following table which describes a few of the key differences between reprovisioning a Cloud PC and leveraging Windows Update for Business (WUfB) to update the OS on the Cloud PC. For additional information on what reprovisioning is and how to actually reprovision a Cloud PC, I recommend looking at the following documentation:
As you can see, reprovisioning is a much different administrative action but could potentially meet your organizational needs depending on the scenario. The biggest callout is that reprovisioning will give a user a fresh, new Cloud PC, which may be needed, while WUfB will simply update/patch the OS for the Cloud PC, such as moving from one feature build to another.
As you have probably noticed, one of the biggest benefits of Windows 365 Enterprise – Cloud PC is that it offers admins the ability and flexibility to remotely manage Cloud PCs from within the MEM portal. This means that when it comes to update management, there is no need to download, package or push out any feature update or quality update, while admins still have the necessary control over what is made available to the Cloud PC and when. I hope you found the above information helpful! Stay tuned for more tips and recommendations on Windows 365 Enterprise – Cloud PC.