Intune Patching Audit Plan
Audit Purpose: To ensure all Intune-managed devices are fully patched without issues.
When: Update Ring audits should occur on the 2nd, 3rd and 4th Friday of every month. Intune patching group memberships should be audited every 6 months.
Who: Sr Desktop Support Analyst and Support Services Manager
Conducting the Update Ring Audit:
Sign into Microsoft Endpoint Manager admin center
Select Devices > Monitor > under Software Updates choose Per ring deployment state > then choose the update ring you wish to audit.
From here you’ll see two pie graphs, one for users and one for devices, each split into Succeeded, Error, Conflicts, Pending, and Not applicable. Click a segment within the ring to pull the list of devices that were not patched successfully and begin the troubleshooting steps below.
Conducting the Intune Patching Group Audit:
Pull reports from Active Directory of all current users and verify that each user is a member of an Intune patching group. We also want to make sure that users are evenly distributed between Groups 2 and 3.
Reminder: Management of the groups is done on Active Directory, not Intune.
Troubleshooting Steps:
-Verify that Windows Update on the device in question is being managed by MDM.
Go to Settings > Update & Security > Windows Update > Advanced options > and click View configured update policies. Under each policy you should see a Type field: if it displays Mobile Device Management, the policy is controlled by Intune. If it shows Group Policy instead, it does not matter what update policy you configure in Intune; the applied policy and the observed behavior will still be whatever is configured via Active Directory, and it should be changed from there.
-Conflicted devices typically mean the user has been assigned to two patch groups. Check the user’s group membership in Active Directory and remove one of the groups.
-Not Applicable means the user has signed into a co-managed device, and the SCCM removal PowerShell script should be run.
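The following PowerShell script is an added example, not part of the original audit plan, that automates the patching group audit above (users missing from every group, distribution across groups) and the Conflicts check from the troubleshooting steps (users in more than one group). It assumes the RSAT ActiveDirectory module is installed and that the three group names below are placeholders to be replaced with the real Intune patching group names.

```powershell
# Added example for the Intune patching group audit (not the original plan's own tooling).
# ASSUMPTIONS: RSAT ActiveDirectory module is available; the group names below are
# placeholders and must be replaced with the real Intune patching groups in AD.
Import-Module ActiveDirectory

$PatchGroups = @('Intune-Patching-Group1', 'Intune-Patching-Group2', 'Intune-Patching-Group3')

# Enabled user accounts: each should belong to exactly one patching group.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties SamAccountName

# Map SamAccountName -> list of patching groups the user belongs to,
# and record the member count per group for the distribution check.
$Membership = @{}
$Counts = [ordered]@{}
foreach ($Group in $PatchGroups) {
    $Members = @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    $Counts[$Group] = $Members.Count
    foreach ($m in $Members) {
        if (-not $Membership.ContainsKey($m.SamAccountName)) {
            $Membership[$m.SamAccountName] = @()
        }
        $Membership[$m.SamAccountName] += $Group
    }
}

$Missing   = @()   # users in no patching group: they never receive an update ring
$Conflicts = @()   # users in two or more groups: these show up as Conflicts in the ring report
foreach ($u in $Users) {
    $Groups = $Membership[$u.SamAccountName]
    if (-not $Groups) {
        $Missing += $u.SamAccountName
    } elseif ($Groups.Count -gt 1) {
        $Conflicts += [pscustomobject]@{ User = $u.SamAccountName; Groups = ($Groups -join ', ') }
    }
}

"== Enabled users in no patching group (add to a group in AD) =="
$Missing
"== Users in more than one patching group (remove one group in AD) =="
$Conflicts | Format-Table -AutoSize
"== Members per group (check Groups 2 and 3 are roughly even) =="
$Counts.GetEnumerator() | Select-Object Name, Value | Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that can read group membership; fix the findings in Active Directory, not in Intune, as the reminder above states.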