From 72aa33a82e279cc564b88fe52e1ea8bc632e0a75 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 16 Dec 2025 11:45:25 -0500
Subject: [PATCH 001/139] metadata updates. initial outline
---
intune/device-updates/android/fota-updates.md | 3 -
.../android/software-updates-guide.md | 3 -
.../zebra-lifeguard-ota-integration.md | 3 -
intune/device-updates/apple/index.md | 3 -
intune/device-updates/apple/reports.md | 3 -
.../software-updates-guide-ios-ipados.md | 3 -
.../apple/software-updates-guide-macos.md | 3 -
.../apple/software-updates-ios.md | 3 -
.../apple/software-updates-macos.md | 3 -
.../byod-software-updates-guide.md | 3 -
.../windows/compatibility-reports.md | 5 -
intune/device-updates/windows/configure.md | 4 -
.../windows/driver-updates-overview.md | 5 -
.../windows/driver-updates-policy.md | 5 -
.../windows/expedite-updates.md | 4 -
.../device-updates/windows/feature-updates.md | 4 -
intune/device-updates/windows/index.md | 92 +++++++++++++++++++
.../windows/quality-updates-policy.md | 1 -
intune/device-updates/windows/reports.md | 5 -
.../device-updates/windows/rollout-options.md | 4 -
intune/device-updates/windows/settings.md | 4 -
.../software-update-agent-error-codes.md | 3 -
intune/device-updates/windows/toc.yml | 3 +
intune/device-updates/windows/update-rings.md | 4 -
intune/docfx.json | 2 +
25 files changed, 97 insertions(+), 78 deletions(-)
create mode 100644 intune/device-updates/windows/index.md
diff --git a/intune/device-updates/android/fota-updates.md b/intune/device-updates/android/fota-updates.md
index d3d9708e7e..836a8a5e11 100644
--- a/intune/device-updates/android/fota-updates.md
+++ b/intune/device-updates/android/fota-updates.md
@@ -5,9 +5,6 @@ ms.date: 04/09/2025
ms.topic: how-to
ms.reviewer: jieyan
ms.subservice: suite
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Android FOTA Updates
diff --git a/intune/device-updates/android/software-updates-guide.md b/intune/device-updates/android/software-updates-guide.md
index 4c293df7df..4b1aeb38f4 100644
--- a/intune/device-updates/android/software-updates-guide.md
+++ b/intune/device-updates/android/software-updates-guide.md
@@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw
ms.date: 05/29/2024
ms.topic: how-to
ms.reviewer: ahamil, talima, mandia
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Software updates planning guide for managed Android Enterprise devices in Microsoft Intune
diff --git a/intune/device-updates/android/zebra-lifeguard-ota-integration.md b/intune/device-updates/android/zebra-lifeguard-ota-integration.md
index 65f8a4c0d6..4a1121602b 100644
--- a/intune/device-updates/android/zebra-lifeguard-ota-integration.md
+++ b/intune/device-updates/android/zebra-lifeguard-ota-integration.md
@@ -5,9 +5,6 @@ ms.date: 08/01/2024
ms.topic: how-to
ms.reviewer: jieyan
ms.subservice: suite
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
diff --git a/intune/device-updates/apple/index.md b/intune/device-updates/apple/index.md
index 4dae5a444b..df97160a9e 100644
--- a/intune/device-updates/apple/index.md
+++ b/intune/device-updates/apple/index.md
@@ -4,9 +4,6 @@ description: Learn how to configure software update policies for Apple devices u
ms.date: 10/14/2025
ms.topic: how-to
ms.reviewer: beflamm
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Configure update policies for Apple devices
diff --git a/intune/device-updates/apple/reports.md b/intune/device-updates/apple/reports.md
index 92af49ef5d..63d6894f82 100644
--- a/intune/device-updates/apple/reports.md
+++ b/intune/device-updates/apple/reports.md
@@ -4,9 +4,6 @@ description: Track Apple device update status in real time with Intune's declara
ms.date: 10/14/2025
ms.topic: how-to
ms.reviewer: beflamm
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Software update reporting for Apple devices
diff --git a/intune/device-updates/apple/software-updates-guide-ios-ipados.md b/intune/device-updates/apple/software-updates-guide-ios-ipados.md
index c0408c7271..52484f0318 100644
--- a/intune/device-updates/apple/software-updates-guide-ios-ipados.md
+++ b/intune/device-updates/apple/software-updates-guide-ios-ipados.md
@@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw
ms.date: 07/24/2025
ms.topic: how-to
