Skip to main content

A Flexible Approach to Microsoft Update Deployments

· loading ·
Intune Windows 10 and later Updates Groups Security
Nick Benton
Principal Modern Device Management Consultant and Intune Blogger
Table of Contents


So this isn’t the first time we’ve looked at improving the management of updates using Microsoft Intune, and probably won’t be the last time either, especially with declarative device management looming, for Apple and hopefully Windows devices, covering configuration of software updates.

But with the introduction of the Windows Autopatch service, and getting hands on with it recently, it prompted me to revisit my previous approach to phased update delivery, so I thought I’d share my findings, this time across not just Windows Updates.

Deployment Approach

Previously, we configured a set of four Update Rings, but now we’ll include an early adopters ring as a pre-production release, kind of a fail safe prior to your production deployment of updates; that final catch before you target the entire device estate:

  • Test - This should be devices that are dedicated for testing, ~1% of your device estate.
  • Pilot - This should be a stratified sample of either users or devices, ~5% of your device estate.
  • Pre-Production - The early adopters deployment, ~15% of your device estate.
  • Initial Production - The first production deployment, ~30% of your device estate.
  • Final Production - The final production deployment, the remaining ~50% of the device estate.

The aim is tht the above groupings are reusable and can be used across not just Windows Updates, but Office Updates, and Driver updates too. Let’s look at the membership of these groups.

Deployment Groups

Despite Microsoft recommending to stop using the match operators in favour of startsWith there are times when you might have to ignore them, this could be one of those times when we look at how we split a device estate into the phased breakdowns we’re looking to achieve.

After testing this in the real world, with reset Autopilot Hybrid join devices, you end up with a little bit of conflict on group membership due to there being two computer objects in Entra.

To avoid this, I’ve added in (device.deviceManagementAppId -ne null) to the group rules, only capturing those devices that are actually enrolled in Microsoft Intune.

Inefficient Dynamic Groups

For the members of Test and Pilot groups, these should be targeted members, not just any old device, so ensure you populate these groups with true test devices, and suitable pilot devices for update testing.

You’ll notice that this time we’re using Dynamic Groups across all the pre-production and production groups, and using a new attribute of deviceId, which is a wonderful UUID associated with all Entra computer objects, and it being a UUID gives us a nice split of devices based on the queries used.

Group Type Membership
Test Assigned TBC
Pilot Assigned TBC
Pre-Production Dynamic Device (device.deviceManagementAppId -ne null) and (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceId -match "^[0-1,a]")
Initial Production Dynamic Device (device.deviceManagementAppId -ne null) and (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceId -match "^[2-4,b-c]")
Final Production Dynamic Device (device.deviceManagementAppId -ne null) and (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceId -match "^[5-9,d-f]")

With the start of the deviceId only ever being in the range of 0-9 or a-f we’ve an easy way to split our devices across the three production level groups, and ensure that we are capturing all devices, using the match operator, and the regular expression similar to ^[0-9,a-f] to detect whether the deviceId starts with one of the values in the ranges provided.

You may want to tweak the rules used here, to alter the size of each of the production groups, by changing the range of the ^[0-9,a-f] query.

Efficient Dynamic Groups

If you want to please Microsoft Daddy, then you could use these alternative queries for the groups, Test and Pilot are still assigned, so don’t forget to populate those members.

Group Type Membership
Test Assigned TBC
Pilot Assigned TBC
Pre-Production Dynamic Device (device.deviceManagementAppId -ne null) and (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and ((device.deviceId -startsWith "0") or (device.deviceId -startsWith "1") or (device.deviceId -startsWith "a"))
Initial Production Dynamic Device (device.deviceManagementAppId -ne null) and (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and ((device.deviceId -startsWith "2") or (device.deviceId -startsWith "3") or (device.deviceId -startsWith "4") or (device.deviceId -startsWith "b") or (device.deviceId -startsWith "c"))
Final Production Dynamic Device (device.deviceManagementAppId -ne null) and (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and ((device.deviceId -startsWith "5") or (device.deviceId -startsWith "6") or (device.deviceId -startsWith "7") or (device.deviceId -startsWith "8") or (device.deviceId -startsWith "9") or (device.deviceId -startsWith "d") or (device.deviceId -startsWith "e") or (device.deviceId -startsWith "f"))

Much more efficient.

VIP Groups

What about those people who complain about when they’re getting updates, I mean you could tell them to jog on that you can’t change the behaviour, or you could cater for the more VIP user, and allow for their device to sit in a different update group.

So more assigned groups are required for each potential exception or change to production level deployment options.

Group Type Membership
VIP Pre-Production Assigned TBC
VIP Initial Production Assigned TBC
VIP Final Production Assigned TBC

See, we can please the senior members of the company with IT solutions.

Windows Update Rings

Now with suitable groups at our disposal, we can create our Windows Update Rings in Microsoft Intune for each of the five phases, and after reviewing and experiencing Windows Update Rings personally instead of just recommending them, I’ve decided to set zero-day installation deadlines, in favour of longer grace periods, still working within the National Cyber Security Centre 14-day window.

Update Ring Deferral Deadline Grace Period Updates Installed
Test 0 days 0 days 1 day After 1 day, Wednesday
Pilot 2 days 0 days 1 day After 3 days, Friday
Pre-Production 5 days 0 days 2 days After 7 days, Tuesday
Initial Production 8 days 0 days 2 days After 10 days, Friday
Final Production 11 days 0 days 3 days After 14 days, Tuesday

You see something else new? Yes, I’ve avoided device restarts on weekends following a chat with fellow lover of Microsoft Intune, Jonathan Fallis, meaning that for a weekday based ‘working week’, updates get installed and devices restarted when the device is actually on, not over a weekend when realistically the device is still in the office and powered off, or being used to watch Netflix in bed.

