Keeping your organization's Windows version up to date is highly recommended because new risks and vulnerabilities are discovered every day. Running the newest version of Windows decreases the likelihood of your devices being exposed to known exploits, and you receive the benefit of the newest features and fixes being applied to your systems.
Before we start configuring the basics, we need to look at the prerequisites. Microsoft has a great article explaining the requirements.
Configure Update rings for Windows 10 and later policy in Intune | Microsoft Docs
Let’s start by configuring & enabling Telemetry on all devices.
Step 1: Enable Telemetry.
Open the Endpoint Manager interface and navigate to “Devices | Configuration profiles”.
Devices – Microsoft Endpoint Manager admin center
We want to create a new profile for Windows 10 devices and choose the “Device restrictions” template.
Give your policy a name and a brief description and click “next”.
Scroll down the page, expand the “Reporting and Telemetry” section and set “Share usage data” to “Required”.
On the assignment page, I recommend selecting all devices and creating a “Filter” to target only corporate devices.
How to use filters: Create filters in Microsoft Intune | Microsoft Docs
Step 2: Create and assign “Windows Update Ring” policy.
In the “Devices” overview, choose “Update rings for Windows 10 and later” and click “Create profile”.
Give your new policy a name and description.
Name: Default Update ring for windows devices.
Description: This policy will automatically download / install newest security patches and prepare for feature updates.
Below is a complete screenshot of my “Update Ring” recommendations.
Quality updates will install 25 days after being released (to avoid day-one problems with a freshly released patch).
Feature updates will install 100 days after being released (these are the big updates).
The Windows 11 upgrade is disabled (this should be a completely separate roll-out).
After the policy is applied, computers will automatically start downloading updates outside working hours and notify users that a restart is required within 14 days for feature updates and 7 days for quality updates.
If users do not restart within the deadline, the computer will forcefully restart 3 days after the deadline.
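The same update ring and restart deadlines can be created and verified through Microsoft Graph instead of the portal. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission.

```powershell
# Added example (not from the original post): creates the update ring described
# above as a Graph windowsUpdateForBusinessConfiguration object, then reads it
# back to confirm the deferral and deadline values actually took effect.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Desired state, taken from the recommendations in the post.
$ring = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'Default Update ring for windows devices'
    description                        = 'Automatically download / install newest security patches and prepare for feature updates.'
    automaticUpdateMode                = 'autoInstallAtMaintenanceTime'  # download/install outside working hours
    qualityUpdatesDeferralPeriodInDays = 25    # quality updates: 25 days after release
    featureUpdatesDeferralPeriodInDays = 100   # feature updates: 100 days after release
    deadlineForQualityUpdatesInDays    = 7     # restart deadline for quality updates
    deadlineForFeatureUpdatesInDays    = 14    # restart deadline for feature updates
    deadlineGracePeriodInDays          = 3     # forced restart 3 days after the deadline
    allowWindows11Upgrade              = $false # Windows 11 is a separate roll-out
}

# allowWindows11Upgrade is only exposed on the beta endpoint.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($ring | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the object back and compare it with the desired state. Re-running this
# block against an existing ring id detects a ring that someone has loosened.
$live   = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)"
$checks = 'qualityUpdatesDeferralPeriodInDays', 'featureUpdatesDeferralPeriodInDays',
          'deadlineForQualityUpdatesInDays', 'deadlineForFeatureUpdatesInDays',
          'deadlineGracePeriodInDays', 'allowWindows11Upgrade'
foreach ($key in $checks) {
    if ($live[$key] -ne $ring[$key]) {
        Write-Warning "$key is '$($live[$key])'; expected '$($ring[$key])'"
    }
}
```

Assignment to devices (and the corporate-device filter from step 1) is a separate Graph call and is not shown here; the ring is created unassigned.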
If you have any questions / feedback or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.