Windows Autopatch Groups user opt-in

Windows Autopatch Groups allows for easy staged rollouts of Windows updates, driver and firmware updates, and Office updates. You can populate the deployment rings in your Autopatch Group dynamically, or assign them statically to a group of your choice:

Both options are great to have and make it pretty easy to manage your monthly update rollouts: you have your “testers” that get updates faster than the rest.
My issue with that is that I can’t use user-based groups, and even if it were possible, it would mean all devices of my testers get added to the first ring. I want to give my users the choice of which of their devices should get updates faster. After all, even when they agree to help us by being early adopters, they may still need a device that survives the first deployment ring 🙂

Solution

To solve that issue, we can use something that I posted already a while ago: User driven Device Group Membership – Mike’s MDM Blog

Just adjust the text in the PowerShell script a little to match our goal, and use the resulting group as the static assignment for our Ring1:
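As an added example (this is not the script from the linked post, and not the blog's own code), here is a user-context opt-in script that adds or removes the device it runs on from the Ring1 group via Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is available in the user's scope, that the group object ID is a placeholder you replace, and that the testers are owners of the Ring1 group: delegated Graph scopes never exceed the signed-in user's own rights, so making testers group owners is what actually grants them the write, without any directory-wide role. The device ID is read from `dsregcmd /status`, which works for a standard user.

```powershell
# Added example, not the blog's original script. Lets the signed-in user add or remove
# the current device from the Autopatch Ring1 group. Runs in user context; no admin rights.
# Assumptions: Microsoft.Graph SDK installed (Install-Module Microsoft.Graph -Scope CurrentUser),
# $GroupId is a placeholder for the Ring1 group's object ID, and the user owns that group.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
param(
    [string]$GroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: Ring1 group object ID
)

function Get-LocalEntraDeviceId {
    # dsregcmd prints a "DeviceId : <guid>" line on Entra joined and hybrid joined devices
    $match = (dsregcmd /status) | Select-String -Pattern '^\s*DeviceId\s*:\s*([0-9a-fA-F-]{36})'
    if (-not $match) { throw 'This device is not Microsoft Entra joined; no DeviceId found.' }
    return $match.Matches[0].Groups[1].Value
}

# Delegated scopes: the user can only change groups they are allowed to change (e.g. as owner)
Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'Device.Read.All' -NoWelcome

$deviceId = Get-LocalEntraDeviceId
# Look up the directory object for this device (deviceId is the hardware-bound ID, Id is the object ID)
$device = Get-MgDevice -Filter "deviceId eq '$deviceId'" -ErrorAction Stop
if (-not $device) { throw "Device $deviceId was not found in Entra ID." }

# Check current membership from the device side so we do not enumerate the whole group
$isMember = (Get-MgDeviceMemberOf -DeviceId $device.Id -All).Id -contains $GroupId

if ($isMember) {
    $msg = "This device ($env:COMPUTERNAME) is currently in the early update ring (Ring1). Remove it?"
} else {
    $msg = "Add this device ($env:COMPUTERNAME) to the early update ring (Ring1)? It will receive Windows, driver, firmware and Office updates before other devices."
}

Add-Type -AssemblyName PresentationFramework
$choice = [System.Windows.MessageBox]::Show($msg, 'Autopatch Ring1 opt-in', 'YesNo', 'Question')
if ($choice -ne 'Yes') {
    Disconnect-MgGraph | Out-Null
    return
}

if ($isMember) {
    Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $device.Id
    [System.Windows.MessageBox]::Show('Device removed from Ring1. Autopatch will move it to its default ring on the next evaluation.', 'Autopatch Ring1 opt-in') | Out-Null
} else {
    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $device.Id
    [System.Windows.MessageBox]::Show('Device added to Ring1.', 'Autopatch Ring1 opt-in') | Out-Null
}
Disconnect-MgGraph | Out-Null
```

Two things worth keeping in mind with this design: a group owner who authenticates this way could also add devices other than the one in front of them by calling Graph directly, so it is an opt-in convenience for trusted testers rather than a hard boundary; and the group used here must be the one statically assigned to Ring1 in the Autopatch Group, otherwise membership changes have no effect on the rollout.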

We can deploy this PowerShell script as an available Win32 App to all of our testers, so they can re-launch it from the Company Portal whenever they want to add or remove one of their test devices. Since the script doesn’t need admin rights, we can run it directly from our Win32 App in the user context; there is no need to run it as SYSTEM, so we also don’t need something like ServiceUI.exe from the MDT to make its dialog visible. To let our users run it on demand via the Company Portal, we can again use something I posted a while ago: Run Applications in Intune Company Portal on Demand – Mike’s MDM Blog

Optional: Device branding

One last thing that I find quite helpful in our daily work: how can we easily identify which devices are in our early test deployment ring? It’s easy to see in Intune, just check the Group Membership tab, but what if we are remotely connected to the device, or even standing in front of it onsite? There are many ways to do this; if we already use something like BGInfo, we can add a value there to identify our devices. If we don’t have something like that in place, we can leverage a neat Windows-integrated way of watermarking our devices by setting a regkey under:

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DWORD DisplayVersion 1

This results in the white desktop watermark that you may remember seeing in safe mode or on Windows Insider builds:

We can deploy this regkey again via a simple script wrapped as a Win32 App, assigned as required to our test device group and as uninstall to all other devices. No custom detection is needed; we can use the regkey itself as the detection rule. This way all devices in Ring 1 show the watermark and all others don’t, so we can see at a glance whether a device is part of our test deployment ring.
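As an added example (not the blog's own script), a single install/uninstall script for that Win32 App. Unlike the opt-in script above it writes to HKLM, so it runs in the SYSTEM context. The detection rule it is paired with is an assumption, but it is the natural one: a registry rule on the same key, value `DisplayVersion`, DWORD equal to `1`. The script checks the same condition after writing so a failed write surfaces as a failed install instead of a device that silently lacks the watermark.

```powershell
# Added example, not the blog's original script. Toggles the desktop watermark regkey
# described above. Runs as SYSTEM from an Intune Win32 App.
# Install command   (assumption): powershell.exe -ExecutionPolicy Bypass -File .\Set-RingWatermark.ps1 -Mode Install
# Uninstall command (assumption): powershell.exe -ExecutionPolicy Bypass -File .\Set-RingWatermark.ps1 -Mode Uninstall
# Detection rule    (assumption): Registry, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows,
#                                 value DisplayVersion, Integer comparison, equals 1
param(
    [ValidateSet('Install', 'Uninstall')]
    [string]$Mode = 'Install'
)

$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$Name = 'DisplayVersion'

function Set-RingWatermark {
    param([bool]$Enabled)
    if ($Enabled) {
        # Creating (or overwriting) the DWORD makes Windows draw the build watermark on the desktop
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    elseif ($null -ne (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue)) {
        # Uninstall: remove the value entirely so the detection rule no longer matches
        Remove-ItemProperty -Path $Key -Name $Name -Force
    }
}

function Test-RingWatermark {
    # Mirrors the Intune detection rule, so install and uninstall verify their own result
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$Name -eq 1)
}

$wantEnabled = ($Mode -eq 'Install')
Set-RingWatermark -Enabled $wantEnabled

if ((Test-RingWatermark) -ne $wantEnabled) {
    Write-Error "Watermark state does not match requested mode '$Mode'."
    exit 1   # non-zero exit marks the Win32 App install/uninstall as failed in Intune
}
exit 0
```

One caveat for the install command: the Intune Management Extension launches Win32 App commands as a 32-bit process unless you point it at `%windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe`, and a 32-bit process writing under `HKLM\SOFTWARE` can be redirected to `WOW6432Node`, where the 64-bit detection rule and Windows itself will not see the value. Using the sysnative path keeps the script, the detection rule and the watermark all looking at the same key.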

Conclusion

While Autopatch Groups already gives you a lot of options by default with static groups and dynamic staged rollouts, combining it with a little customization can make it a really powerful solution for managing all your update needs.
