This chapter covers Windows Update for Business (WUfB) and update rings, a critical topic for managing Windows updates in Microsoft 365 environments. For the MS-102 exam, approximately 10-15% of questions in Domain 2.4 (Endpoint Management) relate to update policies, deferrals, and deployment rings. You will need to understand how to configure update rings via Microsoft Intune, the difference between quality and feature updates, and how WUfB interacts with Windows Server Update Services (WSUS) and Configuration Manager. Mastery of this topic ensures you can design a safe, phased update deployment that minimizes disruption while maintaining security compliance.
Jump to a section
Imagine a car rental company with 10,000 vehicles. Each car needs periodic maintenance (oil changes, tire rotations, software updates). Instead of bringing every car to the shop on the same day—which would overwhelm the service center—the company uses a staggered schedule. Each car is assigned to a 'maintenance ring' based on its model year and usage. Ring 1 (test fleet) gets updates first: only 100 cars, monitored closely. If no issues arise after 7 days, Ring 2 (early adopters) gets the update: 1,000 cars. After 14 more days, Ring 3 (broad deployment) updates 5,000 cars. Finally, Ring 4 (critical systems) updates the remaining 3,900 cars after 30 days. The company can also set a 'deadline'—if a car hasn't gotten the update by a certain date, it is forced into the shop. This mirrors Windows Update for Business: update rings define deferral periods and deadlines, and devices are grouped into rings to control rollout pace. Just like the rental company avoids service gridlock, IT avoids network congestion and ensures stability by gradually deploying updates.
What is Windows Update for Business?
Windows Update for Business (WUfB) is a cloud-based update management service that allows IT administrators to control the rollout of Windows updates to devices running Windows 10 or Windows 11. It eliminates the need for on-premises update infrastructure like WSUS by leveraging the Windows Update service directly. WUfB is configured via Group Policy or Microsoft Intune, and it is a key component of Microsoft's Modern Device Management strategy.
Why WUfB Exists
Before WUfB, organizations had two primary options: allow all updates to install immediately (risking instability) or use WSUS to manually approve and deploy updates (complex and resource-intensive). WUfB provides a middle ground—cloud-managed, policy-driven update control with built-in safety mechanisms like deployment rings and gradual rollouts. It is designed for organizations that want to stay current with Windows updates without the overhead of on-premises management.
How WUfB Works Internally
When a device is configured with a WUfB policy, it contacts the Windows Update service directly (not WSUS) to check for updates. The policy defines: - Update rings: Groups of devices that receive updates at different times. - Deferral periods: How long to wait after Microsoft releases an update before installing it. - Deadlines: A date by which the update must be installed. - Pause dates: Temporarily stop updates for troubleshooting.
The device downloads updates from Microsoft's content delivery network (CDN) or from peer devices if Delivery Optimization is enabled. The update is installed according to the policy's schedule. If a device misses a deadline, it will force a reboot (with user notifications) to complete installation.
Key Components and Defaults
- Deferral Periods (in days): - Quality updates: Default 0 days. Can be set from 0 to 30 days. - Feature updates: Default 0 days. Can be set from 0 to 365 days. - Driver updates: Default 0 days. Can be set from 0 to 30 days. - Deadlines: - Quality update deadline: Default 0 days (no deadline). Can be set from 0 to 30 days. - Feature update deadline: Default 0 days. Can be set from 0 to 30 days. - Grace period: After deadline, user can postpone reboot up to 7 days by default (configurable 0-7 days). - Pause: Can pause quality updates for up to 35 days, feature updates for up to 60 days. - Update rings in Intune: Each ring has a name, description, and settings for deferrals, deadlines, and pause. Up to 10 rings per tenant? (No hard limit, but practical limit is around 10-20 for manageability). - Delivery Optimization: Used for peer-to-peer sharing. Can be configured via policy (e.g., LAN only, group, internet).
Configuration via Intune
To create an update ring in Intune: 1. Navigate to Devices > Windows > Update rings > Create profile. 2. Assign a name and description. 3. Configure settings: - Update ring settings: Deferrals, deadlines, pause. - User experience settings: Restart behavior, reminder notifications. - Delivery Optimization: Download mode, bandwidth limits. 4. Assign the ring to Azure AD groups.
Example of a ring configuration for a pilot group:
Quality update deferral: 0 days (immediate)
Feature update deferral: 60 days
Quality update deadline: 5 days
Feature update deadline: 14 days
Grace period: 2 days
Verification Commands
On a Windows device, you can verify WUfB policy using:
Get-WindowsUpdateLogOr check registry keys under:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdateAlso, use gpresult /h gp.html to see applied Group Policies.
Interaction with Related Technologies
WSUS: If both WUfB and WSUS policies are applied, WSUS takes precedence. WUfB will not work if the device is configured to use WSUS (registry key WUServer is set).
