This week is all about something relatively new with Microsoft Intune and that is managing Visual Studio settings. Many settings for managing Visual Studio were already available via registry keys and ADMX-files. Those ADMX-files could already be imported within Microsoft Intune, but are now also directly available within the Settings Catalog with the latest service release (2305). That enables organizations to easily manage the most important configuration settings that are required to at least make sure that the basics of the Visual Studio installation are compliant with the company policies. An important part of that is managing the updates for Visual Studio. That can make sure that the installations of Visual Studio within the organization, at least have the latest security updates installed. This post will look at using the available configuration settings for Visual Studio for managing the updates. That’s achieved with an introduction to the different updates for Visual Studio, followed with the steps for configuring Visual Studio. This post will end with experiencing the configuration.
Note: At this moment, managing updates Visual Studio updates are not yet part of Windows Autopatch.
Introducing Visual Studio updates
Before looking at managing updates for Visual Studio, it’s important to understand the updates that are available. Like any other Microsoft product, Visual Studio must be updated regularly to fix security vulnerabilities, to add new features, and to deliver performance and reliability fixes. Nothing new or strange there. When managing updates for Visual Studio, it’s about Visual Studio administrator updates. These administrator updates are not initial installs and assume that Visual Studio is already installed. Besides that, administrator updates come in different flavors and depending on the flavor it’s available via one or more of the different distribution channels. Those distribution channels are Windows Server Update Service (WSUS), Windows Update for Business (WUfB), and the Microsoft Update Catalog. The following table provides a brief overview of those update types, the distribution channel and a short description.
| Update type | Distribution channel | Description |
|---|---|---|
| Security updates | Windows Server Update Services, Windows Update for Business, Microsoft Update Catalog | These update types are applicable to all Visual Studio editions and are designed to deliver fixes to security vulnerabilities. |
| Feature updates | Windows Server Update Services (manual import), Microsoft Update Catalog | These update types are only applicable to Visual Studio editions that are commonly found in enterprises and bring the software to a more recent minor version. Also, these updates are cumulative and contain additional quality and prior security fixes. |
| Quality updates | Windows Server Update Services (manual import), Microsoft Update Catalog | These update types are only applicable to Visual Studio editions that are commonly found in enterprises and are designed to deliver performance and reliability fixes. Also, these updates are cumulative and contain prior released security fixes. |
Note: At this moment, only security updates are available via Windows Update for Business.
Configuring Visual Studio updates
When being familiar with the administrator updates for Visual Studio, it’s time to have a look at the configuration options for Visual Studio. Those configurations are now available by using the Settings Catalog profile in Microsoft Intune. The Settings Catalog now by default contains the settings that are available via the VisualStudio.admx. That means that those settings are ADMX-backed and directly available for use. It’s just good to keep in mind that not everything can be easily managed. Some configuration options are still only available via registry keys. Configuring the update channel, for example, can not be achieved by using the currently available settings. Using Windows Updates for Business as the distribution channel, however, can be achieved by using the available settings. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the update channel and something extra.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
- Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
- Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
- Name: Provide a name for the profile to distinguish it from other similar profiles
- Description: (Optional) Provide a description for the profile to further differentiate profiles
- Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
- Click Add settings and perform the following in Settings picker
- Select Administrative Templates as category
- Select Visual Studio > Install and Update settings as subcategory
- Select Enable administrator updates as setting
- Switch the slider with Enable administrator updates to Enable, select WSUS/SCCM and Microsoft Update/Intune with Microsoft Update Channel and click Next
Note: Allow MU Update Service must also be configured to receive Visual Studio administrator updates through Windows Update for Business. That’s just not a specific setting for Visual Studio and is probably already configured.
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Note: Keep mind that not everything can be configured via the available settings. For an overview of all the available configuration options, refer to the described registry keys here.
Experiencing managed Visual Studio updates
After looking at managing updates for Visual Studio, it’s good to have a look at the experience with the administrator updates for Visual Studio. It can just be challenging to view the configured behavior. That’s why the configuration above added an additional setting to remove out-of-support components. That configuration is clearly shown, when looking at the Update Settings. Besides that, the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\VisualStudio\Setup contains all the applied settings via Microsoft Intune.
More information
For more information about managing updates for Visual Studio, refer to the following docs.
- Applying administrator updates to Visual Studio with Microsoft Configuration Manager | Microsoft Learn
- Enabling administrator updates to Visual Studio with Microsoft Configuration Manager | Microsoft Learn
- Configure policies for enterprise deployments – Visual Studio (Windows) | Microsoft Learn
- Update Visual Studio | Microsoft Learn
Thank you for the post. Do you know if this also applies to Visual Studio Code?
Hi John,
No, this is not applicable to Visual Studio Code.
Regards, Peter
I deployed this a week ago to 112 devices. Yet, only 10 show installed. All others show pending. Is there something further I need to do here that perhaps isn’t mentioned and/or is assumed already setup?
Hi Alex,
Not really. The ADMX-files will be ingested by Intune. It is important to keep in mind that this is Visual Studio only. Not Visual Studio Code.
Regards, Peter