管理軟體更新Manage software updates

適用對象:Azure 入口網站的 IntuneApplies to: Intune in the Azure portal
您需要傳統入口網站的 Intune 相關文件嗎?Looking for documentation about Intune in the classic portal? 請移至這裡Go here.

「Windows 即服務」是更新 Windows 10 裝置的方式。Windows as a Service is the way to update Windows 10 devices. 使用 Windows 10,新的「功能更新」和「品質更新」會包含所有先前更新的內容。With Windows 10, new Feature Updates and Quality Updates contain the contents of all previous updates. 這表示只要您安裝了最新的更新,就能確定您的 Windows 10 裝置已更新至最新版。This means that as long as you've installed the latest update, you know that your Windows 10 devices are up-to-date. 不同於舊版 Windows,您現在必須安裝整個更新而不是部分更新。Unlike with previous versions of Windows, you now must install the entire update instead of part of an update.

使用商務用 Windows Update,可以簡化更新管理體驗,因此您不需要核准裝置群組的個別更新。By using Windows Update for Business, you can simplify the update management experience so that you don’t need to approve individual updates for groups of devices. 只要設定更新首度發行策略,您還是可以管理環境中的風險,Windows Update 會確保在適當的時間安裝更新。You can still manage risk in your environments by configuring an update rollout strategy and Windows Update makes sure that updates are installed at right time. Microsoft Intune 可讓您在裝置上設定更新設定,並可讓您延後更新的安裝。Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer update installation. Intune 不會儲存更新,只會儲存更新原則指派。Intune doesn’t store the updates, but only the update policy assignment. 裝置會直接存取 Windows Update 以取得更新。Devices access Windows Update directly for the updates. 使用 Intune 來設定及管理 Windows 10 更新通道Use Intune to configure and manage Windows 10 update rings. 更新響鈴是一組包含何時及如何安裝 Windows 10 更新的設定。An update ring contains a group of settings that configure when and how Windows 10 updates get installed. 例如,您可以進行下列設定:For example, you can configure the following:

  • Windows 10 維護通道:選擇您希望裝置的群組要從半年通道 (已設定目標) 或半年通道收到更新。Windows 10 Servicing Channel: Choose whether you want groups of devices to receive updates from the Semi-Annual Channel (Targeted) or from the Semi-Annual Channel.
  • 延遲設定︰設定更新延遲設定,以延遲裝置群組的更新安裝。Deferral Settings: Configure update deferral settings to delay update installations for groups of devices. 使用這些設定讓您能推展階段性的更新,以便全程檢查過程進度。Use these settings to give you a staged update roll out so that you can review progress along the way.
  • 暫停︰如果您在更新首度發行期間發現問題,延後更新的安裝。Pausing: Postpone the installation of updates if you discover an issue at any point during the update rollout.
  • 維護期間︰設定可以安裝更新的時數。Maintenance window: Configure the hours in which updates can be installed.
  • 更新類型︰選擇要安裝的更新類型。Update type: Choose the types of updates that get installed. 例如,高品質更新、功能更新或驅動程式。For example, Quality Updates, Feature Updates, or drivers.
  • 安裝行為︰這會設定更新的安裝方式。Installation behavior: This configures how the update gets installed. 例如,裝置會在安裝後自動重新啟動嗎?For example, does the device automatically restart after the installation?
  • 同儕下載︰您可以指定是否要設定同儕下載。Peer downloading: You can specify whether to configure peer downloading. 如有設定,當裝置完成下載更新時,其他裝置可以從該裝置下載更新。If configured, when a device has finished downloading an update, other devices can download the update from that device. 這會加速下載程序。This speeds up the download process.

建立更新響鈴之後,將它們指派給裝置群組。After you create update rings, you assign them to groups of devices. 藉由使用更新響鈴,您可以建立可反映您業務需求的更新策略。By using update rings, you can create an update strategy that mirrors your business needs. 如需詳細資訊,請參閱使用商務用 Windows Update 來管理更新For more information, see Manage updates using Windows Update for Business.

