Windows Intune: Groups and Updates

This is part of an ongoing series about Windows Intune. This week will focus on groups and updates.


In Intune, groups work similarly to collections in SCCM. You can group devices and users for various tasks, such as organization or deployment of software. Just like with collections in SCCM, membership can be based on criteria (similar to queries) or direct adds. Groups can be added under the All Users or All Groups nodes. One difference between Intune and SCCM is that you cannot divide groups into sub-folders.


To create a group, click “Create Group” from the tasks section. Give your group a name, and select a parent group. Just as with SCCM, groups can only contain either users or devices, not both; which parent group you select will determine which type of group this is. I am going to create a device group.


Next, we can define criteria for this group. This will make the group dynamic, meaning that when a device fits the criteria, it will be added to the group. Two functions to look at here are the “Device Type” and “Start group membership with” boxes. The device type box defines if this group has computers or mobile devices. Next, start group membership tells the system if you want all of the devices from the parent group included with this group. Next, we can define which organizational units or domains make up this group. Currently, that is all of the criteria that can be selected.

Next, the direct membership screen allows us to directly add devices to a group. Define this as needed. Next, you can see a summary of what was selected and finally create the group.


I can now see the status of my new group by clicking on it. You can also see the devices in this group by clicking “Devices”.



The update function works similarly to a standard WSUS infrastructure. Administrators can use this screen to approve updates for their clients. The first step is defining what products we want to update. Most of this is limited to Windows-based devices. To begin defining products, click “Select Classifications and Products” from the tasks screen. You should get a screen similar to this:


Go through this screen and define everything that your organization needs. If you have seen SCCM or WSUS before, this list should be pretty familiar. At the bottom of the screen you are allowed to set up automatic approval rules. Define these as needed for your organization.

After setting up what update classifications and products you need, select a category, such as “Critical Updates”. You should get something that looks like this:


This is listing of all of the updates available for approval. When you select one, you notice that the description, publisher, KB article, and information about the OS for this update appears. At the top of the windows, you can also a filter that can be helpful, especially since I am currently seeing 1000+ updates. Seeing that many updates illustrates the point of only searching for what you need, so if you see a large number, go back and redefine your list of products.

After you find an update that needs to be deployed, select it (or multiple updates) and click on the “Approve” button at the top. You will be asked which group to deploy it too. After that, you can define whether to install it required or available, and also define a deadline.


At the bottom, you are also given information about whether or not the update requires a restart:


After you have defined approval and deadline, click Finish to deploy the update. After approval, you can check and see that it has been changed to approved:




Written by , Posted .