Troubleshooting Of Windows Ring for update

Last updated by | Manish Kumar | Oct 17, 2022 at 6:52 AM EDT

Contents
• Article Overview:
• Procedure:
• Prerequisites:
• Understanding Windows Update Ring Policies
• Verifying Windows Update Ring Settings on a Target Device
• Check the policy deployment status in the Intune Portal
• Verify that update policy are managed by MDM
• Verify if Services are running
• Verify that the Registry keys are properly configured
• Check the MDM diagnostics report
• Troubleshooting Issues Relating to Windows Update Ring …
• Places to check In Event Viewer
• Quick checks in ODC
• Additional Information;
• How to Turn on Telemetry
• How to Enable Windows Health Monitoring
• Impacts:
• More Information:

TAGS: Windows Update rings troubleshooting

Article Overview:
This article will guide you through how to troubleshoot Windows ring policy Update cases.

Customer Approach: Once you followed the KB about the windows update ring policy and still facing some
issues, this kb will help you to determine its probable root cause. Make sure to have the ODC logs with you.

Procedure:
When deploying Windows Update Ring policies to Windows 10 devices using Microsoft Intune, if you ever
encounter an issue, it’s important that you first determine whether the issue is Intune-related or Windows-
related so that you can focus your troubleshooting efforts in the right place.

As part of that, a key question is whether the Intune policy has been successfully deployed to the target
device. Before I jump into that, however, let's first get a basic understanding of Windows Update Rings and
what their purpose is.

Prerequisites:
Make sure you followed our KB on the Windows update ring policy
Is the Update Health Tools installed ?​

If it's not installed download from this link https://www.microsoft.com/enus/download/details.aspx?

id=103324

Check windows health monitoring scope:

Confirm if windows update and update health services are not disabled. Open PowerShell with admin
credentials and run

Get-Service | Where-Object {($_.Name -eq “wuauserv” -or $_.Name -eq “uhssvc”)} | fl

 Telemetry needs to be turned on. Must have a non-0 value. ​If its zero, here is how to configure

Safeguard holds prevents devices with a known compatibility issue from being offered​a new Windows
10 feature update by using Windows Update. ​
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\AppCompatFlag
s\Appraiser\GWX

Gstatus must not be 0.

Windows Health Monitoring: be sure to set the Scope to Windows updates.​

This is used mainly for telemetry and reporting. No Intune portal reports without it. ​

Understanding Windows Update Ring Policies

Sometimes there can be a misunderstanding that Intune provides a cloud-based update service like WSUS
from which clients can download updates and hotfixes. This is not entirely accurate, however, as Windows
Update Ring policies only define an update strategy (e.g. block driver installation, set deferral period, set
maintenance time, etc.), they don’t actually provide the update infrastructure itself.

Think of it as being analogous to certain Group Policies for Windows Update deployed from your on-
premises Active Directory. This means that you still need to use your existing update solution such
as Windows Update or WSUS to obtain the actual updates.

NOTE You can find more information in Windows Update Rings here: https://docs.microsoft.com/en-
us/intune/windows-update-for-business-configure .
*
Windows Update Ring policies make use of the Windows Policy CSP to configure the update policies on the
Windows clients. Once Intune deploys the Windows Update Ring policy to an assigned device, Policy CSP
will write the appropriate values to the Windows registry to make the policy take effect. So now that we
know what these policies do, let’s look at how we can verify if the Windows Update Ring settings have been
successfully applied.

Verifying Windows Update Ring Settings on a Target Device

Let’s begin by assuming that you have deployed a Windows Update Ring policy with the settings shown
below:

How do we confirm that the settings have been applied to the targeted device? There are a few different
ways we can do that. Typically, the status in the portal is sufficient but others are explained should you find
them helpful when troubleshooting related issues.

Check the policy deployment status in the Intune Portal

The first thing you should always do is check the status of the policy in the Intune Portal:
As you can see above, everything looks good and is reporting a success. However, if there are issues or you
simply want confirmation, you can also verify the settings on the target device itself and we’ll go through
how to do that below.

Verify that update policy are managed by MDM

On the targeted Windows 10 device, go to Settings -> Updates and Security -> Windows Update -> Advanced
Options:

For windows 11: Settings -> Updates and Security -> Windows Update -> Advanced Options -> Configured
update policies
Click View configured update policies, then verify that the policy type is Mobile Device Management:

This confirms that the update policies are configured by our MDM solution, which in this case is Microsoft
Intune. However, it's possible that update policy is coming from the on-premises Active Directory, in which
case we would see Group Policy as the policy type:

If this is the case, it doesn't matter if the update policy you configure in Intune, the applied policy and the
observed behavior on windows is still going to be whatever is configured via Active Directory. So remove the
policy from Group Policy.

Verify if Services are running

Do check if the following services are running on windows devices or not.

Update Session Orchestrator – This service set the sequence of downloading and installing updates. It
schedules the scan, and verifies admin policies for download.
 Microsoft Sign-in Assistant – Make sure this service is running

Verify that the Registry keys are properly configured

If the Windows Update Ring policies are successfully deployed by Intune to the target device, you will be
able to see those settings in the Registry
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update.

