
Why aren’t my Intune-managed Windows devices receiving feature updates?

Steffen Schwerdtfeger

Intune provides various options for managing Windows feature updates. However, troubleshooting can become complex due to the involvement of both client and server sides. This article offers an overview of the management options, along with technical background information like updatable assets and troubleshooting tips.


Intune management options

When designing your Windows Update for Business architecture, the most important policies you will find in Intune are:


  • Windows update rings

  • Windows feature updates


Common scenarios are using update rings only or a combination of both (set “Feature update deferral period” to “0” in the update ring and let the feature update policy manage the desired major Windows version). From a technical point of view, it is important to understand what is happening in the background:


  • Windows update rings: Basically, an update ring contains settings that are applied on the local device (like GPOs). You will see them in Windows settings as “Configured update policies”. So, a device contacts the Windows Update service and filters whether the offered updates are applicable (e.g. based on the deferral period).


  • Windows feature updates: Feature update policies use the Windows Update for Business deployment service, which offers applicable updates to devices. So, a feature update policy uses the server side to control updates and does not push settings down to your local device (unlike the update ring).


Updatable Assets

When you create a feature update policy, the assigned devices are onboarded to the Windows Update for Business deployment service. In the background, each device is represented as an “updatableAsset”, which can be checked via Graph API:

GET https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/{updatableAsset-id}

The {updatableAsset-id} is equal to the Entra ID device ID. As an example, let’s grab a device that is assigned to a feature update policy and use Graph Explorer to check the status.



So, this device is onboarded with a policy. By the way, quality and driver update policies are using the same mechanism. States you might also see in the field are “notEnrolled” (normally the case when you just use Windows update rings) or “enrolling”. If the device cannot be found, it is not onboarded at all.


One of the most important things you should know: “When a device is no longer assigned to any feature update policies, the device remains enrolled in the deployment service”, as stated in "Feature updates for Windows 10 and later policy in Intune." If you’ve used a feature update policy just temporarily and switched back to update rings only, the devices will not receive feature updates any more as they are still managed via the updatableAssets. To remove a device from this management, you have two options:


  • unenroll device from Intune (suitable for phase out)

  • delete the onboarding via Graph API


Offboard device from updatableAssets

To offboard a device completely, just run a DELETE. Note that this also offboards quality and driver updates:

DELETE https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/{updatableAsset-id}

To offboard only feature update management, the Graph API offers:

POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets

Body:
{
    "updateCategory": "feature",
    "assets": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "{updatableAsset-id}"
        }
    ]
}

Status from 29.01.2025: It should return "202 Accepted". Currently, I'm getting "204 No Content". The offboarding API for dedicated enrollments might have changed.
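The lookup and the feature-only offboarding above can be scripted. This is an added example, not code from the original article; it assumes the Microsoft.Graph.Authentication module, the delegated permission WindowsUpdates.ReadWrite.All, and a placeholder device ID, and the function names are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: inspect a device's updatableAsset record and unenroll it
# from feature update management only (quality/driver enrollment is untouched).
$BaseUri = 'https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets'

function Get-UpdatableAsset {
    param([Parameter(Mandatory)][guid]$DeviceId)    # Entra ID device ID
    $status = $null
    $asset = Invoke-MgGraphRequest -Method GET -Uri "$BaseUri/$DeviceId" `
        -SkipHttpErrorCheck -StatusCodeVariable status -OutputType PSObject
    if ($status -eq 404) { return $null }            # device is not onboarded at all
    if ($status -ne 200) { throw "GET updatableAsset returned HTTP $status" }
    return $asset
}

function Remove-FeatureUpdateEnrollment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][guid]$DeviceId)
    # Same request body as shown in the article.
    $body = @{
        updateCategory = 'feature'
        assets         = @(@{
            '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'
            id            = "$DeviceId"
        })
    } | ConvertTo-Json -Depth 4
    if (-not $PSCmdlet.ShouldProcess("$DeviceId", 'unenrollAssets (feature)')) { return }
    $status = $null
    $null = Invoke-MgGraphRequest -Method POST -Uri "$BaseUri/unenrollAssets" `
        -Body $body -ContentType 'application/json' `
        -SkipHttpErrorCheck -StatusCodeVariable status
    # The article expects 202 but observes 204; accept both, fail on anything else.
    if ($status -notin 202, 204) { throw "unenrollAssets returned HTTP $status" }
    return [int]$status
}

Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All'
$deviceId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with a real device ID
$asset = Get-UpdatableAsset -DeviceId $deviceId
if ($null -eq $asset) {
    "Device $deviceId is not onboarded to the deployment service."
} else {
    $asset | ConvertTo-Json -Depth 6                  # review the enrollment state first
    Remove-FeatureUpdateEnrollment -DeviceId $deviceId -WhatIf   # drop -WhatIf to execute
}
```

Run the lookup again after the unenroll call to confirm the enrollment state has changed before you rely on the update ring alone.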


Client side

Besides settings from update rings, there are additional blockers that might stop devices from installing feature updates:


  • Safeguard holds: This is a marker that temporarily prevents devices from receiving new feature updates. It is based on known issues reported by customers, partners or Microsoft internal validation, so that devices do not encounter problems during the update process. Each hold gets a unique ID. To check details, the Windows release health dashboard > Known issues is worth a look.

    • Example: Windows 11, version 24H2

      • “Some devices that have Dirac Audio with cridspapo.dll might lose audio output” is assigned to safeguard ID: 54283088.

  • Upgrade Experience Indicators: This marker summarizes known compatibility issues by flagging them with “Red”, “Orange”, “Yellow” or “Green”.


In summary, check the following on the client side:


  • Update ring settings: Is a deferral period preventing a feature update from being in scope?

    • Check via Intune or Windows settings > Windows Update > Advanced options > Configured update policies.

  • Safeguard hold: Does the device have an active safeguard hold?

    • Check via Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\

      • You will find subkeys (folders) for higher feature update versions.

      • Watch out for “GatedBlockId”. If there is an ID listed, search the web for more details.

  • Upgrade Experience Indicators: Does the device have a red, orange or yellow flag?

    • Check via Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\

      • You will find subkeys (folders) for higher feature update versions.

      • Watch out for the status of “UpgEx” and "RedReason".
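Both registry checks can be done in one pass over the target-version subkeys. This is an added example, not code from the original article; the function name is hypothetical, and treating an empty or "None" GatedBlockId as "no hold" and any UpgEx other than "Green" as a flag are assumptions.

```powershell
# Added example: report safeguard holds and Upgrade Experience Indicators
# for every target version listed under the key named in the article.
$Root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators'

function Get-FeatureUpdateBlocker {
    param([string]$Path = $Root)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    foreach ($key in Get-ChildItem -LiteralPath $Path) {
        # Values missing from a subkey simply come back as $null.
        $p     = Get-ItemProperty -LiteralPath $key.PSPath
        $gated = "$($p.GatedBlockId)".Trim()
        $upgEx = "$($p.UpgEx)".Trim()

        # Assumption: an empty value or 'None' means no safeguard hold is active.
        $hasHold = ($gated -ne '') -and ($gated -ne 'None')
        # Assumption: anything other than 'Green' (Red, Orange, Yellow) needs a look.
        $flagged = ($upgEx -ne '') -and ($upgEx -ne 'Green')

        [pscustomobject]@{
            TargetVersion = $key.PSChildName
            GatedBlockId  = $gated
            UpgEx         = $upgEx
            RedReason     = $p.RedReason
            NeedsReview   = $hasHold -or $flagged
        }
    }
}

# Show all target versions, those needing attention first.
Get-FeatureUpdateBlocker | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```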


Conclusion

Check the following if your clients are not receiving feature updates:


  • Server side: Is the device managed by a feature update policy?

    • Yes: Verify if the desired version is selected and check updatableAssets if the device is “enrolledWithPolicy”. Proceed with the client side.

    • No: Check if the device is still managed via updatableAssets. If so, remove the onboarding.

  • Client side:

    • Review Update ring settings.

    • Check for Safeguard holds.

    • Check the Upgrade Experience Indicators.


Also be careful when removing devices from feature update policies, as the onboarding is sticky, which requires manual offboarding via Graph API.

2 Comments


s
Feb 04

Curious can a device belong to an Update ring and a Windows features update? Wondering in our scenario if that could be causing the issue or conflict. What if the Ring is deferred to 60 days and then the WFU is trying to perform the update (i.e. 23H2 to 24H2). Just curious how the Update ring should be configured?

Steffen Schwerdtfeger
Feb 04

Normally, you will use both. But, when using feature update policies please set “Feature update deferral period” to “0” in the ring. Otherwise, the deferral might delay the feature update on the client-side.
