Configuring Windows Update for Business with Deployment Rings
This guide provides a comprehensive procedure for configuring Windows Update for Business (WUfB) to take over the Windows Update process from traditional on-premises solutions like WSUS or Configuration Manager (MECM). By leveraging WUfB with a phased deployment ring strategy, administrators can ensure updates are rolled out in a controlled, predictable, and efficient manner, improving security posture and minimizing user disruption.
- Adopt Deployment Rings: Implement a phased rollout using First (1%), Fast (9%), and Broad (90%) rings to test updates and mitigate risk.
- Point to the Cloud: The critical first step is re-configuring devices to scan directly against the Microsoft Update service, overriding any existing MECM or GPO settings that point them to an on-premises WSUS server.
- Empower Users: Ensure the "Check for updates" button is enabled. While deadlines enforce compliance, allowing users to proactively scan for updates improves flexibility and user satisfaction.
- Automate with Autopatch: For eligible A3+ environments, Windows Autopatch can fully automate the creation, management, and monitoring of these deployment rings, significantly reducing administrative overhead.
Background and Scope
Windows Update for Business is a cloud-based service that allows IT administrators to manage the distribution of Windows updates directly to their devices. This modern approach eliminates the need for on-premises update infrastructure.
- For MECM-only environments, updates are managed via a Software Update Point (SUP) and deployed using Software Update Groups and Automatic Deployment Rules (ADRs). This guide is designed to help you transition away from that model.
- For co-managed and GPO-managed environments, the goal is to shift the source of updates from an internal WSUS/SUP to the cloud (Microsoft Update) and use cloud-native policies (Intune or GPO) to control the rollout.
This document details the standard Texas A&M University configuration for WUfB using a three-ring deployment model, covering Intune policies, GPO equivalents, and the specific steps to make the transition.
Guiding Principles: Shifting from Restriction to Secure Enablement
The traditional IT mindset, born from the complexities of on-premises management, was often to limit or disable new Windows features to maintain stability. The question was frequently, "How do we turn this off?" This approach, while well-intentioned, can lead to a degraded user experience and prevent the organization from realizing the full value of its investment in the Windows ecosystem.
Modern management with WUfB represents a paradigm shift. The goal is no longer to restrict features but to enable them in a rapid and secure manner.
- Empowerment Over Limitation: Instead of preventing users from accessing new capabilities, the modern approach uses deployment rings to introduce them in a controlled, phased way. This allows the organization to adopt new productivity and security features confidently.
- Velocity as a Security Strategy: Staying current is one of the most effective security postures. The longer an organization waits to deploy updates or feature releases, the wider the security gap grows. WUfB is designed to deploy updates quickly and safely, leveraging Microsoft's vast telemetry data to automatically pause rollouts to devices with known compatibility issues—a feature on-premises tools lack.
- Maximize Your Investment: By embracing new features and capabilities, we ensure our customers get the full benefit of their Microsoft 365 A5 licenses. This guide provides the framework to manage this enablement securely, turning IT from a gatekeeper into a strategic enabler of modern work.
Prerequisites
| Requirement | Min Version | Notes |
|---|---|---|
| Identity | Microsoft Entra ID | Devices must be Entra ID joined or Hybrid Joined. |
| Licensing | Windows 11 Enterprise A3+ | Required for most WUfB features. A3+ is required for Windows Autopatch. |
| Management | Microsoft Intune, MECM, or Group Policy | This guide covers all three management scenarios. |
| Network | - | Devices must be able to reach Microsoft Update endpoints. Required Endpoints List |
| ADMX Templates | Windows 11 25H2 or later | Required for GPO Management. To see the modern WUfB policies, your domain controllers must have up-to-date ADMX templates, preferably in a Central Store. Download latest templates. |
Step 1 – Point Devices to the Cloud for Updates
Before you can manage devices with WUfB rings, you must ensure they are no longer getting their update policies or scan source from MECM/WSUS. This is the most critical step.
A. For Co-Managed Devices (MECM + Intune)
The easiest way to transition is by flipping the "Windows Update policies" workload in your co-management settings.
- In the MECM Console, navigate to Administration > Cloud Services > Co-management.
- Open the Properties of your production co-management policy.
- Go to the Workloads tab.
- Find the Windows Update policies workload and slide it from Configuration Manager to Pilot Intune (for a test collection) or Intune (for all devices in the collection).
- When you move this workload, MECM instructs the client to stop using the SUP for updates and to start listening to Intune policies (CSPs) for update management. This action automatically sets the necessary registry keys on the client to point it to Microsoft Update.
B. For Group Policy (GPO) Managed Environments
For devices managed primarily by Group Policy, the transition involves two phases: first, removing the old, legacy policies that conflict with WUfB, and second, configuring the new policies that point the device to the cloud.
Phase 1: Disable Conflicting and Legacy GPO Settings
These settings must be explicitly disabled to prevent them from overriding modern WUfB policies.
- Open the Group Policy Management Console (GPMC) and edit the GPO that manages your Windows Update settings.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Find and configure the following policies:
  - Configure Automatic Updates: Set to Disabled. Rationale: This is a legacy policy that enforces a rigid, fixed installation schedule (e.g., "every Thursday at 6 PM"). It is replaced by the modern WUfB model of flexible deadlines and grace periods, which provides a much better and more compliant user experience. Leaving it enabled can cause unpredictable update behavior.
  - Specify intranet Microsoft update service location: Set to Disabled. Rationale: This is the single most important policy to change. It is what forces devices to look at your internal WSUS/SUP server. Disabling it clears the registry values (WUServer, WUStatusServer) and tells the client to scan directly against the public Microsoft Update service.
Phase 2: Enable Communication with Cloud Services
- Continuing in the same GPO, ensure the following are set correctly:
  - Do not connect to any Windows Update Internet locations: Set to Disabled. Rationale: The name is inverted. Disabling this policy allows the device to connect to Microsoft Update, which is required for WUfB to function.
  - Do not allow update deferral policies to cause scans against Windows Update: Set to Disabled. Rationale: Another confusingly named policy. Disabling it allows WUfB deferral and deadline policies to work as intended and trigger scans against the cloud service.
C. Verification: Confirming the Change
After applying the changes, you must verify that client devices have stopped pointing to the on-premises server.
- On a client device, open the Registry Editor (regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
- Check for old settings: The values WUServer and WUStatusServer should no longer exist. If they are still present, GPO or MECM client settings are still applying them.
- Check for new settings: You may see new values like TargetReleaseVersionInfo (from a Feature Update policy) or deferral settings, confirming WUfB policies are in effect.
- You can also run the PowerShell command Get-WindowsUpdateLog and inspect the output to see which update server URL the client is scanning against. It should be a public Microsoft URL, not your internal server.
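The verification steps above, scripted as an added example that is not part of the original guide: it reads the policy key on the local client and reports PASS/FAIL for each legacy value that should be gone and for the WUfB values that should now be present. The registry value names are assumed from what the Windows Update ADMX templates write for the Phase 1 and Phase 2 policies (UseWUServer under the AU subkey, DoNotConnectToWindowsUpdateInternetLocations, DisableDualScan); confirm them against your own templates.

```powershell
# Added example (not from the original guide): confirm a client no longer scans against WSUS/SUP.
# Run in an elevated PowerShell session on the client. Value names are assumed from the
# Windows Update ADMX templates; verify against your Central Store if a check looks wrong.
param([switch]$IncludeLog)   # -IncludeLog also merges the ETW trace and greps the scan source

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not set"
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# Phase 1: "Specify intranet Microsoft update service location" must leave nothing behind.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $v = Get-PolicyValue -Key $PolicyKey -Name $name
    Add-Finding -Check "$name absent" -Pass ($null -eq $v) `
        -Detail $(if ($v) { "still set to $v (GPO/MECM still applying it)" } else { 'not present' })
}
$useWu = Get-PolicyValue -Key $AuKey -Name 'UseWUServer'   # 1 = client told to use the intranet server
Add-Finding -Check 'UseWUServer not 1' -Pass ($useWu -ne 1) -Detail "value: $useWu"

# Phase 2: the two inverted policies must be Disabled (value 0 or absent).
foreach ($name in 'DoNotConnectToWindowsUpdateInternetLocations', 'DisableDualScan') {
    $v = Get-PolicyValue -Key $PolicyKey -Name $name
    Add-Finding -Check "$name not 1" -Pass ($v -ne 1) -Detail "value: $v"
}

# WUfB policies (deferrals, deadlines, target version) should now be present; any one is enough.
$wufbNames = 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
             'TargetReleaseVersionInfo', 'ConfigureDeadlineForQualityUpdates'
$present = @($wufbNames | Where-Object { $null -ne (Get-PolicyValue -Key $PolicyKey -Name $_) })
Add-Finding -Check 'WUfB policy values present' -Pass ($present.Count -gt 0) `
    -Detail $(if ($present.Count) { $present -join ', ' } else { 'none found' })

$findings | Format-Table -AutoSize

if ($IncludeLog) {
    # Get-WindowsUpdateLog merges the ETW trace into a readable log; the agent writes lines such
    # as "WSUS server: <NULL>" when no intranet server is configured (wording can vary by build).
    $log = Join-Path $env:TEMP 'WindowsUpdate.log'
    Get-WindowsUpdateLog -LogPath $log | Out-Null
    Select-String -Path $log -Pattern 'WSUS (status )?server:' |
        Select-Object -Last 4 | ForEach-Object { $_.Line }
}
```

Any FAIL in the table means a GPO or MECM client setting is still winning, which is the "Legacy GPO vs. Intune WUfB" conflict described later in this guide.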
Step 2 – Establish the Deployment Rings
Once devices are correctly pointing to the cloud, you can create the phased deployment rings using either Intune or GPO.
Configuring Rings with Microsoft Intune
Intune Ring 1: Production First (1% of devices)
This ring targets IT administrators, pilot users, and a small, representative sample of devices. Its purpose is to receive updates immediately for rapid testing and validation.
Intune Policy: Create an Update ring for Windows 10 and later profile with the following settings:
| Setting | Value | Rationale |
|---|---|---|
| Microsoft product updates | Allow | Ensures other Microsoft products (like Office) are updated alongside the OS. |
| Windows drivers | Allow | Allows WUfB to manage driver updates. (We will refine this with a specific driver policy later). |
| Quality update deferral | 0 days | Deploys monthly security and quality updates immediately to this group for testing. |
| Feature update deferral | 0 days | Deploys new Windows feature versions as soon as they are released to the General Availability channel. |
| Feature update uninstall period | 10 days | Gives users a limited 10-day window to roll back a feature update if critical issues arise. |
| Option to check for Windows updates | Enable | Empowers users to manually scan for updates. This allows them to proactively get optional fixes without waiting for a deadline, improving satisfaction and reducing support tickets. |
| Deadline for feature updates | 5 days | Sets an aggressive deadline to ensure pilot devices install the feature update quickly. |
| Deadline for quality updates | 1 day | Enforces rapid installation of security patches on these test devices. |
| Grace period | 1 day | Gives the user one extra day before forcing a reboot after the deadline is met. |
| Auto reboot before deadline | No | Prevents forced reboots before the deadline is reached, giving users more control. |
Intune Ring 2: Production Fast (9% of devices)
This ring targets a larger group of early adopters and technically savvy users across various departments. Its purpose is to validate updates on a wider range of hardware and software before broad deployment.
Intune Policy: Create a second Update ring profile with these settings:
| Setting | Value | Rationale |
|---|---|---|
| Quality update deferral | 3 days | Provides a short 3-day buffer to catch any major issues discovered by the "First" ring before this group is impacted. |
| Feature update deferral | 3 days | A similar short deferral for feature updates. |
| Option to check for Windows updates | Enable | Provides a consistent and empowering user experience across all rings. |
| Deadline for feature updates | 7 days | A slightly longer deadline (1 week) to give users flexibility. |
| Deadline for quality updates | 7 days | A 1-week deadline for monthly patches. |
| Grace period | 3 days | A 3-day grace period provides a good balance between compliance and user experience. |
| Auto reboot before deadline | Yes | For this ring, we begin enforcing reboots automatically if the device is outside of active hours to improve compliance speed. |
Intune Ring 3: Production Broad (90% of devices)
This ring targets the vast majority of production devices in the organization. Updates are only deployed to this ring after they have been successfully validated in the First and Fast rings.
Intune Policy: Create a final Update ring profile for the bulk of your users:
| Setting | Value | Rationale |
|---|---|---|
| Quality update deferral | 6 days | Provides nearly a full week of validation time before the general population receives monthly security updates. |
| Feature update deferral | 20 days | Allows almost three weeks to identify and address any compatibility or performance issues with a new Windows version. |
| Option to check for Windows updates | Enable | Provides a consistent and empowering user experience across all rings. |
| Deadline for feature updates | 30 days | Gives users a full month to install the feature update, minimizing disruption to their work. |
| Deadline for quality updates | 20 days | A generous deadline for monthly patches ensures compliance without frustrating users. |
| Grace period | 7 days | A week-long grace period allows users ample time to schedule reboots themselves. |
| Auto reboot before deadline | No | We disable automatic reboots before the deadline for the general population to provide the best user experience. |
Configuring Rings with Group Policy
To configure the modern Windows Update for Business policies described below, you must be using up-to-date Administrative Templates (ADMX files). If you are running older versions of Windows Server, the GPO editor will not show these settings.
Best Practice: Create a Central Store for your ADMX files in your domain's SYSVOL folder (\\<domain.com>\SYSVOL\<domain.com>\Policies\PolicyDefinitions). Then, download the latest ADMX templates corresponding to the newest version of Windows you are managing (e.g., Windows 11 25H2) and copy the .admx and en-US .adml files to your Central Store. This makes the new policies available to all administrators.
To mimic the "First, Fast, and Broad" rings using GPOs, you will need to create three separate GPOs and link each one to an Organizational Unit (OU) or security group containing the devices for that ring.
GPO Ring 1: Production First (1% of devices)
GPO Paths and Settings:
| Policy Path | Policy Name | Setting & Value |
|---|---|---|
| ... > Windows Update > Windows Update for Business | Select when Quality Updates are received | Enabled, Deferral period: 0 days |
| ... > Windows Update > Windows Update for Business | Select when Preview Builds and Feature Updates are received | Enabled, Channel: General Availability, Deferral: 0 days |
| ... > Windows Update > Manage end user experience | Specify deadlines for automatic updates and restarts | Enabled, Quality Updates: 1 day, Feature Updates: 5 days, Grace Period: 1 day |
GPO Ring 2: Production Fast (9% of devices)
GPO Paths and Settings:
| Policy Path | Policy Name | Setting & Value |
|---|---|---|
| ... > Windows Update > Windows Update for Business | Select when Quality Updates are received | Enabled, Deferral period: 3 days |
| ... > Windows Update > Windows Update for Business | Select when Preview Builds and Feature Updates are received | Enabled, Channel: General Availability, Deferral: 3 days |
| ... > Windows Update > Manage end user experience | Specify deadlines for automatic updates and restarts | Enabled, Quality Updates: 7 days, Feature Updates: 7 days, Grace Period: 3 days |
GPO Ring 3: Production Broad (90% of devices)
GPO Paths and Settings:
| Policy Path | Policy Name | Setting & Value |
|---|---|---|
| ... > Windows Update > Windows Update for Business | Select when Quality Updates are received | Enabled, Deferral period: 6 days |
| ... > Windows Update > Windows Update for Business | Select when Preview Builds and Feature Updates are received | Enabled, Channel: General Availability, Deferral: 20 days |
| ... > Windows Update > Manage end user experience | Specify deadlines for automatic updates and restarts | Enabled, Quality Updates: 20 days, Feature Updates: 30 days, Grace Period: 7 days |
GPO Setting for User Experience (Apply to all Ring GPOs)
This policy is critical to ensure a consistent, positive user experience across all rings.
| Policy Path | Policy Name | Setting & Value |
|---|---|---|
| ... > Windows Update > Manage end user experience | Remove access to use all Windows Update features | Disabled |
Rationale: Disabling this policy ensures the "Check for updates" button is visible and functional in the Settings app. While deadlines enforce compliance, this empowers users to proactively seek out optional updates (e.g., C-week previews) that might resolve a specific issue they are experiencing, giving them more control and reducing helpdesk calls.
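The three ring GPOs above, built with the GroupPolicy module as an added example (not the guide's own tooling): the deferral, deadline and grace-period numbers come straight from the GPO ring tables, and the auto-restart flag mirrors the "Auto reboot before deadline" rows of the Intune tables. The registry value names are assumed from what the Windows Update ADMX templates write for the named policies (BranchReadinessLevel 16 for the General Availability channel, SetDisableUXWUAccess for the user-experience policy); confirm them with Get-GPRegistryValue after setting one policy by hand in GPMC.

```powershell
# Added example (not from the original guide): create the First/Fast/Broad ring GPOs.
# Requires the GroupPolicy module (RSAT or a domain controller) and rights to create GPOs.
# Value names are assumed from the Windows Update ADMX templates; verify before relying on them.
Import-Module GroupPolicy

$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Numbers from the ring tables in this guide. NoAutoReboot maps to the
# "Don't auto-restart until end of grace period" option (Intune: Auto reboot before deadline = No).
$Rings = @(
    @{ Name='WU Ring 1 - Production First'; QualityDefer=0; FeatureDefer=0;  QualityDeadline=1;  FeatureDeadline=5;  Grace=1; NoAutoReboot=1 }
    @{ Name='WU Ring 2 - Production Fast';  QualityDefer=3; FeatureDefer=3;  QualityDeadline=7;  FeatureDeadline=7;  Grace=3; NoAutoReboot=0 }
    @{ Name='WU Ring 3 - Production Broad'; QualityDefer=6; FeatureDefer=20; QualityDeadline=20; FeatureDeadline=30; Grace=7; NoAutoReboot=1 }
)

function Set-WuValue {
    # Write one DWORD policy value into the GPO's Computer Configuration registry.pol.
    param($Gpo, [string]$Name, [int]$Value)
    Set-GPRegistryValue -Guid $Gpo.Id -Key $Key -Type DWord -ValueName $Name -Value $Value | Out-Null
}

function New-RingGpo {
    param([hashtable]$Ring)
    $gpo = Get-GPO -Name $Ring.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Ring.Name -Comment 'WUfB deployment ring' }

    # Select when Quality Updates are received: Enabled, deferral in days
    Set-WuValue $gpo 'DeferQualityUpdates'              1
    Set-WuValue $gpo 'DeferQualityUpdatesPeriodInDays'  $Ring.QualityDefer

    # Select when Preview Builds and Feature Updates are received: General Availability channel
    Set-WuValue $gpo 'DeferFeatureUpdates'              1
    Set-WuValue $gpo 'DeferFeatureUpdatesPeriodInDays'  $Ring.FeatureDefer
    Set-WuValue $gpo 'BranchReadinessLevel'             16

    # Specify deadlines for automatic updates and restarts
    Set-WuValue $gpo 'SetComplianceDeadline'               1
    Set-WuValue $gpo 'ConfigureDeadlineForQualityUpdates'  $Ring.QualityDeadline
    Set-WuValue $gpo 'ConfigureDeadlineForFeatureUpdates'  $Ring.FeatureDeadline
    Set-WuValue $gpo 'ConfigureDeadlineGracePeriod'        $Ring.Grace
    Set-WuValue $gpo 'ConfigureDeadlineNoAutoReboot'       $Ring.NoAutoReboot

    # Remove access to use all Windows Update features: Disabled (keeps "Check for updates" visible)
    Set-WuValue $gpo 'SetDisableUXWUAccess'             0

    $gpo
}

foreach ($ring in $Rings) {
    $gpo = New-RingGpo -Ring $ring
    "`n== $($gpo.DisplayName) =="
    # Echo what was written so it can be compared against the GPMC view of the same GPO.
    Get-GPRegistryValue -Guid $gpo.Id -Key $Key | Select-Object ValueName, Value | Format-Table -AutoSize
}
# Link each GPO to its ring OU afterwards, e.g.:
#   New-GPLink -Name 'WU Ring 1 - Production First' -Target 'OU=Ring1,DC=example,DC=com'   # placeholder OU
```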
Step 3 – Create Specific Update Control Policies
While update rings manage the general cadence, separate policies provide explicit control over which updates are offered and how they are installed.
Policy A: Set the Target Feature Update Version
This is the most direct way to manage your organization's Windows version. This policy explicitly tells devices which version of Windows they should be running.
Intune Instructions:
- In the Intune admin center, navigate to Devices > Windows > Feature updates for Windows 10 and later.
- Create a new profile named _TAMUCS Production Windows 11 25H2 - Required.
- Under Deployment settings, select Windows 11, version 25H2.
- Set the Rollout options to Make update available as soon as possible.
- Assign this policy to all three deployment ring groups.
GPO Equivalent:
- Path: ... > Windows Update > Windows Update for Business
- Policy: Select the target Feature Update version
- Settings: Enabled, Product Name: Windows 11, Target Version: 25H2.
Policy B: Manage Quality Updates and Hotpatching
For enhanced security and reduced downtime, you can enable expedited installation of quality updates and hotpatching for supported devices.
Intune Instructions:
- In the Intune admin center, go to Devices > Windows > Quality updates for Windows 10 and later.
- Create a new profile named _TAMUCS - Quality Update Baseline.
- Set Apply the latest cumulative quality updates for security to Allow.
- Set When available, apply without restarting the device ("hotpatch") to Allow.
- Assign this profile to all deployment rings.
(Intune is the primary method for managing hotpatching. GPO control is limited.)
Policy C: Manage Driver Updates
WUfB can also automate the deployment of recommended drivers, keeping hardware secure and functional.
Intune Instructions:
- In the Intune admin center, go to Devices > Windows > Driver updates for Windows 10 and later.
- Create a new profile named _TAMU Driver Update Baseline.
- Set the Approval method to Automatically approve all recommended driver updates.
- Set Make updates available after to 5 days.
- Assign this policy to your device groups.
GPO Equivalent:
- Path: ... > Windows Update > Manage updates offered from Windows Update
- Policy: Do not include drivers with Windows Updates
- Setting: Set to Disabled to allow driver updates from WUfB. More granular control (like automatic approval after X days) is an Intune feature.
Step 4 – The Fully Automated Approach: Windows Autopatch
For organizations with Microsoft 365 A3+ licensing, Windows Autopatch is a service that automates all of the above. It is the recommended and most efficient way to manage updates. For a complete walkthrough of this service, refer to our detailed guide on Deploying and Managing Windows Autopatch.
How it Works:
- Automated Ring Management: Autopatch automatically registers your devices and assigns them to a set of four pre-configured deployment rings (Test, First, Fast, Broad).
- Managed Service: Microsoft's service engineers monitor the rollout of updates. If they detect issues, they can automatically pause or roll back the deployment.
- Complete Lifecycle Management: Autopatch handles quality updates, feature updates, driver updates, and even Microsoft 365 Apps updates.
To enable Autopatch:
- Navigate to the Tenant administration blade in the Intune admin center and select Tenant enrollment under Windows Autopatch.
- Run the readiness assessment tool and enroll your tenant.
Understanding Policy Precedence and Avoiding Conflicts
In a modern, hybrid environment, it is common for devices to be targeted by policies from GPOs, MECM, and Intune simultaneously. Understanding which policy "wins" is critical to successful configuration and troubleshooting.
Pick one management tool for your Windows Update policies. Do not configure the same update settings in GPO, MECM, and Intune at the same time. This will lead to unpredictable behavior, conflicting registry keys, and a poor user experience. The recommended modern approach is to manage all update policies exclusively from Microsoft Intune.
The Hierarchy of Policy Enforcement
When multiple policy sources target a device, they are applied in a specific order. The last policy applied is typically the one that takes effect.
- On-Premises Group Policy (GPO): Highest Precedence by Default. GPO settings "tattoo" the registry. If a GPO sets the WSUS server location, it will almost always override settings from MECM or Intune unless specific countermeasures are taken. This is why the first step in any transition is to disable conflicting GPOs.
- Microsoft Intune (CSP): The Modern Winner. When configured correctly, Intune policies take precedence.
  - In a co-managed scenario, moving the Windows Update policies workload to Intune explicitly tells the MECM client to stop applying its update settings.
  - Intune also has a special policy (ControlPolicyConflict/MDMWinsOverGP) that can be configured to force Intune settings to win over conflicting GPO settings. This should be used as a deliberate "tie-breaker" during a transition.
- MECM Client Settings: Lowest Precedence in a Hybrid World. When a device is co-managed, MECM is designed to gracefully cede control of any workload that is moved to Intune. If the workload is not moved, MECM policies will apply as long as they don't conflict with a GPO.
Common Conflict Scenarios and Their Outcomes
| Scenario | Conflicting Policies | Result & Explanation |
|---|---|---|
| Legacy GPO vs. Intune WUfB | A GPO sets Specify intranet Microsoft update service location. Intune sets a WUfB deferral policy. | GPO wins. WUfB fails. The device will continue to scan the on-premises WSUS server specified by the GPO. The Intune deferral policies will be ignored because the device never contacts the public Microsoft Update service. |
| GPO vs. MECM (Traditional Client) | A GPO sets the intranet update service location. MECM client settings also assign a Software Update Point (SUP). | GPO wins. MECM fails. The device will scan against the WSUS server defined in the GPO. This can cause major issues, as the MECM client may not be able to scan for or report compliance on updates if the GPO points to a different server than its assigned SUP. This is a common misconfiguration that breaks MECM software update functionality. |
| Co-Management: Workload on MECM | MECM Client Settings deploy updates via a Software Update Group. An Intune Update Ring is also assigned to the device. | MECM wins. Because the "Windows Update policies" workload is still owned by MECM, the device will ignore the Intune policies. You will see "Not Applicable" for the Intune policy status. |
| Co-Management: Workload on Intune | MECM Client Settings are still present. The "Windows Update policies" workload has been moved to Intune, and an Intune Update Ring is assigned. | Intune wins. Moving the workload instructs the device to ignore MECM's update policies and listen only to Intune for its configuration. This is the desired state for modern management. |
| GPO vs. Intune with MDMWinsOverGP | A GPO sets Active Hours to 8 AM-5 PM. An Intune policy sets Active Hours to 9 AM-6 PM, and the "MDM Wins Over GP" policy is also applied. | Intune wins. The conflict resolution policy explicitly tells the device's configuration service provider (CSP) to prioritize the setting from the MDM (Intune) source. |
Reference & FAQs
Glossary
- WUfB – Windows Update for Business. The Microsoft cloud service for managing Windows updates.
- Deployment Ring – A group of devices that receives updates on the same schedule.
- Deferral – A setting that postpones the offering of an update for a specified number of days after it is released by Microsoft.
- Deadline – A setting that enforces the installation of an update a certain number of days after it has been offered to a device.
- Hotpatching – A technology that allows certain security updates to be applied without requiring a device reboot.
- Autopatch – A Microsoft managed service that automates the process of keeping Windows and Microsoft 365 Apps up-to-date.
- SUP – Software Update Point. The MECM site system role that syncs with WSUS to provide updates to clients.
- Workload (Co-management) – A specific management area (like Updates, Compliance, etc.) that can be managed by either MECM or Intune.
Related Resources
- Deploying and Managing Windows Autopatch
- Official Documentation: Windows Update for Business
- Official Documentation: Windows Autopatch
- Official Documentation: Co-management for Windows Updates
- Official Documentation: WUfB and GPO Settings
This guide was collaboratively developed by a human subject matter expert and an AI assistant to ensure it is both comprehensive and easy to understand.