This is the second post in a three-part series on topics surrounding Windows Intune client update behavior. The first post covered the overall client update process; this post will detail the available Updates policy settings and what effect these policy settings have on the client behavior.
First, let’s be clear on some terminology:
By default no policies are applied to clients, so the behavior is based upon the current settings state for the operating system that is installed on the computer. These settings could be the default for the operating system, manually configured, or applied via another policy mechanism such as Active Directory Group Policy. So the Windows Intune administrator cannot be confident in the state of these settings until configuring and deploying a policy. (Note: if you are applying both Windows Intune and Active Directory policies be sure to read the Windows Intune Online Help article for Planning Around Group Policy.)
The Updates Policy Settings are contained in the Windows Intune Agent Settings policy template, amongst settings for other features. The Windows Intune Online Help has a policy reference article that details the seven current policy settings in the Updates category, including the description, possible values, and the default/recommended value. I highly recommend reading this article first to understand these policy settings; I’m not going to rehash what’s already well documented there.
However, I do want to describe the relationship between these policy settings and the mandatory updates. As I mentioned in my previous post these updates are processed slightly differently from other software updates.
A few key points to emphasize:
So what’s the outcome behavior that your end users will see? The following examples assume a user is logged on. Remember, if no user is logged on the restart is automatic.
Coming Soon to Updates Policy…
With the Windows Intune December 2012 Release we are introducing a new Updates policy setting as well as some improvements to the client behavior.
The following new policy setting will reside with the other Updates policy settings in the Windows Intune Agent Settings template:
This policy setting determines whether the logged on user is prompted to restart Windows when the Windows Intune client agent mandatory update requires Windows to restart. This only applies to Windows Intune client agent mandatory updates.
Recommended Value: Yes
This new setting does not change any existing or default behavior; following the upgrade to our next release there will be no default change to client notification behavior. If you require a greater level of control over the notifications that your end users receive this setting can be deployed to silence the notifications due to mandatory updates. If you remember from my previous post in this series, WISDM signals WI-AU when a mandatory update requests a restart. This setting basically controls that signal; the process is the same otherwise (Agent Sync still runs on its schedule and mandatory updates are still downloaded and installed). So configuring this setting to “No” will result in no prompt displaying to users when a mandatory update requests a restart, but that also means the updated Windows Intune feature may not be available until Windows is restarted. You then need to trigger that necessary restart via some other mechanism (for example, by a scheduled update or remote task).
A few key points regarding this new setting:
We also made some changes to the client notification behavior in general. Now the primary notifications will occur in the Windows taskbar notification area with the Windows Intune Center icon. Here is an example flow of how this will look.
On Windows 8 clients the Windows Intune Center icon will change to reflect the need to restart, but there is no active notification like the balloon. Clicking the icon will bring up the notification window.
I hope this post impressed upon you the importance of reviewing the configuration of your policy settings and understanding how they will change the behavior of updates deployed in your organization. So now that you understand why mandatory updates need to happen, how they are affected by policies, and what happens when they request a restart, in the third and final post of this series I will delve into the when. Or at least what sort of notifications we provide so that you can receive advanced warning when mandatory updates are released.
Second sentence, first paragraph: "and what affect these policy settings have on the client behavior." Should be "effect".
A classic grammatical mistake, thanks for catching it. I found another one of a similar type that I corrected as well.
Thanks for the article! Quick question: if "Prompt user to restart Windows during Windows Intune client agent mandatory updates' is not configured at all, then does the machine automatically restart?
Hi Brian -
Not configuring this setting is functionally the same as configuring it with the 'Yes' value: the user will be notified. The only scenarios in which the machine will automatically restart is if a user is not logged on or a deadline has passed for another update that requires restart.