Configuration Manager: Co-managed devices can have update management switched to Intune (WUfB) via the co-management slider.
Microsoft Defender for Endpoint: Can trigger updates based on threat intelligence (e.g., expedite updates for critical vulnerabilities).
Windows Update for Business reports: Available in Azure portal (via Log Analytics) to monitor update compliance and deployment progress.
Update Rings Best Practices
Ring 1 (Test): 1-5% of devices, IT staff and testers. Deferrals: 0 days for quality, 0-30 days for feature. Deadline: 2-3 days.
Ring 2 (Early Adopters): 10-20% of devices, power users. Deferrals: 2-5 days for quality, 60-90 days for feature. Deadline: 5-7 days.
Ring 3 (Broad): 70-80% of devices. Deferrals: 7-14 days for quality, 180 days for feature. Deadline: 7-14 days.
Ring 4 (Critical): Remaining devices, executives, or critical systems. Deferrals: 14-30 days for quality, 365 days for feature. Deadline: 14-30 days.
Common Pitfalls
Deferral vs. Deadline: Deferral delays the initial installation; deadline forces installation by a date. Confusing these leads to unintended behavior.
Pause: Pausing updates stops all updates for the specified period, but cumulative updates may still be required after resume.
Feature updates: These are major releases (e.g., 22H2). They require more testing and longer deferrals.
Delivery Optimization: If misconfigured, can cause bandwidth issues or security concerns (e.g., peer-to-peer over the internet).
Exam Note
The MS-102 exam tests your ability to configure update rings in Intune, understand deferral and deadline settings, and troubleshoot common issues. Expect scenario-based questions where you must choose the correct ring configuration for a given deployment phase.
1. Plan Update Ring Strategy
Determine the number of rings and their composition. Typically, 3-4 rings are used: Test, Early Adopters, Broad, and Critical. Decide deferral periods based on risk tolerance. For example, quality updates: Ring 1 defer 0 days, Ring 2 defer 5 days, Ring 3 defer 14 days, Ring 4 defer 30 days. Document the rollout schedule. This step is crucial because it defines the update experience for all devices.
2. Create Azure AD Groups
Create Azure AD groups that will be assigned to each ring. Use dynamic groups based on device attributes (e.g., device model, OS version, department) or static groups. For example, create a group 'Windows Update Ring 1 - Test' with membership rule: (device.deviceOwnership -eq 'Corporate') and (device.deviceCategory -eq 'Test'). Groups must be Azure AD joined or hybrid Azure AD joined. Ensure groups are populated correctly before assigning policies.
3. Configure Update Rings in Intune
In Microsoft Intune, navigate to Devices > Windows > Update rings and create a new profile. Fill in the settings: name, description, deferral periods for quality and feature updates, deadlines, grace periods, and pause settings. Also configure user experience settings like restart warnings and notifications. For example, set 'Automatic update behavior' to 'Auto install at maintenance time' and 'Restart checks' to 'Allow'. Save the policy.
4. Assign Update Rings to Groups
After creating the update ring profile, assign it to the corresponding Azure AD group. In the profile, select 'Assignments' and add the group. The policy will apply to all devices in the group. Multiple rings can be assigned to overlapping groups, but the most restrictive policy wins (e.g., shortest deferral). Ensure no device is in two rings with conflicting settings.
5. Monitor and Adjust Rollout
Use Windows Update for Business reports in Azure (via Log Analytics) or Intune reporting to monitor update compliance. Check for devices that are failing to update, stuck on pending reboot, or not reporting. If issues arise in a ring, you can pause updates for that ring (up to 35 days for quality, 60 for feature). Adjust deferrals or deadlines as needed. After the ring is stable, proceed to the next ring.
Enterprise Scenario 1: Large Financial Institution
A bank with 50,000 Windows 10/11 devices needed to deploy monthly quality updates without disrupting trading systems. They created four update rings: Ring 1 (500 IT staff), Ring 2 (5,000 power users), Ring 3 (40,000 general staff), Ring 4 (4,500 trading floor machines). Ring 1: defer 0 days, deadline 2 days. Ring 2: defer 7 days, deadline 7 days. Ring 3: defer 14 days, deadline 14 days. Ring 4: defer 30 days, deadline 30 days with a 7-day grace period. They used Delivery Optimization with Group mode to reduce bandwidth. The rollout took 30 days per quality update. A common issue was that some trading floor machines had WSUS legacy policies that overrode WUfB; they removed the WUServer registry key via PowerShell script. Another issue: devices in Ring 4 that missed the deadline due to being offline were forced to reboot during trading hours; they extended the grace period to 3 days and used active hours to prevent reboots during market hours.
