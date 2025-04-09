Microsoft has been making gradual improvements related to Windows updates for managed PCs. For example, back in May 2024, it introduced the ability to make feature update downloads optional, this means that they would no longer be forced onto users immediately. And to make systems more secure, earlier this year, Microsoft allowed devices to install quality updates and security patches during the OOBE with the introduction of new mobile device management (MDM) and group policy.

Today, in a new blog post, Microsoft has published a detailed step-by-step guide on how to troubleshoot feature update troubles on Windows 10 and 11 via Intune. Penned by Luke Ramsdale, a Senior Security Customer Escalation Engineer at the Microsoft Intune department, the guide is quite thorough as it walks you through all the steps one at a time.

Remember the recent checklist of things Microsoft released for devices that can't update to Windows 11? This guide is similar to that, as it is also a sort of checklist that IT admins can follow to help them fix or work around feature update problems.

It starts with confirming the prerequisites, and these include things like an Intune license, a supported Edition, Windows diagnostic data collection, among others. This is followed by update ring considerations, ways of dealing with conflicting feature update policies, and accounting for safeguard holds, like the recent example of the SenseShield software incompatibility block placed on Windows 11 24H2.

Finally, after all these considerations are made, Microsoft has explained how administrators can proceed with the troubleshooting part from the Intune admin center using the Windows feature update report.

Additionally, the guide has also highlighted how troubleshooting is possible from the client side too. At the end of the guide, the tech giant has provided a quick summary or TL;DR of everything it has gone through. Microsoft writes:

This blog covered many aspects of troubleshooting feature updates, here are the key points: Make sure the prerequisites are in place. It’s important to emphasize that implementing the prerequisites for feature updates is important to ensuring a smooth feature update deployment. Take time to ensure that these are configured correctly as this is especially important for reporting.

In more complex environments with Microsoft Entra hybrid joined devices, it’s important to ensure that there are no conflicting settings deployed from multiple sources, for example, having GPO settings, Microsoft Configuration Manager update policies, and conflicting Intune update policies deployed. Try to ensure that update policies are deployed from only one source. If multiple sources must be used, consider using the scan source group policy.

It’s possible to interact with Windows Autopatch using PowerShell cmdlets and Graph APIs. This provides insight into a tenant's configuration, but it’s not a requirement as Intune will configure this for you using feature update and update ring policies.

Note : It’s also important to understand that the Intune configured Windows Update client policies will not be visible via the PowerShell cmdlets or Graph APIs.

Take note of whether safeguard holds are applied to specific device models, checking the feature update failures report will assist with identifying these.

The device side event logs, Windows update logs, MDM diagnostics report, and registry values are all important sources for trying to narrow down why a device isn’t installing a feature update, or if a feature update was unexpectedly not installed or installed.

Collecting diagnostics from affected devices will gather the relevant logs and data required for troubleshooting, this is important to gather if a support request is opened.

You can read the guide in its full glory on the blog post here on Microsoft's official Tech Community website.