Windows Intune: Groups and Updates

This is part of an ongoing series about Windows Intune. This week will focus on groups and updates.


In Intune, groups work similarly to collections in SCCM. You can group devices and users for various tasks, such as organization or deployment of software. Just like with collections in SCCM, membership can be based on criteria (similar to queries) or direct adds. Groups can be added under the All Users or All Groups nodes. One difference between Intune and SCCM is that you cannot divide groups into sub-folders.


To create a group, click “Create Group” from the tasks section. Give your group a name, and select a parent group. Just as with SCCM, groups can only contain either users or devices, not both; which parent group you select will determine which type of group this is. I am going to create a device group.


Next, we can define criteria for this group. This will make the group dynamic, meaning that when a device fits the criteria, it will be added to the group. Two functions to look at here are the “Device Type” and “Start group membership with” boxes. The device type box defines if this group has computers or mobile devices. Next, start group membership tells the system if you want all of the devices from the parent group included with this group. Next, we can define which organizational units or domains make up this group. Currently, that is all of the criteria that can be selected.

Next, the direct membership screen allows us to directly add devices to a group. Define this as needed. Next, you can see a summary of what was selected and finally create the group.


I can now see the status of my new group by clicking on it. You can also see the devices in this group by clicking “Devices”.



The update function works similarly to a standard WSUS infrastructure. Administrators can use this screen to approve updates for their clients. The first step is defining what products we want to update. Most of this is limited to Windows-based devices. To begin defining products, click “Select Classifications and Products” from the tasks screen. You should get a screen similar to this:


Go through this screen and define everything that your organization needs. If you have seen SCCM or WSUS before, this list should be pretty familiar. At the bottom of the screen you are allowed to set up automatic approval rules. Define these as needed for your organization.

After setting up what update classifications and products you need, select a category, such as “Critical Updates”. You should get something that looks like this:


This is listing of all of the updates available for approval. When you select one, you notice that the description, publisher, KB article, and information about the OS for this update appears. At the top of the windows, you can also a filter that can be helpful, especially since I am currently seeing 1000+ updates. Seeing that many updates illustrates the point of only searching for what you need, so if you see a large number, go back and redefine your list of products.

After you find an update that needs to be deployed, select it (or multiple updates) and click on the “Approve” button at the top. You will be asked which group to deploy it too. After that, you can define whether to install it required or available, and also define a deadline.


At the bottom, you are also given information about whether or not the update requires a restart:


After you have defined approval and deadline, click Finish to deploy the update. After approval, you can check and see that it has been changed to approved:



All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistant.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.