ms.reviewer: beflamm, ahamil, rogerso
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Software updates planning guide and scenarios for supervised iOS/iPadOS devices in Microsoft Intune
diff --git a/intune/device-updates/apple/software-updates-guide-macos.md b/intune/device-updates/apple/software-updates-guide-macos.md
index 03d2222ef7..d681fa0261 100644
--- a/intune/device-updates/apple/software-updates-guide-macos.md
+++ b/intune/device-updates/apple/software-updates-guide-macos.md
@@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw
ms.date: 07/23/2025
ms.topic: how-to
ms.reviewer: beflamm, ahamil, rogerso
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Software updates planning guide for managed macOS devices in Microsoft Intune
diff --git a/intune/device-updates/apple/software-updates-ios.md b/intune/device-updates/apple/software-updates-ios.md
index 0ef9b77df8..deb56f800f 100644
--- a/intune/device-updates/apple/software-updates-ios.md
+++ b/intune/device-updates/apple/software-updates-ios.md
@@ -4,9 +4,6 @@ description: Use Microsoft Intune to manage system updates for supervised iOS/iP
ms.date: 10/15/2025
ms.topic: how-to
ms.reviewer: annovich, beflamm
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Manage iOS/iPadOS software updates using MDM-based policies in Microsoft Intune
diff --git a/intune/device-updates/apple/software-updates-macos.md b/intune/device-updates/apple/software-updates-macos.md
index 6458f5238a..d2ab339dff 100644
--- a/intune/device-updates/apple/software-updates-macos.md
+++ b/intune/device-updates/apple/software-updates-macos.md
@@ -4,9 +4,6 @@ description: Use Microsoft Intune to manage system updates for supervised macOS
ms.date: 09/24/2025
ms.topic: how-to
ms.reviewer: beflamm
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Manage macOS software updates using MDM-based policies in Microsoft Intune
diff --git a/intune/device-updates/byod-software-updates-guide.md b/intune/device-updates/byod-software-updates-guide.md
index 2e0f67c2d6..08f31380dc 100644
--- a/intune/device-updates/byod-software-updates-guide.md
+++ b/intune/device-updates/byod-software-updates-guide.md
@@ -4,9 +4,6 @@ description: Guidance and advice for administrators that create and manage softw
ms.date: 04/07/2025
ms.topic: how-to
ms.reviewer: ahamil, talima, mandia
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Software updates planning guide for BYOD and personal devices in Microsoft Intune
diff --git a/intune/device-updates/windows/compatibility-reports.md b/intune/device-updates/windows/compatibility-reports.md
index ba0019ddc1..6cb44522a7 100644
--- a/intune/device-updates/windows/compatibility-reports.md
+++ b/intune/device-updates/windows/compatibility-reports.md
@@ -4,11 +4,6 @@ description: Use the app and driver compatibility reports for Windows devices be
ms.date: 11/27/2024
ms.topic: how-to
ms.reviewer: zadvor
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- highseo
-- sub-updates
---
# App and driver compatibility reports for Windows updates
diff --git a/intune/device-updates/windows/configure.md b/intune/device-updates/windows/configure.md
index 3ecfb4eae5..74c0af1da1 100644
--- a/intune/device-updates/windows/configure.md
+++ b/intune/device-updates/windows/configure.md
@@ -4,10 +4,6 @@ description: Manage Windows software updates by using Intune policy for Update r
ms.date: 02/27/2025
ms.topic: overview
ms.reviewer: davidmeb; bryanke; davguy
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Manage Windows software updates in Intune
diff --git a/intune/device-updates/windows/driver-updates-overview.md b/intune/device-updates/windows/driver-updates-overview.md
index 5c17a4582d..71ab3d5353 100644
--- a/intune/device-updates/windows/driver-updates-overview.md
+++ b/intune/device-updates/windows/driver-updates-overview.md
@@ -4,11 +4,6 @@ description: Learn about using Microsoft Intune policy to manage Windows driver
ms.date: 09/10/2024
ms.topic: how-to
ms.reviewer: davguy; davidmeb; bryanke
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- ContentEnagagementFY24
-- sub-updates
---
# Windows Driver update management in Microsoft Intune
diff --git a/intune/device-updates/windows/driver-updates-policy.md b/intune/device-updates/windows/driver-updates-policy.md