Enterprise Scenario 2: Global Retail Chain
A retailer with 20,000 devices across 500 stores used only two rings: Ring 1 (store managers and IT) and Ring 2 (all other devices). They set feature update deferral to 180 days for Ring 2 to avoid major OS changes during holiday seasons. They used Intune to enforce a deadline of 14 days for quality updates. However, they found that many store devices were offline for days due to network issues. They configured the 'Allow updates to be installed on metered connections' setting to ensure updates downloaded when connected. They also used Windows Update for Business reports to identify devices that were not reporting and discovered that some devices had third-party antivirus blocking Windows Update. They added exclusions. The retailer also used Delivery Optimization to allow peer-to-peer within stores, but had to disable it for stores with poor Wi-Fi.
Common Misconfigurations
Conflicting policies: Devices may have both WUfB and WSUS policies. WSUS wins, causing updates to not come from Windows Update. Always remove WSUS settings.
Deadline too tight: Setting a 1-day deadline for a large ring causes forced reboots and user complaints. Use at least 7 days.
Not testing feature updates: Deploying a new OS version without testing can break line-of-business apps. Use feature update deferral of 60+ days for broad rings.
Insufficient reporting: Without monitoring, you won't know which devices failed to update. Set up Windows Update for Business reports and alerts.
What MS-102 Tests on This Topic
MS-102 objective 2.4: 'Manage Windows update policies using Windows Update for Business and update rings.' The exam expects you to:
Configure update rings in Microsoft Intune, including deferral periods, deadlines, and pause settings.
Understand the difference between quality updates and feature updates.
Know default values and valid ranges for deferrals and deadlines.
Troubleshoot common issues like devices not receiving updates, conflicts with WSUS, or failed rollouts.
Interpret scenario-based questions to choose the correct ring configuration.
Common Wrong Answers and Why
Choosing 'Deferral' when the question asks for 'Deadline': Many candidates confuse these terms. Deferral delays the start; deadline forces completion by a date. The exam might say 'You need to ensure updates are installed within 7 days of release' – that's a deadline, not a deferral.
Setting feature update deferral to 0 days for all devices: Feature updates are major releases; immediate deployment is risky. The correct answer often involves a longer deferral for broad rings.
Assuming WUfB works with WSUS: WUfB and WSUS are mutually exclusive. If WSUS is configured, WUfB settings are ignored. The exam may present a scenario where devices are not receiving updates and you must identify that WSUS is blocking.
Pausing updates indefinitely: Pause is limited to 35 days for quality and 60 days for feature updates. After that, updates resume. Candidates may think pause is unlimited.
Specific Numbers to Memorize
Quality update deferral range: 0-30 days
Feature update deferral range: 0-365 days
Quality update deadline range: 0-30 days
Feature update deadline range: 0-30 days
Grace period range: 0-7 days
Quality update pause: up to 35 days
Feature update pause: up to 60 days
Default deferral: 0 days for both
Default deadline: 0 days (no deadline)
Default grace period: 7 days
Edge Cases the Exam Loves
Devices not in a ring: If a device is not assigned to any update ring, it receives updates according to its default Windows Update settings (automatic). The exam may ask how to ensure all devices are managed – answer: assign all devices to at least one ring.
Co-management: If a device is co-managed with Configuration Manager and the update workload is set to 'Intune', WUfB applies. If set to 'Configuration Manager', WUfB is ignored.
Delivery Optimization conflicts: If a device has multiple Delivery Optimization policies (e.g., from Group Policy and Intune), the most restrictive wins. The exam may test this.
Feature updates via Windows 11 readiness: Some questions involve Windows 11 upgrade rings. Feature update deferral applies to Windows 11 feature updates as well.
How to Eliminate Wrong Answers
Read the question carefully: note whether it asks for 'deferral' or 'deadline'.
Look for clues about risk tolerance: 'minimize disruption' suggests longer deferrals and deadlines.
If the scenario mentions 'test group', the correct answer will have short deferrals (0-2 days).
If the scenario mentions 'compliance requirement', look for a deadline setting.
Eliminate options that mix up quality and feature update settings (e.g., applying a 180-day deferral to quality updates, which is invalid).
Windows Update for Business (WUfB) manages Windows updates via cloud policies, eliminating the need for WSUS.
Update rings control rollout pace: test groups get updates first, broad groups later.
Quality updates (monthly security patches) have deferral range 0-30 days; feature updates (OS upgrades) have deferral range 0-365 days.
Deadlines force installation by a specified date; default is 0 days (no deadline). Grace period after deadline is 0-7 days (default 7).
Pause quality updates for up to 35 days; feature updates for up to 60 days.
Devices must be Azure AD joined or hybrid Azure AD joined for Intune-managed WUfB.