開始之前Before you start

  • 若要更新 Windows 10 電腦,這些電腦必須至少執行 Windows 10 專業版並已安裝 Windows 年度更新。To update Windows 10 PCs, they must be running at least Windows 10 Pro with the Windows Anniversary update.

  • Windows Update 支援下列 Windows 10 版本:Windows Update supports the following Windows 10 versions:

    • Windows 10Windows 10
    • Windows 10 Team (適用於 Surface Hub 裝置)Windows 10 Team (for Surface Hub devices)

    不支援執行 Windows 10 行動版和 Windows 10 全像攝影版的裝置。Devices running Windows 10 Mobile and Windows 10 Holographic are not supported.

  • 在 Windows 裝置上,[意見與診斷] > [診斷與使用方式資料] 必須至少設定為 [基本]。On Windows devices, Feedback & diagnostics > Diagnostic and usage data must be set to at least Basic.

    診斷與使用方式資料的 Windows 設定

    您可以手動設定此設定,或使用 Intune 裝置限制設定檔 (用於 Windows 10 和更新版本)。You can configure this setting manually, or you can use an Intune device restriction profile for Windows 10 and later. 若要這樣做,請至少將 [一般] > [提交診斷資料] 的設定設為 [基本]。To do this, configure the setting General > Diagnostic data submission to at least Basic. 如需有關裝置設定檔的詳細資訊,請參閱如何設定裝置限制設定For more information about device profiles, see How to configure device restriction settings.

  • 在 Intune 管理主控台中,有四種設定可控制軟體更新行為。In the Intune administration console, there are four settings that control software updates behavior. 這些設定是 Windows 10 桌上電腦和行動裝置上,一般組態原則的一部分:These settings are part of the general configuration policy for Windows 10 desktop and Mobile devices:

    • 允許自動更新Allow automatic updates
    • 允許發行前版本功能Allow pre-release features
    • 已排程的安裝日Scheduled Install Day
    • 已排程的安裝時間Scheduled Install Time

    傳統入口網站在裝置組態設定檔中也有一些其他的 Windows 10 更新設定。The classic portal also has a limited number of other Windows 10 updates settings in the device configuration profile. 當您移轉至 Azure 入口網站時,如果在 Intune 管理主控台中設定了這些設定,強烈建議您執行下列操作︰If you have any of these settings configured in the Intune administration console when you migrate to the Azure portal, we strongly recommend that you do the following:

  1. 在 Azure 入口網站上,以您需要的設定建立 Windows 10 更新響鈴。Create Windows 10 update rings in the Azure portal with the settings that you need. Azure 入口網站已不再支援 [允許搶鮮版功能] 設定,因其不再適用於最新的 Windows 10 組建。The Allow pre-release features setting is not supported in the Azure portal because it is no longer applicable to the latest Windows 10 builds. 當您建立更新響鈴時,可以設定另外三個設定,以及其他 Windows 10 更新設定。You can configure the other three settings, as well as other Windows 10 updates settings, when you create update rings.

    注意

    移轉之後,在傳統入口網站中建立的 Windows 10 更新設定不會顯示在 Azure 入口網站中。Windows 10 updates settings created in the classic portal are not displayed in the Azure portal after migration. 不過,這些設定仍會繼續套用。However, these settings continue to be applied. 如果您有移轉這些設定,並在 Azure 入口網站中編輯移轉的原則,這些設定將會從原則中移除。If you have migrated any of these settings and edit the migrated policy from the Azure portal, these settings are removed from the policy.

  2. 刪除傳統入口網站中的更新設定。Delete the update settings in the classic portal. 移轉至 Azure 入口網站,並新增相同設定到更新響鈴之後,您必須在傳統入口網站中刪除這些設定,以避免任何可能發生的原則衝突。After you migrate to the Azure portal and add the same settings to an update ring, you must delete the settings in the classic portal to avoid any potential policy conflicts. 例如,相同的設定若使用不同的值將會造成衝突且無從得知,因為在傳統入口網站中設定的設定不會顯示在 Azure 入口網站。For example, when the same setting is configured with different values there is a conflict and no easy way to know because the setting configured in the classic portal does not display in the Azure portal.

