Why Your Devices Are Skipping Updates in SCCM and Intune – And How to Fix It Fast

Ever wondered why some devices in your organization stubbornly refuse to get updates despite being in SCCM or Intune?

This is a common challenge administrators face when rolling out security patches: they are trying to do their job while meeting the expectations of the security team, the compliance team, and management.

I was among those 😒 who initiated a hot seat challenge from August to October 2025. Many customers were affected, regardless of their Endpoint Management system, whether SCCM or Intune. Some of their devices repeatedly failed despite ongoing efforts 🙄.

Why should I care?

When you work with endpoints, you're engaging with your compliance and cybersecurity teams, who want to make sure there are no security risks. They focus on Zero Trust security and Conditional Access, so your users can smoothly access your organization's resources without being blocked just because a device isn't marked as compliant.

I couldn't find anything in the Windows logs on the device side, or on either the SCCM or Intune side, and honestly, I've noticed this more with SCCM than with Intune, because many devices received the update while some did not. However, my fix below applies to both management systems.



How to fix this issue?

This fix should be treated as a workaround, as in my scenario where Microsoft had issues with Windows updates from August to October. It's not recommended to use it widely or every month; use it only when an update keeps failing with no clear reason, until Microsoft fixes it in the next month's release.


1. SCCM:

I came across this article from Microsoft that discussed adding this registry key. It is old, but still active.

KB5005322—Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support

· Open the command prompt (cmd) as Admin.

· Create the following registry key to allow an in-place update directly from Microsoft, avoiding any interruption by SCCM or WSUS.

Note: Please apply these changes to a test OU before you push them to production. Once you are satisfied, add all affected devices to this OU.

Reg.exe Add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v AllowInplaceUpgrade /t REG_DWORD /f /d 1




This registry key allows the device to receive the latest update for your Windows version, regardless of whether it is 23H2, 24H2, etc.; it will be a clean OS installation. The value is removed once the update is in place, and your device will go back to receiving updates from SCCM or Intune.

Enable Automatic Updates (the "Configure Automatic Updates" Group Policy setting). After testing, we recommend setting it to auto download and notify for install, so the user is prompted to click Install and then prompted to restart.




Set the Windows Update source to Windows Update instead of WSUS, so the device connects to Microsoft's servers to get the OS version with the most recent update released by Microsoft.




Target a specific Windows version. In this case I targeted Windows 11 23H2; if your environment is on 24H2 or 25H2, change it accordingly, as shown in the screenshot below.




This is the information we received directly from Microsoft via Windows Update, not through WSUS. It’s specifically meant to fix your affected version with the latest update available. In this demo, I tested on Windows 11 23H2 with the November update, which was the most recent version at the time of testing.






2. Intune

From Intune it is easier: enable these two policies.

Allow Update Service: This setting lets your device access updates from Microsoft Update, Windows Server Update Services (WSUS), or the Microsoft Store. Even if you've set Windows Update to get updates through an intranet update service, your device will still occasionally check the public Windows Update service. This helps ensure smooth connections to Windows Update, Microsoft Update, and the Microsoft Store in the future.




Set Policy Driven Update Source for Quality Updates




If you use a GPO, make sure it targets a specific OU that does not inherit any other GPOs from your environment, so the device(s) in that OU get the update; afterwards you can move them out of the update OU. The same applies to Intune: target a test group and make sure the device is not part of another update policy group, because that may leave you with conflicting policies.

The device completed the update and restarted with the Windows 11 23H2 November build.
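As an added example (not from the original post and not Microsoft's own tooling), the PowerShell script below applies the same AllowInplaceUpgrade value on a single test device and reports the registry values behind the GPO and Intune steps above: the Windows Update source (UseWUServer), the Automatic Updates behaviour (AUOptions), the target release version and the quality-update source. The policy paths are the standard Windows Update policy keys; the -ReportOnly switch is my own addition, and the registry mapping of the Intune "Allow Update Service" setting is not covered.

```powershell
# Added example: apply the KB5005322 workaround on a test device and show the
# Windows Update policy values that decide where the device gets updates from.
# Run in an elevated PowerShell session on a test device only.
param([switch]$ReportOnly)   # -ReportOnly: only show the current values

$CurrentVersion = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$WuPolicy       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy       = "$WuPolicy\AU"

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WuPolicySnapshot {
    # Registry values written by the GPO / Intune settings described in the post.
    [pscustomobject]@{
        AllowInplaceUpgrade      = Get-RegValue $CurrentVersion 'AllowInplaceUpgrade'
        UseWUServer              = Get-RegValue $AuPolicy 'UseWUServer'   # 1 = WSUS/SCCM, 0 or absent = Windows Update
        AUOptions                = Get-RegValue $AuPolicy 'AUOptions'     # 3 = auto download, notify to install
        TargetReleaseVersionInfo = Get-RegValue $WuPolicy 'TargetReleaseVersionInfo'  # e.g. 23H2
        ProductVersion           = Get-RegValue $WuPolicy 'ProductVersion'            # e.g. Windows 11
        QualityUpdateSource      = Get-RegValue $WuPolicy 'SetPolicyDrivenUpdateSourceForQualityUpdates'  # 0 = Windows Update, 1 = WSUS
    }
}

function Enable-InplaceUpgradeWorkaround {
    # Same effect as the reg.exe command in the post; Windows removes the value
    # once the in-place update has completed.
    New-ItemProperty -Path $CurrentVersion -Name 'AllowInplaceUpgrade' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Host 'Before:'
Get-WuPolicySnapshot | Format-List

if (-not $ReportOnly) {
    Enable-InplaceUpgradeWorkaround
    Write-Host 'After:'
    Get-WuPolicySnapshot | Format-List
    # The key alone is not enough if the device is still pointed at WSUS/SCCM.
    if ((Get-RegValue $AuPolicy 'UseWUServer') -eq 1) {
        Write-Warning 'UseWUServer is still 1: switch the update source policy to Windows Update before expecting the in-place update.'
    }
}
```

Run it once with -ReportOnly on an already-working device to see what a correctly configured policy set looks like, then compare against an affected one.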


Links:



Thanks for reading, and Happy New Year 🎆🎉

