Configure Windows Update Rings and Feature Updates in Intune


Before you enroll your first Windows device, get your update policies in place. Devices coming straight from a warehouse could be months behind on patches — update rings make sure they’re kept current from day one.

This post covers building update rings manually, configuring feature update policies, and automating both with PowerShell and Microsoft Graph.


Why Update Rings Matter

With fully managed devices, you don’t want updates installing randomly. You need control over when updates arrive, which updates are applied, and you definitely don’t want users opting into Insider builds on their own.

Windows Autopatch handles a lot of this automatically (covered separately), but there are still cases where you’ll want to build your own rings — more on that below.


Before You Start — Create Your Entra ID Groups

Head to the Entra ID portal and create four static groups before touching Intune:

  • Preview ring — IT staff, early testers
  • Pilot ring — broader IT + select non-IT staff
  • VIP ring — executives and mission-critical devices
  • Broad ring — everyone else (use a dynamic group to reduce admin overhead)

One important note: make sure your preview and pilot groups contain devices, not just users. IT staff often log into other machines for repairs — you don’t want a broad ring device accidentally getting a pre-release build.


Building Update Rings in Intune

Go to Devices → Windows → Windows Updates → Update Rings → Create Profile.

Give each ring a clear name and description — you’ll thank yourself later when you have four similar policies sitting side by side.

Key Settings to Configure

  • Microsoft Product Updates — Enable this. It’s what actually turns on Windows Update.
  • Windows Drivers — Allow or block. If you use vendor apps (Dell Command Update, etc.), block here.
  • Quality Update Deferral — Controls how many days after Patch Tuesday updates install.
  • Feature Update Deferral — Set to 0 for all rings. You’ll control this separately with a feature update policy. Any non-zero value here causes Intune to ignore the feature update policy entirely.
  • Upgrade Windows 10 to Windows 11 — Windows 10 support ended October 2025, so enable this unless you have compatibility blockers.
  • Automatic Update Behavior — Set active hours to match your workers (e.g., 7 AM–7 PM for office staff).
  • Use Deadline Settings — Turn this on. It forces a reboot after the grace period so users can’t endlessly postpone updates and leave devices exposed.
  • Pre-release Builds — Only enable for Preview and Pilot rings.

  Setting            Preview    Pilot              Broad      VIP
  Service Channel    Beta       Release Preview    Retail     Retail
  Quality Deferral   0 days     7 days             10 days    30 days
  Feature Deferral   0          0                  0          0
  Forced Reboot      Yes        Yes                Yes        No

For the VIP ring, disable forced reboots and set a maintenance window instead. Someone should be present to make sure the update goes smoothly.

Assigning the Broad Ring

For the broad ring, include Autopilot Devices and then exclude your Preview, Pilot, and VIP groups. This ensures every device that isn’t in a specific ring gets covered automatically.


Building Feature Update Policies

Since all rings have feature deferral set to 0, you need a separate feature update policy — otherwise all devices will jump to a new Windows release on the next Patch Tuesday.

Go to Devices → Windows → Windows Updates → Feature Updates → + Create → Create Feature Update Policy.

Set your target version (e.g., Windows 11 25H2). This locks all devices to that version until you manually update the policy. When 26H2 releases, devices stay on 25H2 — you’re in control.

Also enable “Keep Windows 10 devices on latest Windows 10 build” for any hardware that isn’t Windows 11 compatible.

Assign the policy to Autopilot Devices to cover your entire estate. For larger environments, use rollout options with staggered start dates.


Automating with PowerShell and Microsoft Graph

If you’re managing multiple rings, doing this manually gets repetitive fast. Here’s how to automate both the update rings and feature updates.

Set Up Variables

```powershell
# Object IDs of the four Entra ID groups created earlier (placeholders; replace with your own)
$pilotgroupid   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$previewgroupid = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$broadgroupid   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # the Autopilot Devices group included in the broad ring
$vipgroupid     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Sign in with the Microsoft Graph PowerShell SDK; update rings live under deviceConfigurations
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$url = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
```

Create the Broad Ring Policy

```powershell
# Broad ring body: feature deferral stays at 0 so the feature update policy controls the version,
# quality updates wait 10 days after Patch Tuesday, and deadline settings force the restart.
$broadjson = @"
{
  "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
  "allowWindows11Upgrade": true,
  "automaticUpdateMode": "autoInstallAtMaintenanceTime",
  "displayName": "Windows Updates - Broad Ring",
  "driversExcluded": false,
  "featureUpdatesDeferralPeriodInDays": 0,
  "qualityUpdatesDeferralPeriodInDays": 10,
  "deadlineForQualityUpdatesInDays": 5,
  "deadlineForFeatureUpdatesInDays": 5,
  "deadlineGracePeriodInDays": 3,
  "microsoftUpdateServiceAllowed": true,
  "installationSchedule": {
    "@odata.type": "#microsoft.graph.windowsUpdateActiveHoursInstall",
    "activeHoursStart": "08:00:00.0000000",
    "activeHoursEnd": "17:00:00.0000000"
  },
  "userPauseAccess": "enabled",
  "userWindowsUpdateScanAccess": "enabled"
}
"@

# POST creates the ring; the response carries the new policy id needed for assignment
$broadpolicy   = Invoke-MgGraphRequest -Uri $url -Method Post -Body $broadjson -ContentType "application/json" -OutputType PSObject
$broadpolicyid = $broadpolicy.id
```

Assign with Include + Exclude Groups

```powershell
$broadassignurl = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$broadpolicyid/assign"

# Include the broad group, exclude the three specific rings so no device lands in two rings
$broadjsonassign = @"
{
  "assignments": [
    { "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "$broadgroupid" }},
    { "target": { "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget", "groupId": "$pilotgroupid" }},
    { "target": { "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget", "groupId": "$previewgroupid" }},
    { "target": { "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget", "groupId": "$vipgroupid" }}
  ]
}
"@

Invoke-MgGraphRequest -Method POST -Uri $broadassignurl -Body $broadjsonassign -ContentType "application/json"
```

Key difference between target types:

  • #microsoft.graph.groupAssignmentTarget = included
  • #microsoft.graph.exclusionGroupAssignmentTarget = excluded
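
If you want all four rings from the table above in one go instead of a hand-written JSON body per ring, the following loop is an added example (not from the original post). It assumes Connect-MgGraph has already run with DeviceManagementConfiguration.ReadWrite.All and that the four group ID variables from "Set Up Variables" are set; the mapping of the table's service channels onto Graph's businessReadyUpdatesOnly values is my assumption and is noted in the comments.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has run
# (DeviceManagementConfiguration.ReadWrite.All) and the four $...groupid
# variables from "Set Up Variables" are set.
$url = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

# Ring table from above. Channel mapping to businessReadyUpdatesOnly is an
# assumption: Beta -> windowsInsiderBuildSlow, Release Preview ->
# windowsInsiderBuildRelease, Retail -> all.
$rings = @(
    @{ Name = "Preview"; Channel = "windowsInsiderBuildSlow";    Deferral = 0;  ForceReboot = $true;  Include = $previewgroupid; Exclude = @() }
    @{ Name = "Pilot";   Channel = "windowsInsiderBuildRelease"; Deferral = 7;  ForceReboot = $true;  Include = $pilotgroupid;   Exclude = @() }
    @{ Name = "Broad";   Channel = "all";                        Deferral = 10; ForceReboot = $true;  Include = $broadgroupid;   Exclude = @($previewgroupid, $pilotgroupid, $vipgroupid) }
    @{ Name = "VIP";     Channel = "all";                        Deferral = 30; ForceReboot = $false; Include = $vipgroupid;     Exclude = @() }
)

foreach ($ring in $rings) {
    $body = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = "Windows Updates - $($ring.Name) Ring"
        businessReadyUpdatesOnly           = $ring.Channel
        qualityUpdatesDeferralPeriodInDays = $ring.Deferral
        featureUpdatesDeferralPeriodInDays = 0        # always 0; the feature update policy pins the version
        microsoftUpdateServiceAllowed      = $true    # turns Windows Update on
        driversExcluded                    = $false
        allowWindows11Upgrade              = $true
        automaticUpdateMode                = "autoInstallAtMaintenanceTime"
        installationSchedule               = @{
            "@odata.type"    = "#microsoft.graph.windowsUpdateActiveHoursInstall"
            activeHoursStart = "07:00:00.0000000"
            activeHoursEnd   = "19:00:00.0000000"
        }
    }
    if ($ring.ForceReboot) {
        # Deadline settings: install, then force the restart once the grace period ends
        $body.deadlineForQualityUpdatesInDays  = 5
        $body.deadlineForFeatureUpdatesInDays  = 5
        $body.deadlineGracePeriodInDays        = 3
        $body.postponeRebootUntilAfterDeadline = $false
    }
    $policy = Invoke-MgGraphRequest -Method POST -Uri $url -Body ($body | ConvertTo-Json -Depth 5) `
                  -ContentType "application/json" -OutputType PSObject

    # One include target plus one exclusion target per excluded group
    $targets = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $ring.Include } })
    foreach ($g in $ring.Exclude) {
        $targets += @{ target = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $g } }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$url/$($policy.id)/assign" `
                  -Body (@{ assignments = $targets } | ConvertTo-Json -Depth 5) -ContentType "application/json"
}
```

The VIP ring is created without deadline properties, which matches the "no forced reboot" row in the table; set its maintenance window in the portal afterwards.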

Automate Feature Updates

Instead of hardcoding a version, pull the available options directly from Graph:

```powershell
# List the feature update versions Intune currently offers, cast to the feature update catalog item type
$allupdatesurl     = "https://graph.microsoft.com/beta/deviceManagement/windowsUpdateCatalogItems/microsoft.graph.windowsFeatureUpdateCatalogItem"
$availablefeatures = (Invoke-MgGraphRequest -Uri $allupdatesurl -Method GET -OutputType PSObject).value
$latest            = $availablefeatures | Out-GridView -PassThru   # pick one row interactively
$selected          = $latest.version
```

This opens a grid view so you can pick your target version interactively. Then create and assign the policy:

```powershell
$createurl  = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"

# Pin devices to the selected version; Windows 11-ineligible hardware stays on the latest Windows 10 build
$createjson = @"
{
  "displayName": "Windows 11 25H2",
  "description": "Fixes machines on Windows 11 25H2",
  "featureUpdateVersion": "$selected",
  "installFeatureUpdatesOptional": false,
  "installLatestWindows10OnWindows11IneligibleDevice": true,
  "rolloutSettings": {
    "offerEndDateTimeInUTC": null,
    "offerIntervalInDays": null,
    "offerStartDateTimeInUTC": null
  }
}
"@

$policy    = Invoke-MgGraphRequest -Method POST -Uri $createurl -Body $createjson -ContentType "application/json" -OutputType PSObject
$policyid  = $policy.id
$assignurl = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$policyid/assign"

# Assign to the group covering the whole estate: the Autopilot Devices group also included in the broad ring
$assignjson = @"
{
  "assignments": [
    { "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "$broadgroupid" }}
  ]
}
"@

Invoke-MgGraphRequest -Method POST -Uri $assignurl -Body $assignjson -ContentType "application/json" -OutputType PSObject
```
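
Once rings and the feature update policy exist, check them with a script rather than trusting the portal, because a single non-zero feature deferral silently disables the feature update policy. The audit below is an added example (not from the original post); it assumes Connect-MgGraph has run with DeviceManagementConfiguration.Read.All, reads only the first page of each collection, and uses $expectedVersion as a placeholder for the version string you picked from the catalog.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has run
# with DeviceManagementConfiguration.Read.All.
$expectedVersion = "Windows 11, version 25H2"   # placeholder; use the catalog 'version' you selected
$base = "https://graph.microsoft.com/beta/deviceManagement"

function Test-UpdateRing {
    # Returns a list of findings for one windowsUpdateForBusinessConfiguration object
    param([Parameter(Mandatory)] $Ring)
    $findings = @()
    # Any non-zero feature deferral makes Intune ignore the feature update policy
    if ($Ring.featureUpdatesDeferralPeriodInDays -ne 0) {
        $findings += "feature deferral is $($Ring.featureUpdatesDeferralPeriodInDays) days; feature update policy will be ignored"
    }
    # Windows Update itself must be switched on
    if (-not $Ring.microsoftUpdateServiceAllowed) { $findings += "Microsoft product updates disabled" }
    # Without a deadline users can postpone forever (acceptable only on the VIP ring)
    if ($null -eq $Ring.deadlineForQualityUpdatesInDays) { $findings += "no quality update deadline configured" }
    # Insider channels belong on Preview/Pilot only
    if ($Ring.businessReadyUpdatesOnly -like "windowsInsider*" -and $Ring.displayName -notmatch "Preview|Pilot") {
        $findings += "insider channel '$($Ring.businessReadyUpdatesOnly)' on a non-preview ring"
    }
    return $findings
}

# First page only; follow @odata.nextLink in large tenants
$configs = (Invoke-MgGraphRequest -Method GET -Uri "$base/deviceConfigurations" -OutputType PSObject).value
$rings   = $configs | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }

foreach ($ring in $rings) {
    $issues = Test-UpdateRing -Ring $ring
    if ($issues.Count -eq 0) { Write-Host "OK   $($ring.displayName)" }
    else { $issues | ForEach-Object { Write-Warning "$($ring.displayName): $_" } }
}

# Every device must be pinned by an assigned feature update profile on the expected version
$profiles = (Invoke-MgGraphRequest -Method GET -Uri "$base/windowsFeatureUpdateProfiles" -OutputType PSObject).value
if ($profiles.Count -eq 0) { Write-Warning "no feature update profile exists; rings with feature deferral 0 will take the next release" }
foreach ($p in $profiles) {
    $assigned = (Invoke-MgGraphRequest -Method GET -Uri "$base/windowsFeatureUpdateProfiles/$($p.id)/assignments" -OutputType PSObject).value
    if ($assigned.Count -eq 0) { Write-Warning "feature update profile '$($p.displayName)' has no assignments" }
    if ($p.featureUpdateVersion -ne $expectedVersion) {
        Write-Warning "'$($p.displayName)' targets '$($p.featureUpdateVersion)', expected '$expectedVersion'"
    }
}
```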

Expediting Critical Quality Updates

Your update rings will handle routine quality updates without issues. But if you need to rapidly push a critical patch to out-of-date devices, use the Quality Updates option in Intune.

Fair warning — this is for emergencies only:

  • Maximum force window is 2 days
  • Users cannot postpone the reboot
  • Use it only when the risk of not patching outweighs the disruption