Here’s an example:

These values are configured by the Windows Policy CSP that is conferred in windows update ring policy so
you can verify that the values of the keys match the settings specified in your Update Ring policy. For more
information on each of these see https://docs.microsoft.com/en-us/windows/client-
management/mdm/policy-csp-update .

Check the MDM diagnostics report

Another option is to capture and view an MDM diagnostic report from a targeted device and see if you can
find the Windows Update Ring policy in it. If you can see the policy settings in the report, this is another
indication that the policy was successfully deployed. The Microsoft Helps video below explains how to
capture an MDM diagnostic report from a Windows device.

Troubleshooting Issues Relating to Windows Update Ring Policy

At this point we have a pretty good idea how to confirm that our Windows Update Ring policy is being
successfully deployed, but what do you do if they’re not? Here are a few things to check:

Is the device properly enrolled into Microsoft Intune? If not, you’ll need to address that before
troubleshooting anything specific to the policy.
Is there an active network connection on the device? If the device is in airplane mode, or it’s turned
off, or if the user has the device in a location with no service, the policy will not apply until network
connectivity is established.
Have you deployed the Windows Update Ring policy to the correct device group? Be sure to
double check that the correct devices really is in that group. This is an easy one that often gets
overlooked.
Does the deployment of the entire policy fail, or is it that only certain settings are not being
applied? If you find yourself faced with a scenario like this where only some policy settings are failing,
below are some more things you can check.

The first thing to do is verify that the setting is supported by the Windows version of the target device. To
give you an example, I recently worked with a customer who deployed a Windows Update Ring policy but
there was an error in the Intune Portal for Block user from scanning for Windows updates:

We started by checking to see what exactly the setting did and what the version requirements were. With a
quick check of the doc here , we saw that this is implemented by Policy CSP Update/SetDisableUXWUAccess:
By further checking the Windows reference documentation at https://docs.microsoft.com/en-
us/windows/client-management/mdm/policy-csp-update#update-setdisableux... , we could see that the
failed setting is only supported for Windows 1809 and above:

Armed with that information, we then verified that the effected devices were running Windows 1803 and
could then confirm that the issue disappeared once the device was upgraded to 1809.

As was the case here, if you can see that the Windows update policy type is set to Mobile Device
Management and the registry key values are correct, it’s usually safe to assume that the problem is not
directly related to Intune, but more likely an issue with the Windows client or an associated configuration in
the environment. This means you need to start looking in other areas like:

The Windows OS version on the target device.

If and how Windows Update is configured.
If and how WSUS is configured.

Places to check In Event Viewer

Event Viewer – Applications and Services – Microsoft – Windows – Device Management Enterprise
Diagnostics - Admin​

You should see the policy being deployed successfully. ​

 Event Viewer – Applications and Services logs – Microsoft – Windows – Windows Update Client​

You might find errors which could point you in the right direction. ​

Quick checks in ODC

https://aka.ms/IntuneODC collects numerous helpful information regarding Windows Updates: ​

ODC will also contain the information we have checked previously – Registry keys, Event Viewer logs, and
more.​

Intune\EventLogs\Event Log\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx​

Intune\Commands\Windows Update\Update_History.txt - list of installed updates and the success or

failure status codes​

Intune\Commands\Windows Update\WindowsUpdate.log - decoded Windows Update Log​

Intune\Commands\Windows Update\Windows_Updates_Debug.txt - enumeration of WU WMI classes. ​

Helpful to see the exit status of WU service and return codes from install attempts, as well as to see WU
settings.​

Intune\RegistryKeys\Registry\REG_SW_Microsoft_PolicyManager.txt - contains Windows Update policy

settings

Additional Information;
How to Turn on Telemetry
Login to Intune Portal
Go to Devices > Windows > Configuration Profile > Create Profile
Platform – Windows 10 and later
Profile Type – Templates
Select Device Restriction and click create

Name Your Profile and enter description (optional) and Click Next
Scroll Down to Reporting and Telemetry
Set Share Usage data to Required
Click Next
Select Scope tag if user has otherwise click next
In Assignment, assign the device group that was assigned to quality, feature and ring update or target
any group but make sure affected device should be included in the group
Click Next, Next, and Create.

How to Enable Windows Health Monitoring

Login to Intune Portal
Go to Devices > Windows > Configuration Profile > Create Profile
Platform – Windows 10 and later
Profile Type – Templates
Scroll down and click Windows health monitoring.
Select Create.
Name Your Profile and enter description (optional) and Click Next
In Configuration settings, configure the following settings:
For Health monitoring, set this value to Enable from drop down.
By enabling, Event information is collected from the devices, and sent to Microsoft for analytics and
insights.
For Scope, select Windows update, as we wanted to get information on windows updates.
Click Next
Select Scope tag if user has otherwise click next
In Assignment, assign the device group that was assigned to quality, feature and ring update or target
any group but make sure affected device should be included in the group
Click Next, Next, and Create.

Impacts:
This will help you to troubleshooting most of the windows update ring policy but even if you don’t find
anything, feel free to reach out your NT
More Information:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-windows-
10-update-ring-policies/ba-p/714046

Created/Updated Created/Updated Approved

Version Tags
by On By

Ian Windows Update rings

Manish Kumar 18- March- 2022 1.0
Whitehill troubleshooting