如何建立及指派更新響鈴How to create and assign update rings

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [監視 + 管理] > [Intune]。Choose More Services > Monitoring + Management > Intune.
  3. 在 [Intune] 刀鋒視窗中,選擇 [軟體更新]。On the Intune blade, choose Software Updates.
  4. 在 [軟體更新] 刀鋒視窗中,選擇 [管理] > [Windows 10 更新響鈴]。On the Software Updates blade, choose Manage > Windows 10 Update Rings.
  5. 在顯示更新響鈴清單的刀鋒視窗中,選擇 [建立]。On the blade showing the list of update rings, choose Create.
  6. 在 [建立更新響鈴] 刀鋒視窗中,提供更新響鈴的名稱和描述 (選擇性),然後選擇 [設定]。On the Create Update Ring blade, supply a name and optional description for the update ring, and then choose Settings.
  7. 在 [設定] 刀鋒視窗中,設定下列資訊:On the Settings blade, configure the following information:

    • 維護通道:設定裝置接收 Windows 更新的通道 (半年通道 (已設定目標) 或半年通道)。Servicing channel: Set the channel for which the device receives Windows updates (Semi-Annual Channel (Targeted) or Semi-Annual Channel.
    • Microsoft 更新︰選擇是否要從 Microsoft Update 掃描應用程式更新。Microsoft updates: Choose whether to scan for app updates from Microsoft Update.
    • Windows 驅動程式︰選擇是否要在更新期間排除 Windows Update 驅動程式。Windows drivers: Choose whether to exclude Windows Update drivers during updates.
    • 自動更新行為︰選擇要如何管理自動更新行為,以進行掃描、下載及安裝更新。Automatic update behavior: Choose how to manage automatic update behavior to scan, download, and install updates. 如需詳細資訊,請參閱 Update/AllowAutoUpdateFor details, see Update/AllowAutoUpdate.
    • 品質更新延遲期間 (天) - 指定品質更新延遲的天數。Quality update deferral period (days) - Specify the number of days for which quality updates are deferred. 最多可以延遲接收「品質更新」至其發行後 30 天。You can defer receiving these Quality Updates for a period of up to 30 days from their release.

      品質更新通常會修正和改進現有的 Windows 功能,而且通常在每個月的第一個星期二發行,不過 Microsoft 也可能在任何時間發行。Quality Updates are generally fixes and improvements to existing Windows functionality and are typically published the first Tuesday of every month, though can be released at any time by Microsoft. 您可以定義在品質更新發行後,「是否」要延遲以及延遲「多久」接收品質更新。You can define if, and for how long, you would like to defer receiving Quality Updates following their availability.

    • 功能更新延遲期間 (天) - 指定功能更新延遲的天數。Feature update deferral period (days) - Specify the number of days for which Feature Updates are deferred. 您可以延遲接收「功能更新」至其發行後 180 天。You can defer receiving these Feature Updates for a period of 180 days from their release.

      功能更新一般是 Windows 的新功能。Feature Updates are generally new features for Windows. 進行 [維護通道] 設定之後 (半年通道 (已設定目標) 或半年通道),您接著可以定義在 Microsoft 於 Windows Update 發行「功能更新」後,是否要延遲接收「功能更新」,以及要延遲多久。After you configure the Servicing channel setting (Semi-Annual Channel (Targeted) or Semi-Annual Channel, you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update.

      例如:For example:
      若維護通道已設為 [半年通道 (已設定目標)] 且延遲期間為 30 天:可以假設「功能更新 X」會在 1 月以半年通道 (已設定目標) 首度公開發行。If the Servicing channel is set to Semi-Annual Channel (Targeted)and the deferral period is 30 days: Let's say that Feature Update X is first publicly available on Windows Update as aSemi-Annual Channel (Targeted) in January. 裝置要到 2 月 (30 天後) 才會接收更新。The device will not receive the update until February - 30 days later.

