Microsoft Intune is a cloud-driven service that allows businesses to onboard, provision, and manage devices, no matter where they are located on the Internet. It covers most tasks that admins have to deal with during a PC's lifecycle management. Patch management is one of these tasks; Microsoft Intune is capable of managing updates.
Latest posts by Brandon Lee (see all)

Administrators are accustomed to managing Windows updates using the Windows Server Update Services (WSUS) server on-premises. However, WSUS has many shortcomings, one of which is connectivity for remote clients, which may now be located anywhere globally with the distributed workforce.

Managing updates with Microsoft Intune provides a cloud-based patch management solution that provides administrators with many configuration settings to meet their individual business needs. Using Microsoft Windows Update for Business, administrators don't need to approve updates individually, as they do with the WSUS server, albeit with arguably less granularity and control provided with the WSUS server.

Intune enables configuration of update settings on devices. On Windows 10 specifically, you configure these settings using Windows 10 update rings in Microsoft Intune. These settings control the updates that are downloaded and when.

Intune supports the following Windows 10 servicing channels:

  • Semi-Annual Channel
  • Semi-Annual Channel (targeted) for 1809 and below
  • Windows Insider – Fast
  • Windows Insider – Slow
  • Windows Insider – Release Preview

Once the policy settings are applied to the Intune-enrolled devices, they do not reach out to a WSUS server somewhere; rather, they contact Windows Update directly. This architecture frees remote clients from the network constraints of the legacy WSUS architecture required for managing Windows Updates.

Configuring a Windows 10 update ring

Navigate to Microsoft Endpoint Manager admin center > Devices. Choose Update rings for Windows 10 and later. Then choose Create profile.

Create a new update ring for Windows 10 in Endpoint Manager devices

Create a new update ring for Windows 10 in Endpoint Manager devices

It launches the Create Update ring for Windows 10 and later wizard. On the Basics screen, choose a name for the new update ring profile.

Choose a name for the update ring profile

Choose a name for the update ring profile

Next, the update ring settings screen is where all the "heavy lifting" happens from an update perspective and where you want to give the most attention to the settings configured for your organization. Here, you configure the following settings:

  • Servicing channel
  • Microsoft product updates
  • Windows drivers
  • Quality update deferral period (days)
  • Feature update deferral period (days)
  • Set feature update uninstall period (2–60 days)
  • Automatic update behavior
    • Active hours start
    • Active hours end
  • Restart checks
  • Option to pause Windows updates
  • Option to check for Windows updates
  • Require user approval to dismiss restart notification
  • Remind user prior to required auto-restart with dismissible reminder (hours)
  • Remind user prior to required auto-restart with permanent reminder (minutes)
    • Change notification update level
  • Use deadline settings
    • Deadline for feature updates
    • Deadline for quality updates
    • Grace period
    • Auto reboot before deadline

Microsoft is continually adding new features and capabilities to the update screen to define the settings that affect the Windows update behavior as configured using Intune.

Configure the update ring settings

Configure the update ring settings

Now you need to assign the profile. Here, you select the groups, users, or devices to which you want to apply the policy. Most organizations will undoubtedly have multiple Windows 10 update ring profiles configured that closely align with what they have today with the WSUS server or another update solution.

Configure the assignments for the Windows update ring policy

Configure the assignments for the Windows update ring policy

Finally, review and create the new update policy.

Review and create the new Windows update ring policy using Microsoft Intune

Review and create the new Windows update ring policy using Microsoft Intune

If all settings are correct, click Create to finish the wizard and create the new update profile.


Patch management with Intune fits into Microsoft's modern client management concept, where cloud-based solutions replace traditional tools like WSUS. The advantage of this approach becomes apparent when users are not just working in the office but on the road or at home. Admins can then ensure that security-critical updates are installed quickly.

Subscribe to 4sysops newsletter!

Update management with Intune essentially configures profiles that determine when a PC receives which update directly from Windows Update.


Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account