Windows Update

Article
03/03/2025

Microsoft Intune and Intune for Education can configure many Windows Update configuration settings. This article summarizes the configurations that are most commonly used for student and teacher devices.

Use Microsoft Intune or Intune for Education to manage the install of Windows 10/11 software updates from Windows Update for Business. You can configure update settings on devices and configure deferral of update installation. You can also prevent devices from installing features from new Windows versions to help keep them stable, while allowing those devices to continue installing updates for quality and security.

Update rings for Windows 10 and later

Update ring policies are a collection of settings that configure when devices that run Windows 10 and Windows 11 updates get installed.

To learn more, see:

Settings
Create policy using Graph Explorer

Update settings	Value	Notes	CSP
Microsoft product updates	Allow	Don't set to Block. In order to revert the configuration, PowerShell commands have to be run on each device.	AllowMUUpdateService
Windows drivers	Allow		ExcludeWUDriversInQualityUpdate
Quality update deferral period (days)	7		DeferQualityUpdatesPeriodInDays
Feature update deferral period (days)	30	Select 0 if using a Feature update policy otherwise select 30 days.	DeferFeatureUpdatesPeriodInDays
Upgrade Windows 10 devices to Latest Windows 11 release	No		ProductVersion
Set feature update uninstall period (2 - 60 days)	14		ConfigureFeatureUpdateUninstallPeriod
Enable pre-release builds	Not configured		ManagePreviewBuilds

User experience settings	Value	Notes	CSP
Automatic update behavior	Reset to default	Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. Note: If Windows Update policy is configured via the settings catalog, the value should be Auto install and restart.	AllowAutoUpdate
Restart checks (EDU Restart)	Allow	Must not be disabled in existing Windows Update Rings. This setting is no longer available when creating a new Windows Update Ring policy.	SetEDURestart
Option to pause Windows updates	Disable		SetDisablePauseUXAccess
Option to check for Windows updates	Disable		SetDisableUXWUAccess
Change notification update level	Turn off all notifications, excluding restart warnings		UpdateNotificationLevel
Use deadline settings	Allow	Only enables the setting configuration.
Deadline for feature updates	7		ConfigureDeadlineForFeatureUpdates
Deadline for quality updates	3		ConfigureDeadlineForQualityUpdates
Grace period	2		ConfigureDeadlineGracePeriod ConfigureDeadlineGracePeriodForFeatureUpdates
Auto reboot before deadline	Yes		ConfigureDeadlineNoAutoReboot

Use Graph to create the settings catalog policy in your tenant without assignments or scope tags.

This will create a policy in your tenant with the name _MSLearn_Example_CommonEDU - Windows - Update ring.

POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json

{"@odata.type":"#microsoft.graph.windowsUpdateForBusinessConfiguration","id":"","displayName":"_MSLearn_Example_CommonEDU - Windows - Update ring","description":"https://aka.ms/ManageEduDevices","roleScopeTagIds":["0"],"microsoftUpdateServiceAllowed":true,"driversExcluded":false,"qualityUpdatesDeferralPeriodInDays":7,"featureUpdatesDeferralPeriodInDays":30,"allowWindows11Upgrade":false,"qualityUpdatesPaused":false,"featureUpdatesPaused":false,"businessReadyUpdatesOnly":"userDefined","skipChecksBeforeRestart":false,"automaticUpdateMode":"windowsDefault","installationSchedule":null,"userPauseAccess":"disabled","userWindowsUpdateScanAccess":"disabled","updateNotificationLevel":"restartWarningsOnly","updateWeeks":null,"featureUpdatesRollbackWindowInDays":14,"deadlineForFeatureUpdatesInDays":7,"deadlineForQualityUpdatesInDays":3,"deadlineGracePeriodInDays":2,"postponeRebootUntilAfterDeadline":false,"engagedRestartDeadlineInDays":null,"engagedRestartSnoozeScheduleInDays":null,"engagedRestartTransitionScheduleInDays":null,"engagedRestartSnoozeScheduleForFeatureUpdatesInDays":null,"engagedRestartTransitionScheduleForFeatureUpdatesInDays":null,"autoRestartNotificationDismissal":"notConfigured","scheduleRestartWarningInHours":null,"scheduleImminentRestartWarningInMinutes":null}

Click Try it to open Graph Explorer.
Once Graph Explorer is open, select the user icon in the top right to sign-in and sign in with your Intune administrator organizational account.
Click Run query to create the policy in your tenant.

