Configuring Windows 10 Update Rings in Intune/MEM

In this article i will explain how to configure Windows 10 Update Rings in Intune/Microsoft Endpoint Manager.

With the latest Patch Tuesday update causing serious BSOD issues when trying to print to certain printers, you’re probably wondering how you can set an update schedule for Azure AD Joined Devices, to avoid rouge updates like KB5000802 being deployed to your clients.

If this has happened to you, check out my other post on how to remove Windows Updates via Powershell Script

Head over to Microsoft Endpoint Manager, Devices >Windows 10 Update Rings and  +Create Profile

Fill in the basic description of your update ring. It is good practice to have a ‘Testing’ ring, and a ‘Production’ ring, with the former being deployed to around 10% of your organisation first, if any issues arise form windows updates, you can nip that in the bud before deploying to your full organisation.

In this example I’ll create my general or ‘Production’ ring.

Under ‘Update Ring Settings‘ this is where you will configure your update schedule.

The update settings you choose should be based on your requirements however the settings i have chosen are below

Update Settings

Servicing Channel = Semi-Annual Channel (SAC)

The SAC includes updates that have been released for general availability by Microsoft, this means they have been tested before general release (though this doesn’t mean they wont be issues, as found with the BSOD printing issue)

Other options include Windows Insider Fast & Windows Insider Slow, which are going to be rebranded as Dev & Beta respectively.   These are generally used for testing purposes by the IT team, to analyse new features and updates before pushing them out ‘Into the wild’.

Microsoft Product Updates = Allow

Windows Drivers = Allow

Quality update deferral period (days) = 4 

Feature update deferral period (days) =  30

Set Feature update uninstall period = 10 – This allows you to roll back feature updates e.g from 20H2 back to 2004 by keeping the windows.old folder, after this time the folder will be deleted and you wont be able to revert back (as easily)

User Experience Settings

Here is where you can configure how the user interacts with your update schedule, i have set the following options but again, you should choose what suits your needs.

They should be pretty self explanatory, however the ‘Restart Checks’ setting, will ensure the device has enough battery and is not in presentation mode before restarting.

Apply the update ring to your required device group.

Liam Robinson

#EdTech Network Manager, experienced in Microsoft 365, Server 2019, Intune, SCCM and anything inbetween.