Most of the Windows patching pain I see at SMB sites isn’t a Windows problem. It’s a governance problem.
Devices are enrolled. Updates are technically arriving. But there’s no ring. No pilot. No deadline. Patch Tuesday lands, somebody’s accounting machine reboots in the middle of a BAS run, the partner blames “Windows”, and the whole patching conversation gets put off for another quarter.
That’s not a tooling gap. That’s a configuration gap.
And here’s the kicker — Microsoft renamed the whole thing in April 2025. Windows Update for Business is now Windows Update Client Policies, and the deployment service is folded into Windows Autopatch, which is now included with Microsoft 365 Business Premium. If you’re still hand-rolling rings on a Business Premium tenant and ignoring Autopatch, you’re doing more work than you need to.
What update rings really are
An update ring is a Windows Update client policy. It tells the Windows Update client on the device when to look, how long to wait, when to install, and when to reboot. Nothing more.
It’s not a patch repository. It’s not a scanner. It’s a set of timing instructions the device honours when it talks to Microsoft’s update endpoints.
Once you accept that, the rest gets simpler. You’re not pushing patches. You’re staging trust.
Step-by-Step: build a three-ring rollout in Intune
Portal only. No PowerShell.
Open the unified updates dashboard
Sign in to intune.microsoft.com, then go to Devices > By platform > Windows > Manage updates > Windows updates and click the Update rings tab. This is the new unified surface — Microsoft’s docs on managing update rings live here.
Create the Pilot ring
Click Create profile. Name it WUR – Pilot. Quality update deferral: 0 days. Feature update deferral: 0 days. Automatic update behaviour: Auto install at maintenance time. Deadline for quality: 2. Deadline for feature: 2. Grace period: 2.
Assign to a device group of 3-5 representative machines. Not user groups. Devices.
Create the Broad ring
Same shape. Name it WUR – Broad. Quality deferral: 3. Feature deferral: 7. Same deadline/grace as Pilot. Assign to the bulk of your fleet.
Create the Critical ring
WUR – Critical. Quality deferral: 7. Feature deferral: 30. Assign to the boss’s machine, the EFTPOS PC, the design workstation — whatever you can’t afford to surprise.
Three rings. That’s it. Don’t build five.
The deferral / deadline / grace mental model
People get this wrong constantly. Here’s the model in one block.
Deferral → how many days AFTER Microsoft releases the update
before the device is even offered it.
Deadline → how many days AFTER the device sees the update
before it's force-installed.
Grace → how many days AFTER install before reboot is forced.Notice what’s missing? Patch Tuesday as a reference point. The deadline counts from when that device scanned and saw the update — not the calendar. Microsoft moved to this model deliberately to make restart timing predictable across a fleet.
Set them. Don’t leave any of the three blank. Blank means forever on a sleepy laptop.
Why this actually changes behaviour
The mistake isn’t choosing the wrong deferral. The mistake is leaving the pause button in users’ hands.
In the ring settings, set Option to pause Windows updates to Disable. Otherwise a user can park their patches for 35 days, and you’ll find out at the next quarterly review.
Set automatic update behaviour to Auto install at maintenance time with active hours configured. The device patches itself. The user keeps their day. The MSP stops being the villain.
“Why do my updates keep nagging me?”
They don’t, anymore. You set active hours. The reboot finds its time, not yours.
Copilot doesn’t get tired. Neither does Windows Update. Use that.
A word on Autopatch
If the tenant is Business Premium, you now get the full Windows Autopatch service — rings auto-built, rollback on signal, 95% currency SLO. On those tenants, don’t assign hand-built rings to Autopatch-managed devices. They’ll fight each other.
My recommendation? Business Premium tenants → Autopatch. Everything else → three rings, the shape above, locked down so users can’t pause.
Update rings aren’t there to slow patching down. They’re there to remove the conversation about patching completely.
If your clients are still asking when their machines will reboot, you haven’t finished the job.
CIAOPS 