index 2c92ebbe31..342fe096b6 100644
--- a/intune/device-updates/windows/driver-updates-policy.md
+++ b/intune/device-updates/windows/driver-updates-policy.md
@@ -4,11 +4,6 @@ description: Use Microsoft Intune to manage policies that install Windows driver
ms.date: 04/07/2025
ms.topic: how-to
ms.reviewer: davguy; davidmeb; bryanke
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- ContentEnagagementFY24
-- sub-updates
---
# Manage policy for Windows Driver updates with Microsoft Intune
diff --git a/intune/device-updates/windows/expedite-updates.md b/intune/device-updates/windows/expedite-updates.md
index 4b106e7dbe..f8fcd1bdee 100644
--- a/intune/device-updates/windows/expedite-updates.md
+++ b/intune/device-updates/windows/expedite-updates.md
@@ -4,10 +4,6 @@ description: Use Microsoft Intune policy to expedite the installation of Windows
ms.date: 02/20/2025
ms.topic: how-to
ms.reviewer: davguy;bryanke
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Expedite Windows quality updates in Microsoft Intune
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 732d0c044a..5308d874dc 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -4,10 +4,6 @@ description: Create and manage Intune policy for Windows feature updates. Config
ms.date: 09/10/2024
ms.topic: how-to
ms.reviewer: davidmeb; bryanke; davguy
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Feature updates for Windows 10 and later policy in Intune
diff --git a/intune/device-updates/windows/index.md b/intune/device-updates/windows/index.md
new file mode 100644
index 0000000000..9f3c496058
--- /dev/null
+++ b/intune/device-updates/windows/index.md
@@ -0,0 +1,92 @@
+---
+title: Manage Windows updates with Microsoft Intune
+description: Learn how Microsoft Intune helps you manage Windows updates for your organization.
+ms.date: 12/16/2025
+ms.topic: overview
+---
+
+# Manage Windows updates with Microsoft Intune
+
+Keeping Windows devices secure and up to date is one of the most important responsibilities for any organization. Microsoft Intune offers a modern, cloud‑based approach to managing Windows Update client policies so you can deliver updates with control, predictability, and minimal disruption to your users.
+This overview introduces how Intune manages Windows updates, the policy types you can use, and how these pieces fit together into a complete update strategy.
+
+How Intune manages Windows updates
+Intune integrates with Windows Update for Business to configure how and when Windows 10 and Windows 11 devices receive updates. Rather than downloading and approving individual patches (as you would in WSUS), Intune defines update behavior through policy. Devices then communicate directly with the Windows Update service to retrieve the correct updates.
+With Intune, you can manage:
+
+Quality updates (monthly cumulative security and reliability updates)
+Feature updates (annual Windows version releases)
+Driver and firmware updates
+Restart and deadline behavior
+Exceptional scenarios, such as urgent security patches
+
+All Windows updates flow from Microsoft's global update service; Intune provides the policy layer that governs timing, user experience, and safeguards.
+
+Core policy types
+Intune provides several policy types, each designed for a specific purpose. Understanding these helps you choose the right tool for each scenario.
+Update rings
+Update rings control the cadence and experience of updates, including:
+
+Deferral periods for quality and feature updates
+Deadlines and grace periods
+Restart behavior and active hours
+
+Use update rings to set your baseline update behavior and to create staged deployment groups (for example: Pilot → Broad).
+Feature updates policy
+Feature updates policies let you lock devices to a specific Windows version (for example, stay on 22H2) until you choose to upgrade.
+Use this when you want predictable OS version targeting, regardless of ring deferrals.
+Quality updates (expedite) policy
+Expedite policies push a specific quality update as soon as possible to remediate critical vulnerabilities. These settings override deferrals and deadlines in update rings.
+Use this only for urgent or zero‑day scenarios.
