Azure AD joined Windows 10 devices that are enrolled in Intune can have Intune's Software Updates manage Windows Update. Perhaps the device image from your vendor is 1709 and you need Intune to upgrade the devices to 1803 in order for them to become compliant.
This is a very easy task to configure in Intune, but we have been struggling with it for a long time, with numerous interactions with the Intune team, shipping a lot of device logs and even uploading the VHDX we have been testing with. Physical clients showed the same issue.
Finally Microsoft found the issue: Azure AD joined devices that are enrolled in Intune will, for some unknown reason, have the Sign-in Assistant service deactivated. I don't yet know why this service is required, because minor updates to the current image are installed, and one could at least use Windows Update with local accounts before.
We can see that the Windows Update settings are greyed out because they are managed by Intune, meaning the Software Updates configuration is managing the devices, but we continue to receive this error when the device tries to run Windows Update:
I am sorry for the Norwegian OS language, but it translates to: "The device is exposed because there are outdated and missing important security and quality updates. Let us update you so Windows can run securely. Choose this button to get going."
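Since the root cause identified above is a disabled service, the first thing to check on an affected device is the state of the Microsoft Account Sign-in Assistant (service name wlidsvc) alongside the Windows Update policy that Intune has pushed. The following PowerShell script is an added example written for this post, not something provided by Microsoft or the Intune team. It reports the service start mode and state, the Azure AD join status from dsregcmd, and the Update policy values found in the registry, and can optionally re-enable the service. The -Remediate switch, the Manual startup type used for remediation, and the two registry paths it inspects are assumptions of this example.

```powershell
# Added example (not from the original post): report the state of the Microsoft
# Account Sign-in Assistant service (service name: wlidsvc) that the post
# identifies as disabled on Azure AD joined, Intune-enrolled devices, together
# with the Windows Update policy values present, and optionally re-enable it.
# Run in an elevated PowerShell session on the affected Windows 10 device.
# The -Remediate switch and the registry paths checked are assumptions of this
# example, not something the post itself prescribes.

[CmdletBinding()]
param(
    [switch]$Remediate   # re-enable and start wlidsvc if it is disabled
)

$ServiceName = 'wlidsvc'   # Microsoft Account Sign-in Assistant

function Get-SignInAssistantState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service
    # does not show on every Windows 10 PowerShell version.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found on this device." }
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        StartMode   = $svc.StartMode
        State       = $svc.State
    }
}

function Get-WindowsUpdatePolicySource {
    # Assumption: MDM (Intune) Update policies land under PolicyManager, and
    # classic GPO values under Policies\...\WindowsUpdate. Each existing path
    # is listed with its policy values so you can see who manages WU.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $props = Get-ItemProperty -Path $p
            # Drop the PS* metadata properties so only policy values remain
            $values = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            [pscustomobject]@{ Path = $p; Values = ($values -join '; ') }
        }
    }
}

function Test-AzureAdJoined {
    # dsregcmd /status prints 'AzureAdJoined : YES' on an Azure AD joined device
    $status = dsregcmd.exe /status 2>$null
    return [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
}

$state = Get-SignInAssistantState
Write-Host ("Azure AD joined : {0}" -f (Test-AzureAdJoined))
Write-Host ("{0} ({1}) StartMode={2} State={3}" -f `
    $state.DisplayName, $state.Name, $state.StartMode, $state.State)
Get-WindowsUpdatePolicySource | Format-List

if ($state.StartMode -eq 'Disabled') {
    Write-Warning "$ServiceName is disabled; on an Azure AD joined, Intune-enrolled device Windows Update is expected to fail with the 'device is exposed' message."
    if ($Remediate) {
        # Assumption: Manual (trigger start) is the normal startup type for
        # this service on Windows 10, so restore that rather than Automatic.
        Set-Service -Name $ServiceName -StartupType Manual
        Start-Service -Name $ServiceName
        Write-Host "Re-enabled $ServiceName; status is now $((Get-Service -Name $ServiceName).Status)."
    }
}
```

Run it once without -Remediate to confirm that the device is Azure AD joined, that the Update policy values really come from Intune, and that wlidsvc is the only thing that is Disabled; if a device shows the service as Disabled but Windows Update still works with a local account, the cause is something other than what this post describes.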