      若維護通道已設為 [半年通道] 且延遲期間為 30 天:可以假設「功能更新 X」會在 1 月以半年通道 (已設定目標) 首度公開發行。If the Servicing channel is set to Semi-Annual Channel and the deferral period is 30 days: Let's say the Feature Update X is first publicly available on Windows Update as a Semi-Annual Channel (Targeted) in January. 四個月後 (4 月),「功能更新 X」才會發行到半年通道。Four months later, in April, Feature Update X is released to Semi-Annual Channel. 裝置將會在此半年通道發行的 30 天後收到「功能更新 X」,並將在 5 月更新。The device will receive the Feature Update 30 days following this Semi-Annual Channel release and will update in May.

    • 傳遞最佳化 - 選擇裝置將下載 Windows 更新的方法。Delivery optimization - Choose the method for which devices will download Windows updates. 如需詳細資訊,請參閱 DeliveryOptimization/DODownloadModeFor details, see DeliveryOptimization/DODownloadMode.

  8. 完成設定後,按一下 [確定],然後在 [建立更新響鈴] 刀鋒視窗中按一下 [建立]。Once you are done, click OK, and then on the Create Update Ring blade, click Create.

新的更新響鈴會隨即顯示在更新響鈴清單中。The new update ring is displayed in the list of update rings.

  1. 若要指派更新響鈴,在更新響鈴清單中,選取響鈴,在 [<響鈴名稱>] 索引標籤中選擇 [指派]。To assign the ring, in the list of update rings, select a ring, and then on the <ring name> tab, choose Assignments.
  2. 在下一個索引標籤中,選擇 [選取群組],然後選擇要指派此響鈴的群組。On the next tab, choose Select groups, and then choose the groups to which you want to assign this ring.
  3. 完成之後,選擇 [選取] 來完成這項指派。Once you are done, choose Select to complete the assignment.

更新合規性報告Update compliance reporting

您可以在 Intune 中檢視更新合規性,或使用 Operations Management Suite (OMS) 中稱為 Update Compliance 的免費解決方案。You can view update compliance in Intune or by using a free solution in the Operations Management Suite (OMS) called Update Compliance.

在 Intune 中檢視更新合規性Review update compliance in Intune

檢視原則報告,以檢視您已設定之 Windows 10 更新通道的部署狀態。Review a policy report to view the deployment status for the Windows 10 update rings that you have configured.

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [監視 + 管理] > [Intune]。Choose More Services > Monitoring + Management > Intune.
  3. 在 [Intune] 刀鋒視窗中,選擇 [軟體更新]。On the Intune blade, choose Software Updates.
  4. 在 [軟體更新] 刀鋒視窗中,選擇 [概觀]。On the Software Updates blade, choose Overview. 您可以從這裡看到您指派之任何更新通道的狀態一般資訊。From here, you can see general information about the status of any update rings you assigned.
  5. 請開啟下列其中一個報表:Open one of the following reports:

    針對所有的部署通道:For all deployment rings:

    1. 在 [軟體更新] > [Windows 10 更新通道] 刀鋒視窗上。On the Software updates > Windows 10 Update Rings blade.
    2. 在 [監視] 區段,選擇 [依更新通道別部署狀態]。In the Monitor section, choose Per update ring deployment state.

