CyberSystem
Intune Windows Update Rings: Complete Configuration Guide

Learn how to configure and deploy Windows Update rings in Intune to manage Windows 10 and Windows 11 updates, including quality updates, feature updates, and update deployment strategies.

By Ali Alame
Tags: intune, windows-update, update-rings, windows-10, windows-11, patch-management, deployment

Windows Update rings in Microsoft Intune allow you to control how and when Windows 10 and Windows 11 devices receive updates. Update rings provide a flexible way to manage update deployment, balancing security needs with business requirements and user experience.

Understanding Windows Update Rings

Windows Update rings are collections of settings that configure when devices running Windows receive and install updates. Update rings help you manage the pace of update deployment, control restart behavior, and ensure devices stay current with security and feature updates.

Key Benefits

  • Controlled Deployment: Manage when updates are installed
  • Deployment Rings: Create rings for phased rollout
  • User Experience: Control restart notifications and timing
  • Security: Ensure devices receive security updates promptly
  • Flexibility: Configure different rings for different device groups

For an overview, see Windows Update rings policy in Intune.

Creating Windows Update Rings

Step 1: Access Update Rings

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > By platform > Windows > Manage updates > Windows 10 and later updates > Update rings tab
  3. Select Create profile

Step 2: Configure Basics

  1. Name: Enter a descriptive name (e.g., "Windows Update Ring - Pilot")
  2. Description: Optional description
  3. Select Next

Step 3: Configure Update Ring Settings

Configure update and user experience settings:

Update Settings

  1. Servicing channel:
    • Semi-annual channel (recommended)
    • General Availability channel
  2. Microsoft product updates: Allow/Block
  3. Windows drivers: Allow/Block
  4. Quality update deferral period (days): 0-30 days
    • 0 days: Install immediately (recommended for security)
  5. Feature update deferral period (days): 0-365 days
    • 0 days: Install immediately
    • Higher values delay feature updates
  6. Set feature update uninstall period: 2-60 days
    • Time window to uninstall feature updates

User Experience Settings

  1. Automatic update behavior:
    • Reset to default
    • Notify before download
    • Auto install at maintenance time
    • Auto install and reboot without end-user control
  2. Restart checks: Allow/Block
  3. Option to pause Windows updates: Enable/Disable
  4. Option to check for Windows updates: Enable/Disable
  5. Require user approval to dismiss restart notification: Yes/No
  6. Remind user prior to required auto-restart: Configure hours/minutes
  7. Change notification update level:
    • Use default Windows Update notifications
    • Turn off all notifications (not recommended)

Deadline Settings

  1. Use deadline settings: Allow/Block
  2. Deadline for feature updates: Days (e.g., 7)
  3. Deadline for quality updates: Days (e.g., 2)
  4. Grace period: Days (e.g., 2)
  5. Auto reboot before deadline: Yes/No

For detailed settings, see Windows update settings.

Step 4: Assign Scope Tags (Optional)

  1. Select + Select scope tags
  2. Choose scope tags
  3. Select Next

Step 5: Assign to Groups

  1. Select + Select groups to include
  2. Choose device groups (recommended)
  3. Optionally exclude specific groups
  4. Select Next

Best Practice: Deploy update rings to device groups rather than user groups for more predictable behavior.

Step 6: Review and Create

  1. Review all settings
  2. Select Create

For step-by-step guidance, see Windows Update rings policy in Intune.

Recommended Update Ring Configuration

Ring 1: Pilot (1-5% of devices)

Settings:

  • Quality update deferral: 0 days
  • Feature update deferral: 0 days
  • Automatic update behavior: Auto install and reboot without end-user control
  • Deadline for quality updates: 2 days
  • Deadline for feature updates: 7 days
  • Grace period: 2 days

Purpose: Test updates before broad deployment.

Ring 2: Early Adopters (5-15% of devices)

Settings:

  • Quality update deferral: 0-2 days
  • Feature update deferral: 0-7 days
  • Automatic update behavior: Auto install at maintenance time
  • Deadline for quality updates: 2 days
  • Deadline for feature updates: 7 days

Purpose: Validate updates after pilot testing.

Ring 3: Broad Deployment (80-95% of devices)

Settings:

  • Quality update deferral: 2-3 days
  • Feature update deferral: 7-14 days
  • Automatic update behavior: Auto install at maintenance time
  • Deadline for quality updates: 3-5 days
  • Deadline for feature updates: 14-21 days

Purpose: Standard deployment for most devices.

Ring 4: Critical Systems (<1% of devices)

Settings:

  • Quality update deferral: 5-7 days
  • Feature update deferral: 30-60 days
  • Automatic update behavior: Notify before download
  • Extended grace periods

Purpose: Protect critical systems with extended testing.

For guidance, see Windows in cloud configuration step by step setup guide.
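
The four recommended rings above as configuration-as-code, an added example that is not from the original article: it checks the deferral limits given earlier, builds the Microsoft Graph `windowsUpdateForBusinessConfiguration` body for each ring, and prints a simplified upper bound on quality-update latency (deferral + deadline + grace period, an assumption of this example). `ConvertTo-UpdateRingBody` and the `$rings` keys are hypothetical names; where the article gives a range, the upper value is used.

```powershell
# Added example. Ranges on the page are pinned to their upper value (assumption).
$rings = @(
    @{ Name = 'Pilot'; QualityDefer = 0; FeatureDefer = 0; Mode = 'autoInstallAndRebootWithoutEndUserControl'
       QualityDeadline = 2; FeatureDeadline = 7; Grace = 2 }
    @{ Name = 'Early Adopters'; QualityDefer = 2; FeatureDefer = 7; Mode = 'autoInstallAtMaintenanceTime'
       QualityDeadline = 2; FeatureDeadline = 7 }
    @{ Name = 'Broad Deployment'; QualityDefer = 3; FeatureDefer = 14; Mode = 'autoInstallAtMaintenanceTime'
       QualityDeadline = 5; FeatureDeadline = 21 }
    @{ Name = 'Critical Systems'; QualityDefer = 7; FeatureDefer = 60; Mode = 'notifyDownload' }
)

function ConvertTo-UpdateRingBody {
    param([Parameter(Mandatory)][hashtable]$Ring)

    # Limits stated in the guide: quality deferral 0-30 days, feature deferral 0-365 days.
    if ($Ring.QualityDefer -lt 0 -or $Ring.QualityDefer -gt 30)  { throw "$($Ring.Name): quality deferral must be 0-30 days" }
    if ($Ring.FeatureDefer -lt 0 -or $Ring.FeatureDefer -gt 365) { throw "$($Ring.Name): feature deferral must be 0-365 days" }

    $body = [ordered]@{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = "Windows Update Ring - $($Ring.Name)"
        automaticUpdateMode                = $Ring.Mode
        qualityUpdatesDeferralPeriodInDays = $Ring.QualityDefer
        featureUpdatesDeferralPeriodInDays = $Ring.FeatureDefer
    }
    # Deadline fields are sent only when the ring defines them.
    if ($Ring.ContainsKey('QualityDeadline')) { $body['deadlineForQualityUpdatesInDays'] = $Ring.QualityDeadline }
    if ($Ring.ContainsKey('FeatureDeadline')) { $body['deadlineForFeatureUpdatesInDays'] = $Ring.FeatureDeadline }
    if ($Ring.ContainsKey('Grace'))           { $body['deadlineGracePeriodInDays']       = $Ring.Grace }
    return $body
}

foreach ($ring in $rings) {
    $body = ConvertTo-UpdateRingBody -Ring $ring
    # Simplified upper bound, in days from release to enforced install of a quality
    # update. A ring without a deadline has no enforced bound at all.
    $window = if ($ring.ContainsKey('QualityDeadline')) {
        $ring.QualityDefer + $ring.QualityDeadline + [int]$ring.Grace
    } else { 'unbounded (no deadline configured)' }
    '{0,-18} max days to enforced quality update: {1}' -f $ring.Name, $window
    $body | ConvertTo-Json
    # To create the profile (needs the Microsoft.Graph.Authentication module and
    # Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'):
    # Invoke-MgGraphRequest -Method POST -Body ($body | ConvertTo-Json) `
    #   -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
}
```

The Critical Systems ring is built without a deadline because the article lists none for it; adding one puts an upper bound on how long those devices can stay unpatched.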

Monitoring Update Deployment

Update Reports

Monitor update deployment:

  1. Go to Devices > By platform > Windows > Manage updates > Windows 10 and later updates
  2. Review update ring status
  3. Check device update compliance

Available Reports

  • Update ring status: Overall deployment status
  • Device update status: Per-device update status
  • Update failures: Devices with update issues
  • Compliance reports: Update compliance tracking

For details, see Windows Update reports for Microsoft Intune.

Best Practices

1. Use Deployment Rings

  • Create multiple rings for phased rollout
  • Start with a small pilot group
  • Expand gradually
  • Monitor each ring before moving to the next

2. Balance Security and Stability

  • Deploy security updates quickly (0-2 days deferral)
  • Defer feature updates longer (7-30 days)
  • Test feature updates in pilot first
  • Adjust based on organizational needs

3. Configure Appropriate Deadlines

  • Set deadlines for quality updates (2-5 days)
  • Set deadlines for feature updates (7-21 days)
  • Use grace periods to prevent disruption
  • Enable auto-reboot before deadline

4. Consider User Experience

  • Configure restart notifications
  • Allow users to schedule restarts
  • Use maintenance windows when possible
  • Provide clear communication

5. Monitor Regularly

  • Review update compliance weekly
  • Address update failures promptly
  • Track update deployment progress
  • Adjust rings based on results

Troubleshooting

Common Issues

  1. Updates Not Installing
    • Verify update ring assignment
    • Check device check-in status
    • Review update ring settings
    • Check for policy conflicts
  2. Unexpected Restarts
    • Review restart settings
    • Check deadline configurations
    • Verify grace period settings
    • Adjust user experience settings
  3. Policy Conflicts
    • Review all assigned policies
    • Check for Group Policy conflicts
    • Understand conflict resolution
    • Resolve conflicts appropriately

For troubleshooting guidance, see Troubleshoot Update rings for Windows 10 and Windows 11 in Microsoft Intune.

Conclusion

Windows Update rings provide essential capabilities for managing Windows updates in your organization. By following these best practices:

✅ Use deployment rings for phased rollout
✅ Balance security and stability
✅ Configure appropriate deadlines
✅ Consider user experience
✅ Monitor update deployment regularly

you can ensure devices stay current with security updates while maintaining control over feature update deployment and minimizing user disruption.

Remember: Update rings are a critical component of device security. Deploy security updates quickly while using deferral periods and testing for feature updates to maintain stability.