WSUS and WUfB are mutually exclusive; if WSUS is configured, WUfB settings are ignored.
Delivery Optimization can be used to reduce bandwidth via peer-to-peer sharing within the network.
Windows Update for Business reports are available in Azure Log Analytics or Intune reports, not in M365 admin center.
If a device is in multiple rings, the most restrictive policy (longest deferral, shortest deadline) applies.
These come up on the exam all the time. Here's how to tell them apart.
Windows Update for Business (WUfB)
Cloud-based, no on-premises infrastructure required.
Devices download updates directly from Microsoft CDN.
Configured via Intune or Group Policy.
Supports gradual rollout via update rings.
Automatic updates, no manual approval needed.
Windows Server Update Services (WSUS)
On-premises server required for downloading and distributing updates.
Devices download from local WSUS server, reducing internet bandwidth.
Configured via WSUS console and Group Policy.
Manual approval of updates for different groups.
Full control over which updates are approved and when.
Mistake
Windows Update for Business requires Windows 10 Enterprise or Education edition.
Correct
WUfB is supported on Windows 10 Pro, Enterprise, and Education editions. Windows 10 Home does not support WUfB policies. For Windows 11, same editions apply. The exam may test that Pro edition is supported.
Mistake
Setting a deferral of 30 days means the update will be installed exactly 30 days after release.
Correct
Deferral means the device will not be offered the update until after the deferral period. But the actual installation depends on when the device checks for updates and the deadline setting. If no deadline is set, the update may be installed later (e.g., during maintenance hours). The device might install it on day 31 or later.
Mistake
Pausing updates will stop all updates, including security patches, indefinitely.
Correct
Pause is temporary: up to 35 days for quality updates and 60 days for feature updates. After that period, the pause automatically expires and updates resume. Also, some critical updates (e.g., out-of-band security fixes) may bypass the pause. The exam may test the maximum pause duration.
Mistake
If a device is assigned to multiple update rings, it will receive updates based on the least restrictive settings.
Correct
When a device is in multiple rings, the most restrictive policy wins (i.e., the one with the longest deferral or earliest deadline). This is because Intune merges policies and applies the most restrictive. The exam may present a conflict scenario.
Mistake
Windows Update for Business reports are available in the Microsoft 365 admin center.
Correct
WUfB reports are available in the Azure portal (via Log Analytics) or through the Intune console (under Reports > Windows update compliance). They are not in the M365 admin center. The exam may ask where to find update compliance data.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A deferral delays the initial offering of an update to a device. For example, a 7-day deferral means the device won't see the update until 7 days after Microsoft releases it. A deadline specifies the latest date by which the update must be installed. If a device hasn't installed the update by the deadline, it will be forced to install and possibly reboot. Deferral controls when the update starts; deadline controls when it must finish. In the exam, remember that deferral values are in days (0-30 for quality, 0-365 for feature) and deadlines are also in days (0-30).
No, they are mutually exclusive. If a device has the WSUS server configured (registry key 'WUServer' or Group Policy setting 'Specify intranet Microsoft update service location'), it will ignore WUfB policies and download updates from the WSUS server instead. To use WUfB, you must remove the WSUS configuration. In co-managed environments, you can switch the update workload to Intune (WUfB) via the co-management slider in Configuration Manager.
In Intune, go to Devices > Windows > Update rings, select the ring, then click 'Pause'. You can pause quality updates for up to 35 days and feature updates for up to 60 days. The pause applies to all devices in that ring. You can also set a pause start date and end date. After the pause expires, updates resume automatically. Note that pausing does not prevent critical out-of-band updates.
If a device does not install the update by the deadline, Windows will force the installation and schedule a reboot. The user receives notifications before the reboot. The grace period setting (0-7 days) allows the user to postpone the reboot for up to that many days after the deadline. After the grace period expires, the reboot is forced. The exam may test that the default grace period is 7 days.
You can use Windows Update for Business reports in the Azure portal (requires Log Analytics) or the built-in Intune reports under Devices > Windows > Update rings > Reports. These reports show devices that are up to date, pending update, or in error. You can also export data to CSV. The exam may ask which tool to use for compliance monitoring.
Yes, WUfB supports both Windows 10 and Windows 11. Feature updates for Windows 11 are managed the same way: you set a deferral period (0-365 days) and deadline. You can also use update rings to gradually deploy Windows 11 upgrades. Note that Windows 11 has hardware requirements (TPM 2.0, Secure Boot) that must be met; WUfB does not bypass these requirements.
There is no hard limit documented by Microsoft, but practical limits are around 10-20 rings per tenant for manageability. Each ring can have up to 999 assignments (groups). The exam may not test a specific number, but know that you can create multiple rings.
You've just covered Windows Update for Business and Update Rings — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?