    針對特定的部署通道:For specific deployment rings:

    1. 在 軟體更新 > Windows 10 更新通道 刀鋒視窗上,選擇要檢視的部署通道。On the Software updates > Windows 10 Update Rings blade, choose the deployment ring to review.
    2. 在 [監視] 區段中,從下列報表選擇,以檢視更新通道的更多詳細資訊:In the Monitor section, choose from the following reports to view more detailed information about the update ring:
      • 裝置的更新通道部署Update ring deployment for devices
      • 使用者的更新通道部署Update ring deployment for users
      • 每個設定部署狀態Per-setting deployment state

使用 OMS 檢視更新合規性Review update compliance using OMS

您可以使用 Operations Management Suite (OMS) 中的免費解決方案 Update Compliance 來監視 Windows 10 更新的首度發行。You can monitor Windows 10 update rollouts by using a free solution in the Operations Management Suite (OMS) called Update Compliance. 如需詳細資訊,請參閱使用Update Compliance 來監視 Windows UpdatesFor details, see Monitor Windows Updates with Update Compliance. 當您使用此解決方案時,可以將商業識別碼部署至任何您用 Intune 管理、且要報告更新合規性的 Windows 10 裝置。When you use this solution, you can deploy a commercial ID to any of your Intune managed Windows 10 devices for which you want to report update compliance.

在 Intune 主控台中,您可以使用自訂原則的 OMA-URI 設定來設定商業識別碼。In the Intune console, you can use the OMA-URI settings of a custom policy to configure the commercial ID. 如需詳細資訊,請參閱 Microsoft Intune 中 Windows 10 裝置的 Intune 原則設定For details, see Intune policy settings for Windows 10 devices in Microsoft Intune.

用於設定商業識別碼的 OMA-URI (區分大小寫) 路徑是:./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialIDThe OMA-URI (case sensitive) path for configuring the commercial ID is: ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID

例如,您可以在 [新增或編輯 OMA-URI 設定] 中使用下列值:For example, you can use the following values in Add or edit OMA-URI Setting:

  • 設定名稱:Windows Analytics 商業識別碼Setting Name: Windows Analytics Commercial ID
  • 設定描述︰設定 Windows Analytics 解決方案的商業識別碼Setting Description: Configuring commercial ID for Windows Analytics solutions
  • 資料類型:字串Data Type: String
  • OMA-URI (區分大小寫):./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialIDOMA-URI (case sensitive): ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID
  • :<使用 OMS 工作區中的 [Windows 遙測] 索引標籤上顯示的 GUID>Value: <Use the GUID shown on the Windows Telemetry tab in your OMS workspace>

診斷與使用方式資料的 Windows 設定

如何暫停更新How to pause updates

您可以讓裝置暫停接收功能更新或品質更新一段期間,自您暫停更新起最多 35 天。You can pause a device from receiving Feature Updates or Quality Updates for a period of up to 35 days from the time you pause the updates. 經過天數上限之後,暫停功能會自動過期,裝置將掃描 Windows Updates 尋找可用的更新。After the maximum days have passed, pause functionality will automatically expire and the device will scan Windows Updates for applicable updates. 在這次掃描後,您可以再一次暫停更新。Following this scan, you can pause the updates again.

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [監視 + 管理] > [Intune]。Choose More Services > Monitoring + Management > Intune.
  3. 在 [Intune] 刀鋒視窗中,選擇 [軟體更新]。On the Intune blade, choose Software Updates.
  4. 在 [軟體更新] 刀鋒視窗中,選擇 [管理] > [Windows 10 更新響鈴]。On the Software Updates blade, choose Manage > Windows 10 Update Rings.
  5. 在顯示更新響鈴清單的刀鋒視窗中,選擇您要暫停的響鈴,然後選擇 [...] > [暫停品質] 或 > [暫停功能],取決於您要暫停的更新類型。On the blade showing the list of update rings, choose the ring you want to pause, and then, choose ... > Pause Quality > or Pause Feature, depending on the type of updates you want to pause.

重要

在您發出暫停命令後,裝置會在下次向服務確認時收到此命令。When you issue a pause command, devices receive this command when they next check into the service. 也有可能在確認更新之前,就已經執行排定的更新。It's possible that before they check in, they might install a scheduled update. 此外,當您發出暫停命令時如果目標裝置已關閉,當您開啟裝置時,它可能會下載並安裝排定的更新,然後再去向 Intune 確認。Additionally, if a targeted device is turned off when you issue the pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune.