ILTA WHITEPAPER | TECH SOLUTIONS 7
for controlling a progressive rollout to deployment rings while letting the
Microsoft CDN host the actual content. These policies, particularly in Intune,
provide more than just deferrals for staged rollout; they also provide numerous
end user experience settings related to both the installation of the updates and
the required reboots.
Intune policies now also provide a means of targeting specific Windows
10 versions to users, so if you have a fleet of systems on older 1803 or 1809
builds and want to upgrade them to 1903, you can do so even though it's not the
latest release.
While deferring to Microsoft to host content helps ensure clients can be
properly updated no matter where they are, it doesn't mean all machines go directly
to the CDN for that content. Microsoft has integrated Delivery Optimization
into the Windows 10 OS to provide secure peer-to-peer distribution of content.
This doesn't mean that your CTO's laptop will be randomly chosen to provide
a 5GB Windows 10 Feature Update to a thousand systems at your firm while
they're giving a presentation and on 45% battery; the Delivery Optimization
feature has an extensive list of settings that can be controlled by policy (via
Group Policy or Intune) to ensure optimal performance.
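The Delivery Optimization policy settings mentioned above can be audited on a device before you trust peer-to-peer distribution in a ring. The script below is an added example, not part of the whitepaper; it reads the Group Policy registry path for Delivery Optimization (and, as an assumption, the MDM PolicyManager path Intune writes to) and flags a download mode or battery setting that would let a machine serve peers more widely than intended.

```powershell
# Added example (not from the whitepaper): audit effective Delivery Optimization policy.
# Group Policy ADMX settings land here; the second path is assumed to hold MDM (Intune) values.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
)

# Friendly names for the DODownloadMode values
$downloadModes = @{
    0 = 'HTTP only (no peering)'; 1 = 'LAN peering only'; 2 = 'Group peering'
    3 = 'Internet peering';        99 = 'Simple (no DO cloud service)'; 100 = 'Bypass (BITS only)'
}

function Get-DOPolicyValue {
    # Return the first configured value for $Name across the known policy paths, or $null.
    param([string]$Name)
    foreach ($path in $policyPaths) {
        $props = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $props) { return $props.$Name }
    }
    return $null
}

$mode    = Get-DOPolicyValue 'DODownloadMode'
$battery = Get-DOPolicyValue 'DOMinBatteryPercentageAllowedToUpload'

[pscustomobject]@{
    'Download mode'                 = if ($null -eq $mode) { 'not configured (Windows default)' } else { $downloadModes[[int]$mode] }
    'Min battery % to upload'       = if ($null -eq $battery) { 'not configured' } else { $battery }
    'Max background bandwidth KB/s' = Get-DOPolicyValue 'DOMaxBackgroundDownloadBandwidth'
    'Max cache age (s)'             = Get-DOPolicyValue 'DOMaxCacheAge'
    'Min RAM to peer (GB)'          = Get-DOPolicyValue 'DOMinRAMAllowedToPeer'
} | Format-List

# Checks a ring owner would want before enabling peering at scale
if ($mode -eq 3) {
    Write-Warning 'Download mode 3 allows peering with Internet hosts; prefer LAN (1) or Group (2) inside the firm.'
}
if ($null -eq $battery -or [int]$battery -eq 0) {
    Write-Warning 'No battery threshold set: a laptop on battery may upload content to peers.'
}

# Live view of what the service has actually done on this device (Windows 10 1709 or later)
Get-DeliveryOptimizationPerfSnap -ErrorAction SilentlyContinue | Format-List
```

Run it in an elevated PowerShell session on a pilot-ring device; the warnings are the settings to revisit in the Intune or Group Policy object before the policy reaches the broad ring.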
As mentioned previously, Intune Endpoint Protection policies can be
used to encrypt devices with BitLocker and report encryption status. This
allows for storing recovery keys in Azure AD which can then be retrieved
by the end user or by IT, and the keys can be rotated after use for added
Figure 2 Windows Update end user experience settings in Intune
Figure 3 Sample Windows 10 Feature Update policy in Intune