Tip

If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires DeviceManagementConfiguration.ReadWrite.All permissions. You can grant the required permissions by selecting modify permissions and then selecting Consent.
The policy is created in your tenant and can be edited to meet your requirements before assigning to groups.

Settings catalog

Settings described in this section aren't available in an Update ring policy and should be configured using a settings catalog type configuration profile.

To learn more, see Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices.

Tip

When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.

Settings
Create policy using Graph Explorer

Category	Name	Value	Notes	CSP
Windows Update For Business	No update notifications during active hours	Enabled		NoUpdateNotificationsDuringActiveHours

Use Graph to create the settings catalog policy in your tenant without assignments or scope tags.

This will create a policy in your tenant with the name _MSLearn_Example_CommonEDU - Windows - Updates.

POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Content-Type: application/json

{"name":"_MSLearn_Example_CommonEDU - Windows - Updates","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_update_noupdatenotificationsduringactivehours","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_update_noupdatenotificationsduringactivehours_1","children":[]}}}]}

Click Try it to open Graph Explorer.
Once Graph Explorer is open, select the user icon in the top right to sign-in and sign in with your Intune administrator organizational account.
Click Run query to create the policy in your tenant.

Tip

If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires DeviceManagementConfiguration.ReadWrite.All permissions. You can grant the required permissions by selecting modify permissions and then selecting Consent.
The policy is created in your tenant and can be edited to meet your requirements before assigning to groups.

Windows Update Feature Control

Windows feature updates contain new Windows features to improve the user experience. Windows feature versions are supported differently depending on the edition. It's important to ensure that the Windows version installed remains supported so that it can receive the latest security updates and support required applications such as testing apps.

Use the support lifecycle websites for each Windows operating system version and edition:

There are two ways to control how and when Windows feature updates are installed on Windows.

Feature update control type	Configuration	Advantages	Disadvantages
Automatically keep up to date (recommended)	Use only Update ring policies and set a feature update deferral to 30 or more days	Devices are always kept up to date and receive access to the latest Windows features	Users may not have had training on new features, and some apps may not be compatible with the new feature version
Control feature version	Use feature update policies to keep devices at a particular version of Windows	Devices are kept at a particular Windows version until the policy is changed	The policy must be reviewed and changed periodically to ensure Windows remains supported

Automatically keep Windows up to date

Using the update ring you configured earlier, set the Feature update deferral period (days) to 30 days. The deferral period can be increased or decreased based on the school needs.

Control feature version

A Feature update policy can be configured to set devices to a particular version of Windows. Devices running older versions of Windows will update to the specified version. Devices with newer versions of Windows won't perform any feature updates.

To set a feature update policy:

Sign in to the Microsoft Intune admin center.
Select Devices > By platform > Windows > Manage updates > Windows 10 and later updates > Feature updates tab > Create profile.
Under Deployment settings:
- Specify a name, a description (optional), and for Feature update to deploy, select the version of Windows with the feature set you want, and then select Next.
- Configure Rollout options to As soon as possible.
Under Assignments, choose + Select groups to include and then assign the feature updates deployment to one or more device groups. Select Next to continue.
Under Review + create, review the settings. When ready to save the Feature updates policy, select Create.

Warning

If you don't review the feature update version at least every 18 months, your Windows devices may no longer receive security updates. Ensure you review and update the feature version to stay supported.

Share via