This also allows for our VIP users to pick which day they actually want their device to restart, based on whatever day they’re not playing golf 🏌️‍♀️.

Office Update Rings

Oooooh this one is new, and straight up robbed from Windows Autopatch, and although doesn’t exist as a dedicated blade in Microsoft Intune, we can use the glorious Settings Catalog profiles to configure Office Update Channels, deferral, and deadline settings for Microsoft 365 App updates.

To start, we need to configure some baseline settings. So go create yourself a new Settings Catalog profile, and throw the below settings into it, the settings exist under Microsoft Office 2016 (Machine) > Updates.

Setting Detail
Location for updates: (Device)
Enable Automatic Updates Enabled
Hide option to enable or disable updates Enabled
Hide Update Notifications Disabled
Update Channel Enabled
Channel Name (Device) Monthly Enterprise Channel
Update Path Enabled

With the update channel configured to Monthly Enterprise, and a bit of a change to the user experience, let’s see what else we can borrow.

Make sure you assign this to all your devices in scope of updates, using either an existing group, or the built in ‘All Devices’ group and a suitable Device Filter.

Phased Office Updates

With a similar approach to the Windows Update Rings, we can create corresponding Settings Catalog profiles for our five deployment phases, aligning as best we can the end result, which is installed updates, to the restart of the updates delivered as part of the Windows Update ring configuration.

All settings exist under Microsoft Office 2016 (Machine) > Updates.

Update Ring Delay downloading and installing updates for Office Days: (Device) Update Deadline Deadline: (Device) Updates Installed
Test Enabled 0 Enabled 1 After 1 day, Wednesday
Pilot Enabled 2 Enabled 1 After 3 days, Friday
Pre-Production Enabled 5 Enabled 2 After 7 days, Tuesday
Initial Production Enabled 8 Enabled 2 After 10 days, Friday
Final Production Enabled 11 Enabled 3 After 14 days, Tuesday

As Office Updates are released with the same update cadence as our normal updates on a ‘Patch Tuesday’, then the installation time falls on the same days, meaning that all updates should be installed and the device restarted on the same day, reducing overall disruption to the users.

Update Ring Assignment

After creating the Windows Update Rings, and our faux Office Update Rings using the above settings, we cover how we assign our phased deployment groups to each suitable Update Ring.

Feel free to alter the deferral, deadline, and grace periods where applicable to your device estate, but please if you want the experience to be as expected, use the below assignment targets.
Update Ring Included Groups Excluded Groups
Test Test -
Pilot Pilot Test
Pre-Production Pre-Production Test, Pilot
Initial Production Initial Production Test, Pilot
Final Production Final Production Test, Pilot

I’m assuming here that you aren’t putting VIP user devices in Test and Pilot, because you don’t want to anger them, maybe do it on your last day 😅.

This is an improvement on our previous version of Update Ring assignment, as we’re not relying on excludes and dynamic groups to update to ensure there are no conflicts.

VIP Ring Assignment

To get the expected behaviour for our VIP groups, we need to consider what happens when we want to ensure a VIP device is in the correct Update Ring, which includes making sure there are no conflicts across the rings.

Changing the assignments of our Update Rings to the below, will allow for the manual assignment based on a devices VIP group membership.

Update Ring Included Groups Excluded Groups
Test Test -
Pilot Pilot Test
Pre-Production Pre-Production, VIP Pre-Production Test, Pilot, VIP Initial Production, VIP Final Production
Initial Production Initial-Production, VIP Initial-Production Test, Pilot, VIP Pre-Production, VIP Final Production
Final Production Final Production, VIP Final Production Test, Pilot, VIP Pre-Production, VIP Initial Production

For example if device name VIP-7wa7f4c35, with deviceId ec759183-4492-44f4-a2ec-dbc33470bf48 (which will captured by the ‘Final Production’ dynamic group), is added to group VIP Initial Production, it will exclude the device from the ‘Final Production’ Update Ring, and assign the Update Ring for ‘Initial Production’, with the device restarting after updates on a Friday.

Adding in not only new include assignments, but exclude assignments, will ensure that devices in these groups are assigned to the correct Update Ring.


All of this should give you the option to not only suitably phase Windows, Microsoft, and Office Updates, with each subsequent Update Ring starting only after the next, but also allow the shift of devices around without conflict, whether this is for VIP users or otherwise.

It also provides your end users with clear details of the days of when their device will not only get updated, but also restart, without too much of a headache, or interruption to their casual personal use of their corporate owned device.


Intelligent Phased Windows Update for Business Deployments
· loading
Intune Windows 10 and later Updates Groups Security
You might have been asked the question, especially from organisations that currently utilise Microsoft Configuration Manager, about how you mimic existing Device Collections used for Software Update deployments in Microsoft Intune..
Keeping Windows Store Apps Updated with Microsoft Intune
· loading
Intune Windows 10 and later Updates Remediation Apps PowerShell Windows Autopilot Security
Now we all love the new Windows Store, especially for deploying applications from Microsoft Intune, but we should find a way to keep these UWP applications up to date without additional license cost.
Updating Defender Antivirus Compliance Settings
· loading
Intune Windows 10 and later Microsoft Defender Security Compliance Updates Antivirus Graph API PowerShell
We’re going to have a look at updating a Microsoft Defender compliance policy with the latest platform update version, automatically.