In today’s blog I will quickly guide you through how to configure update rings for Windows using Intune.
It is important to keep your organization’s Windows version up to date in order to reduce the risks and vulnerabilities that are constantly being discovered. By running the latest version of Windows, you can decrease the chances of your devices being exposed to known exploits and take advantage of the newest features and fixes. Updating your systems regularly can help ensure their security and improve their performance and functionality.
Before proceeding with configuration, we need to review the prerequisites. Microsoft has a helpful article that outlines the necessary requirements. Once we have ensured that all prerequisites are met, we can move on to setting up the basic configurations.
Configure Update rings for Windows 10 and later policy in Intune | Microsoft Docs
Let’s start by enabling telemetry on all devices, since update ring reporting depends on it.
Step 1: Enable Telemetry.
Open the Endpoint Manager interface and navigate to “Devices | Configuration Profiles”.
Devices – Microsoft Endpoint Manager admin center
We want to create a new profile for Windows 10 and later devices and choose the “Device restrictions” template.
Give your policy a name and a brief description and click “next”.
Scroll down on the page, expand the “Reporting and Telemetry” section and set “Share usage data” to “Required”.
On the assignment page, I recommend selecting all devices and creating a “Filter” to target only corporate devices.
How to use filters: Create filters in Microsoft Intune | Microsoft Docs
Step 2: Create and assign “Windows Update Ring” policy.
In the “Devices” overview, choose “Update rings for Windows 10 and later” and click on “Create Profile”.
Give your new policy a name and description.
Name: Default Update ring for Windows devices.
Description: This policy will automatically download / install newest security patches and prepare for feature updates.
Below is a complete screenshot of my “Update Ring” recommendations.
Quality updates will install 25 days after being released (to avoid problems that surface in a patch’s first days).
Feature updates will install 100 days after being released (these are the big updates).
Windows 11 upgrade is disabled (this should be a completely separate roll-out).
After applying the policy, computers will automatically start downloading the updates outside working hours and notify the users that a restart is required within 14 days for feature updates and 7 days for quality updates.
If the users do not restart within the deadline period, the computer will forcefully restart 3 days after the deadline.
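To verify that the ring above actually reached a device, you can read back the values Intune writes through the Windows Update CSP and the System CSP and compare them with the recommended settings. The script below is an added example and not part of the original post or of any Microsoft tooling. It assumes the MDM policy registry paths under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device, the CSP policy names DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriod, ProductVersion and AllowTelemetry, and that “Share usage data: Required” maps to AllowTelemetry = 1; the check on ProductVersion (no value, or a value other than “Windows 11”, because the Windows 11 upgrade is disabled) is an assumption about how Intune expresses that setting.

```powershell
# Added example (not from the original post): compare the Windows Update and telemetry
# policy values Intune delivered to this device with the update ring recommended above.
# Run in an elevated PowerShell on an Intune-enrolled Windows 10/11 device.
# Registry paths and policy names are assumed from the Update CSP and System CSP.

$UpdatePolicyPath    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$TelemetryPolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'

# Expected values taken from the ring settings described in the post.
$ExpectedUpdate = [ordered]@{
    'DeferQualityUpdatesPeriodInDays'    = 25   # quality updates deferred 25 days
    'DeferFeatureUpdatesPeriodInDays'    = 100  # feature updates deferred 100 days
    'ConfigureDeadlineForQualityUpdates' = 7    # restart deadline for quality updates
    'ConfigureDeadlineForFeatureUpdates' = 14   # restart deadline for feature updates
    'ConfigureDeadlineGracePeriod'       = 3    # forced restart 3 days after the deadline
}

function Get-PolicyValue {
    # Returns the policy value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UpdateRing {
    $results = @(foreach ($name in $ExpectedUpdate.Keys) {
        $actual = Get-PolicyValue -Path $UpdatePolicyPath -Name $name
        [pscustomobject]@{
            Setting  = $name
            Expected = $ExpectedUpdate[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match    = ($actual -eq $ExpectedUpdate[$name])
        }
    })

    # Windows 11 upgrade disabled: assumption is that ProductVersion is absent or not "Windows 11".
    $product = Get-PolicyValue -Path $UpdatePolicyPath -Name 'ProductVersion'
    $results += [pscustomobject]@{
        Setting  = 'ProductVersion'
        Expected = 'not "Windows 11"'
        Actual   = if ($null -eq $product) { '<not set>' } else { $product }
        Match    = ($product -ne 'Windows 11')
    }

    # Telemetry: "Share usage data = Required" is assumed to map to AllowTelemetry = 1.
    $telemetry = Get-PolicyValue -Path $TelemetryPolicyPath -Name 'AllowTelemetry'
    $results += [pscustomobject]@{
        Setting  = 'AllowTelemetry'
        Expected = 1
        Actual   = if ($null -eq $telemetry) { '<not set>' } else { $telemetry }
        Match    = ($telemetry -eq 1)
    }

    return $results
}

$report = Test-UpdateRing
$report | Format-Table -AutoSize

# Non-zero exit lets a remediation or monitoring script pick up the drift.
if ($report.Match -contains $false) {
    Write-Warning 'One or more settings differ from the recommended update ring.'
    exit 1
}
exit 0
```

Newly enrolled devices may take a policy sync cycle before the values appear, so an empty “<not set>” row right after assignment usually means the policy has not arrived yet rather than a misconfiguration; re-run after a manual sync from Settings or the Intune portal.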
If you have any questions / feedback or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.
This is very good. Thank you for sharing this information.
If you have to create more than one ring for different scenarios e.g. VIP devices, standard win10 devices and shared win10 devices, what would be the best practice update rings in your opinion?
Can you confirm what “Microsoft product updates” means? Is it updating MS Store apps as well? Is it updating Office 365? Both? Something else? Or is the Allow/Block literally just for blocking ANY updates?