Configure Update rings for Windows using Endpoint Manager (Intune)

Keeping your organization's Windows version up to date is highly recommended because of the constant stream of risks and vulnerabilities being discovered every day. Running the newest version of Windows decreases the likelihood of your devices being exposed to known exploits, and you receive the benefits of having the newest features and fixes applied to your systems.

Before we start configuring the basics, we need to look at the prerequisites. Microsoft has a great article explaining the requirements.
Configure Update rings for Windows 10 and later policy in Intune | Microsoft Docs

Let’s start by configuring & enabling Telemetry on all devices.

Step 1: Enable Telemetry.

Open the Endpoint Manager interface and navigate to “Devices | Configuration Profiles”.
Devices – Microsoft Endpoint Manager admin center

Create a new profile for Windows 10 and later devices and choose the “Device restrictions” template.

Give your policy a name and a brief description and click “next”.

Scroll down the page, expand the “Reporting and Telemetry” section and set “Share usage data” to “Required”.

On the assignment page, I recommend selecting all devices and creating a “Filter” to target only corporate devices.
How to use filters: Create filters in Microsoft Intune | Microsoft Docs

Click next, next, and apply the policy.

Step 2: Create and assign “Windows Update Ring” policy.

In the “Devices” overview, choose “Update rings for Windows 10 and later” and click “Create Profile”.

Give your new policy a name and description.

Name: Default Update ring for windows devices.
Description: This policy will automatically download / install newest security patches and prepare for feature updates.

Below is a summary of my “Update Ring” recommendations, taken from a screenshot of the complete configuration.

Quality updates install 25 days after release (to prevent zero-day issues).
Feature updates install 100 days after release (these are the big updates).
The Windows 11 upgrade is disabled (this should be a completely separate roll-out).

After the policy is applied, computers automatically start downloading updates outside working hours and notify users that a restart is required, with a deadline of 7 days for quality updates and 14 days for feature updates.

If users do not restart within the deadline period, the computer is forced to restart 3 days after the deadline.
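Once the two policies above have synced, it is worth confirming on a device that the values actually landed rather than trusting the portal's status. The following PowerShell script is an added example, not part of the original post; it assumes that Intune-delivered Update CSP and System CSP settings surface under the PolicyManager registry hive at the paths shown, and that the “Required” diagnostic-data level maps to AllowTelemetry = 1.

```powershell
# Added example: compare the deferral, deadline and telemetry values described
# above against what the MDM client has written to the device.
# Assumption: MDM policy values are mirrored under this PolicyManager hive,
# with Update CSP nodes in ...\device\Update and System CSP nodes in ...\device\System.
$base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

$expected = @{
    'Update\DeferQualityUpdatesPeriodInDays'    = 25   # quality updates: 25 days
    'Update\DeferFeatureUpdatesPeriodInDays'    = 100  # feature updates: 100 days
    'Update\ConfigureDeadlineForQualityUpdates' = 7    # restart deadline, quality
    'Update\ConfigureDeadlineForFeatureUpdates' = 14   # restart deadline, feature
    'Update\ConfigureDeadlineGracePeriod'       = 3    # forced restart after deadline
    'System\AllowTelemetry'                     = 1    # "Required" (assumed mapping)
}

function Test-UpdateRingPolicy {
    param([hashtable]$Expected = $expected, [string]$BasePath = $base)
    foreach ($entry in $Expected.GetEnumerator()) {
        # Split "Csp\ValueName" into the registry subkey and the value name.
        $csp, $name = $entry.Key -split '\\', 2
        $keyPath = Join-Path $BasePath $csp
        $actual = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ($actual -eq $entry.Value) { 'OK' }
                  else { 'MISMATCH' }
        [pscustomobject]@{
            Setting  = $entry.Key
            Expected = $entry.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

$report = Test-UpdateRingPolicy
$report | Format-Table -AutoSize

# Non-zero exit lets this run as a compliance/remediation detection script.
if ($report.Status -contains 'MISSING' -or $report.Status -contains 'MISMATCH') {
    Write-Warning 'Device does not match the expected update ring / telemetry policy.'
    exit 1
}
```

A MISSING row usually means the device has not synced the policy yet or is outside the assignment filter; a MISMATCH points at a conflicting ring or group policy that should be tracked down before relying on the deadlines.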

If you have any questions / feedback or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.


1 thought on “Configure Update rings for Windows using Endpoint Manager (Intune)”

  1. This is very good. Thank you for sharing this information.
    If you have to create more than one ring for different scenarios e.g. VIP devices, standard win10 devices and shared win10 devices, what would be the best practice update rings in your opinion?

