Monitor Windows Update rings and feature update deployments
Managing Windows updates across your organization requires controlling two distinct aspects: which Windows version your devices should run and how those updates install. These aren't decisions you make in isolation. Instead, Update rings and feature update policies work together to give you precise control over your deployment strategy.
Update rings handle the mechanics of installation—timing, restart behavior, user notifications, and deferral periods. Feature update policies control which Windows versions are available to which devices. By combining these two policy types, you create a deployment system that's both strategic and manageable.
Windows update policy types
Microsoft Intune includes multiple policy types for Windows update management. Each policy type targets a different part of the update lifecycle:
- Windows Update client policy: Configures underlying Windows Update policy CSP settings. Intune surfaces these settings through update rings and Settings catalog.
- Update ring policy: Controls the installation experience (deferrals, deadlines, restarts, and user experience) for updates that are available to a device.
- Feature update policy: Controls which Windows version (for example, a specific Windows 11 release) is offered to devices.
- Quality update policy: Targets monthly quality updates and supports expedite (override deferrals to push critical updates quickly) and hotpatch for eligible devices (apply qualifying security updates without an immediate restart). Hotpatch updates are monthly B release security updates that take effect without requiring a restart and require Windows Autopatch to create and deploy the hotpatches.
- Driver update policy: Reviews, approves, and deploys hardware driver updates from Windows Update, using manual or automatic approval workflows.
How update rings control the installation experience
Update rings define the client-side behavior for Windows updates. They decide how and when any update that's available gets installed on a device.
When you create an update ring, you're configuring two categories of settings. The Update settings control what gets downloaded. For example, whether devices receive quality updates, feature updates, Microsoft product updates, and Windows drivers. The User experience settings control how updates appear to end users, including automatic update behavior (notification only, auto-install at maintenance, auto-install at a scheduled time), active hours (when restarts won't occur), deadline enforcement, and pause permissions.
For example, you might create a "Production" update ring that sets a 30-day feature update deferral, configures the device to auto-restart outside active hours at 2 AM, and allows users to pause updates for 7 days. This ensures devices in your production environment receive updates later than your pilot groups while giving users some flexibility.
Update rings are broadly applied to device groups, and they're structured to support deployment stages. You might create separate rings for test devices, pilot devices, and production devices. Each with different deferral periods and restart behaviors. This staging approach helps you catch issues early before they affect your broader user base.
How feature update policies control version availability
Feature update policies take a different approach. They specify which Windows version is offered to a device. While update rings say "when and how to update," feature policies say "update to this specific Windows version."
A feature update policy targets a single Windows version and defines whether that update is required or optional for assigned devices. If you create a policy targeting Windows 11 22H2 as required, devices receiving that policy will be offered the update and expected to install it automatically within your configured deferral and deadline settings. If you mark it as optional, devices see the update in Windows Update settings but must choose to install it themselves.
Multiple feature policies can apply to the same device. When this happens, Windows Update evaluates all applicable policies and offers only the latest applicable version. This behavior is deliberate: it prevents confusion by ensuring devices aren't offered conflicting updates.
Feature policies also don't downgrade devices. If a device is already running a newer Windows version than what a policy targets, the policy doesn't apply. This prevents administrators from accidentally reverting devices to older versions.
Using both policy types together
The relationship between update rings and feature policies is complementary. Think of feature policies as "what to deploy" and update rings as "how to deploy it."
A typical strategy looks like this: You create a feature update policy targeting Windows 11 22H2 and assign it to all devices. This gives every device the information that 22H2 is available. Then, you create different update rings with varying deferral periods and assign them to different device groups. The first ring applies to test devices and has zero deferral, so they get the update immediately. The second ring applies to pilot devices and defers for 10 days, allowing you to validate the update in controlled conditions. The third ring applies to production devices and defers for 30 days, giving you time to resolve any issues discovered in earlier rings.
The update ring settings govern whether the installation happens quietly in the background or prompts the user, whether it respects active hours, and whether it enforces a deadline. The feature policy ensures the right version is available to each group at the right time. Together, they create a controlled, phased rollout.
Create update rings
Follow these steps to create update rings:
- In the Microsoft Intune admin center, select Devices > By platform > Windows > Manage updates > Windows updates
- Select the Update rings tab > Create profile.
- Enter a name and a description, then select Next.
- On Update ring settings, configure the options that match your organization´s update rollout strategy.
- On Scope tags (optional), select + Select scope tags, choose one or more tags, and select Next. Then, on Assignments, assign the update ring accordingly.
- Finish the configuration on the Review + create page and select Create.
Configure feature update policies
Follow these steps to create a feature update policy:
- In the Microsoft Intune admin center, select Devices > By platform > Windows > Manage updates > Windows Updates
- Select the Feature updates tab > Create profile.
- In the Deployment settings:
- Enter a Name and Description.
- In Feature update to deploy, select the Windows release you want to deploy.
- Choose how the update is offered:
- Make available to users as a required update: the device will automatically install the update based on device settings.
- Make available to users as an optional update: becomes available as optional for the user to install, while rollout settings still control when it’s offered. This option requires Windows Autopatch licensing
Monitoring compliance and deployment progress
Once you've deployed both update rings and feature policies, you need visibility into what's happening on your devices.
Update ring reports show device check-in status with a high-level view of devices reporting success, in-progress, error, or conflict states. You can drill into individual devices to see which specific settings are succeeding or failing. If you see errors, the Per setting status report helps you identify which setting is causing the issue.
Feature update policy reports provide more granular detail about the update lifecycle. They show device states like Pending (waiting to be offered), Offering (update available), Downloading, Installing, Restart Required, and Installed. Each state helps you understand where devices are in the update process. If a device gets stuck in a particular state, you can investigate whether it's a policy configuration issue, a device-side problem, or a network connectivity issue.
You can view each report by selecting the respective policy or update ring.