Visual Studio Update and Management Configuration Profile in Intune

This is the solution that I have come up with that works in my environment. I cannot speak to how this may work in other environments.

Before we begin with what I have done I am going to explain my scenario. We have a lot of in-house developers as well as contracted developers who do not have admin accounts either on the domain side or on their local machines. When updates come to the Visual Studio installer to update Visual Studios it requires the developer to enter in admin rights. However, with the configuration profile that I am about to set up, updates in the Visual Studio Installer removes the requirement for admin rights and allows them to rollback updates. There are additional policies that can be applied as well that I will touch on too.

*Sidenote: This policy, from what I know, will work for Visual Studio Professional 2017-Current

In the Intune Management Portal, navigate to Devices > Configuration. Under Policies click Create > New Policy > Platform = Windows 10 and later > Profile type = Settings Catalog. You can name and give it a description to however you’d like it. Next under Configuration Setting you will want to search for the correct Setting. Search for Visual Studio and select “Visual Studio Install and Update Settings” and then select the top current option “Allow standard users to execute installer operations”. Setting this to Enabled simply allows the end user the ability to run Visual Studio updates in the Visual Studio Installer app without having to enter admin rights. This also allows the user to rollback the most recent update without admin rights too. Below is the Policy Setting description.

“Allows users without administrator permissions to manage their Visual Studio installations. If set to 0 (disabled) or missing entirely, the installer will prompt for administrator permissions using UAC. If set to 1 (enabled for Update and Rollback), users without administrator permissions can update or rollback without UAC. All other operations will ask for administrator permissions through UAC. If set to 2 (enabled for all installer operations), users without administrator permissions can fully manage Visual Studio through the Visual Studio Installer without UAC. For more information, see http://aka.ms/vs/setup/policies.”

There are further policies that I have configured for Visual Studio. The two additional policies that I have applied are “Enable administrator updates” and “Allow MU Update Service”.

*You can find the “Allow MU Update Service” policy by searching for it directly or by searching for Windows Update for Business.

The first policy “Enable administrator updates” is set to Enabled and the Microsoft Update Channel is set to WSUS/SCCM and Microsoft Updates/Intune. What this does is push Administrator updates of Visual Studios to the machine via either WSUS/SCCM and or Microsoft Update Channels from Intune, if you have either of those setup. In my environment’s case we have both currently setup. WSUS/SCCM is used for updates to Windows 10 machines only while we have Microsoft Update Rings setup in Intune to hit both Windows 10 and Windows 11 devices. This policy also requires the “AllowMUUpdateSettingService” policy to be enabled as well. Below is this Policies description.

“Allows administrator updates to be visible to and applied to the client computer. If set to 1 (enabled for WSUS/SCCM), then administrator updates delivered through WSUS and SCCM will be available to Active Direcotry (AD) joined client machines. If set to 2 (enabled for WSUS/SCCM and Microsoft Updates/Intune), then administrator updates delivered through either WSUS/SCCM or Microsoft Updates/Intune will be available to either Active Directory (AD) or Azure Active Directory (Azure AD) joined machines that are enrolled in Windows Update for Business (WUfB). Note that the WUfB AllowMUUpdateServicePolicy must be turned on too. If set to 0 (disabled) or missing entirely, then administrator updates will not be available to the machine. For more information, see http://aka.ms/vs/setup/policies.”

The second policy I mentioned “Allow MU Update Service” is a requirement for the first additional policy, “Enable administrator updates”. This policy I have set to “Allowed. Accepts updates received through Microsoft Updates”. This allows the machine to scan and receive application updates, ie. Visual Studios, from Microsoft Updates. Below is the description of the policy.

“Allows the IT admin to manage whether to scan for app updates from Microsoft Update.”