Plan and Manage Windows Updates
Update rings, feature update policies, and quality update policies give you granular control over how and when Windows devices receive updates. No more surprise reboots.
Windows update management in Intune
Think of update rings like traffic lights on an on-ramp to the motorway.
Instead of letting all 500 cars (devices) merge at once and causing a pile-up, you let a few through at a time. First the IT team (green light), then finance (green after 7 days), then everyone else (green after 14 days). If the IT team’s cars crash (update causes issues), you turn the light red for everyone else before they merge.
That’s what update rings do — they stagger when devices receive updates, giving you time to spot problems before they hit your entire fleet.
Update rings
What update rings control
| Setting | What It Does | Sam’s Config |
|---|---|---|
| Quality update deferral | Delay quality (security) updates by X days | 7 days for most users |
| Feature update deferral | Delay feature (version) updates by X days | 14 days for most users |
| Quality update pause | Temporarily halt quality updates for up to 35 days | Not paused (only for emergencies) |
| Feature update pause | Temporarily halt feature updates for up to 35 days | Not paused |
| Automatic update behaviour | Auto download, schedule install, or notify user | Auto install at scheduled time |
| Active hours | Hours when the device shouldn’t restart | 8 AM – 6 PM |
| Restart grace period | Days before forced restart after update install | 2 days |
| Deadline for quality updates | Maximum days before forced install | 5 days |
| Deadline for feature updates | Maximum days before forced install | 14 days |
Sam’s ring strategy at Tui Solutions
| Ring | Target | Deferral (Quality) | Deferral (Feature) | Purpose |
|---|---|---|---|---|
| Ring 0 — IT Preview | IT team (15 devices) | 0 days | 0 days | First to receive updates — spot issues early |
| Ring 1 — Early Adopters | Volunteers (50 devices) | 3 days | 7 days | Broader testing with motivated users |
| Ring 2 — Broad Deployment | All remaining (435 devices) | 7 days | 14 days | Production rollout after validation |
Feature update policies
Feature update policies target a specific Windows version, unlike update rings, which defer updates by a set number of days.
| Setting | What It Does |
|---|---|
| Target version | The Windows version devices should run (e.g., Windows 11, version 24H2) |
| Rollout options | Make available immediately or set start date |
| Deadline | Days after availability before forced install |
When to use feature updates vs update rings
| Feature | Update Rings | Feature Update Policies |
|---|---|---|
| Controls | Timing of ALL updates (quality + feature) | Specific Windows VERSION to target |
| Best for | Ongoing update management | Upgrading to a specific Windows 11 version |
| Can block a version | No — only defer | Yes — pin to a version, blocking newer ones |
| Works with | Quality updates, feature updates, drivers | Feature updates only |
| Example | Defer feature updates 14 days for all users | Upgrade all devices to Windows 11 24H2 by March 1st |
Quality update policies (expedited updates)
When a critical security patch drops and you can’t wait for normal deferral windows:
- Intune admin center → Devices → Manage updates → Quality updates
- Select the update to expedite
- Assign to device groups
- Devices install the update within 24-48 hours, bypassing deferral settings
Chen Wei uses expedited updates for zero-day patches at Meridian Bank — banking regulators require critical patches within 48 hours.
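The timing behind that decision, worked through as an added example (not part of the original lesson): it takes Sam's ring values from the tables above and checks them against a 48-hour patch requirement like the one Chen Wei faces. It assumes a simplified worst case (deferral, then the full deadline, then the full restart grace period), the same 5-day deadline and 2-day grace period in every ring, and a constructed release date.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Ring:
    name: str
    devices: int
    quality_deferral: int  # days the update is withheld after release
    deadline: int = 5      # days after the offer before forced install
    grace: int = 2         # days after install before forced restart

    def offered_on(self, released: date) -> date:
        return released + timedelta(days=self.quality_deferral)

    def patched_by(self, released: date) -> date:
        # Simplified worst case (assumption): the user waits out the whole
        # deadline, then the whole restart grace period.
        return self.offered_on(released) + timedelta(days=self.deadline + self.grace)


# Ring values from the tables above; deadline and grace period are assumed
# to be identical in every ring.
RINGS = [
    Ring("Ring 0 - IT Preview", 15, 0),
    Ring("Ring 1 - Early Adopters", 50, 3),
    Ring("Ring 2 - Broad Deployment", 435, 7),
]


def rings_missing_sla(rings, released: date, sla_days: int):
    """Return (ring, worst-case patch date) for rings that can exceed the SLA."""
    cutoff = released + timedelta(days=sla_days)
    return [(r, r.patched_by(released)) for r in rings if r.patched_by(released) > cutoff]


def devices_exposed_on(rings, released: date, day: date) -> int:
    """Devices that may still be unpatched (worst case) at the start of `day`."""
    return sum(r.devices for r in rings if r.patched_by(released) > day)


if __name__ == "__main__":
    release = date(2025, 1, 14)  # constructed release date
    for ring, worst in rings_missing_sla(RINGS, release, sla_days=2):
        print(f"{ring.name}: offered {ring.offered_on(release)}, worst case {worst}")
    print(devices_exposed_on(RINGS, release, release + timedelta(days=10)))
```

Even the ring with a 0-day deferral can miss a 48-hour window once the deadline and grace period are counted, which is why the urgent case is handled by expediting the update rather than by shortening deferrals.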
Exam tip: update rings vs feature updates vs quality updates
The exam expects you to know all three:
- Update rings = ongoing management of update TIMING (deferral days, restart behaviour, active hours)
- Feature update policies = target a specific Windows VERSION (upgrade to 24H2)
- Quality update policies = EXPEDITE critical patches (bypass deferral for urgent fixes)
Scenario mapping:
- “Stagger updates across departments” → Update rings
- “Upgrade all devices to Windows 11 24H2” → Feature update policy
- “Install this zero-day patch on all devices within 48 hours” → Quality update policy (expedited)
iOS/iPadOS and macOS update policies
iOS/iPadOS updates
Intune can manage iOS/iPadOS updates for supervised devices:
| Setting | What It Does |
|---|---|
| Software update policy | Schedule when updates install (e.g., outside business hours) |
| Defer updates | Delay visibility of updates for up to 90 days |
| Force update | Require a specific iOS version by a deadline |
macOS updates
| Setting | What It Does |
|---|---|
| Software update policy | Configure when macOS checks for and installs updates |
| Defer updates | Delay software updates for up to 90 days |
| Force update by deadline | Require a specific macOS version |
Deep dive: iOS update management requires supervised devices
Full iOS update management (deferral, forcing specific versions) requires supervised devices (enrolled via ADE). Unsupervised devices:
- Can receive update notifications
- Cannot be forced to defer or install specific versions
- Users control when they update
Riko at Pixel & Co can only fully manage updates on corporate iPads (supervised via ADE). Designers’ personal iPhones (unsupervised) update on their own schedule.
Windows Autopatch
Windows Autopatch is a managed service that automates Windows quality and feature updates, Microsoft 365 Apps updates, Microsoft Edge updates, and Teams updates. Instead of manually creating update rings and monitoring rollouts, Autopatch handles the entire process.
How Autopatch works
- Enroll your tenant in Windows Autopatch (Intune admin center → Tenant administration → Windows Autopatch)
- Devices are automatically sorted into deployment rings (Test, First, Fast, Broad) based on analytics data
- Quality updates roll out automatically: Test ring first, then progressively to Broad over ~21 days
- Feature updates are deployed with the same staged approach
- Autopatch monitors for issues — if devices in early rings show problems (crashes, rollbacks), later rings are paused automatically
Autopatch vs manual update rings
| Feature | Manual Update Rings | Windows Autopatch |
|---|---|---|
| Ring creation | Admin creates and targets manually | Automatic — devices sorted by Autopatch |
| Monitoring | Admin reviews reports manually | Automated — Autopatch detects issues and pauses |
| Issue response | Admin must pause rings manually | Autopatch auto-pauses later rings if early rings fail |
| Scope | Windows quality and feature updates only | Windows + M365 Apps + Edge + Teams updates |
| Effort | Medium — ongoing manual management | Low — set up once, Autopatch handles the rest |
| Flexibility | Full control over every setting | Less granular — trades control for automation |
When to use which
- Use Autopatch when you want hands-off update management with automated monitoring and rollback. Best for organisations without a dedicated patching team.
- Use manual update rings when you need precise control over timing, specific deferral days, or custom ring definitions that don’t match Autopatch’s model.
- You can use both — Autopatch for most devices, manual rings for exceptions (kiosks, specialised hardware).
Exam tip: Autopatch licensing and requirements
Windows Autopatch requires:
- Windows 10/11 Enterprise E3 or E5 (or equivalent licensing)
- Microsoft Entra ID P1 (for dynamic groups)
- Microsoft Intune (devices must be Intune-managed)
The exam may test: “What’s the benefit of Autopatch over manual update rings?” Key answer: automated ring progression with automatic pause on failure detection. Autopatch reduces admin effort while maintaining staged deployment safety.
Plan and Manage Windows Updates — MD-102 Module 26
Knowledge Check
Sam wants the IT team to receive Windows updates immediately while the rest of Tui Solutions gets updates 7 days later. What should Sam configure?
A critical zero-day vulnerability is announced on Tuesday. Chen Wei needs all 10,000 Meridian Bank devices patched within 48 hours — but the current update ring has a 7-day deferral. What should Chen Wei do?