+Driver and firmware updates
+Intune can manage whether devices receive driver and firmware updates from Windows Update. You can choose to enable, disable, or selectively allow drivers depending on your device ecosystem.
+Windows Autopatch
+Windows Autopatch is a managed service that automates the update rollout process. Autopatch uses update rings behind the scenes, creates its own deployment groups, and orchestrates updates for you.
+Use Autopatch when you prefer Microsoft to manage update sequencing, validation, and rollout, instead of maintaining your own rings and schedules.
+Hotpatch
+Hotpatch is a servicing mechanism that delivers certain security updates without requiring a reboot. Intune does not configure hotpatch directly, but devices that support hotpatch continue to use Intune's update policies for timing and coordination.
+
+How the pieces fit together
+Intune's Windows update management is designed as a layered system, where each policy type handles a specific need:
+
+Update rings → set the baseline scheduling and user experience
+Feature updates → control the Windows version
+Expedite updates → override schedules for urgent patches
+Driver policies → manage hardware‑level updates
+Autopatch → optional automation layer that manages the above for you
+
+These policies are complementary. For example, you can assign update rings for routine monthly updates while using a feature updates policy to pin devices to 23H2 until you approve an upgrade.
+
+What you can do with Intune
+With Intune, organizations can:
+
+Standardize Windows update behavior across all devices
+Stage updates using rings or Autopatch deployment groups
+Control when devices move to a new Windows version
+Push emergency patches during high‑risk situations
+Reduce user disruption with controlled reboot experiences
+Monitor update compliance across the fleet
+Troubleshoot devices that fall behind or fail to apply updates
+
+Intune gives you the flexibility to adopt a simple, fully automated model or a highly controlled, staged approach — whichever fits your operational needs.
+
+Next steps
+Use the rest of the articles in this section to explore each policy type in more depth:
+
+Plan your update strategy
+Configure update rings
+Deploy feature update targeting
+Expedite critical updates
+Manage driver and firmware updates
+Use Windows Autopatch
+Understand hotpatching scenarios
+Monitor and troubleshoot update compliance
+
+
+| Feature | When using Autopatch | When NOT using Autopatch |
+|--------------------------|-------------------------------------------------------------------------------------------|-----------------------------------------------|
+| Update rings | Autopatch creates & manages its own rings; you shouldn't assign your own to these devices | You configure your own update rings in Intune |
+| Feature update policies | Autopatch manages version targeting | You use Intune's Feature updates policy |
+| Quality expedite updates | Autopatch handles emergency patching | You use "Expedite" policy |
+| Driver updates | Autopatch manages this | You can allow/deny via settings |
+| Update coordination | Autopatch orchestrates everything | You control scheduling & behavior |
\ No newline at end of file
diff --git a/intune/device-updates/windows/quality-updates-policy.md b/intune/device-updates/windows/quality-updates-policy.md
index 8e2ed4d3ae..5fe3b6a9ea 100644
--- a/intune/device-updates/windows/quality-updates-policy.md
+++ b/intune/device-updates/windows/quality-updates-policy.md
@@ -4,7 +4,6 @@ description: Use Hotpatch updates to receive security updates without restarting
ms.date: 04/17/2025
ms.reviewer: Mounika
ms.topic: how-to
-ms.collection:
---
# Windows quality update policy
diff --git a/intune/device-updates/windows/reports.md b/intune/device-updates/windows/reports.md
index dfb1fb8a82..9608efdcf6 100644
--- a/intune/device-updates/windows/reports.md
+++ b/intune/device-updates/windows/reports.md
@@ -4,11 +4,6 @@ description: Use Windows Update for Business reports to view data for Windows Up
ms.date: 03/04/2025
ms.topic: how-to
ms.reviewer: zadvor
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- highseo
-- sub-updates
---
# Windows Update reports for Microsoft Intune
diff --git a/intune/device-updates/windows/rollout-options.md b/intune/device-updates/windows/rollout-options.md
index 575f7297d0..ef891c87aa 100644
--- a/intune/device-updates/windows/rollout-options.md
+++ b/intune/device-updates/windows/rollout-options.md
@@ -4,10 +4,6 @@ description: Configure schedules that manage how and when Windows updates roll o
ms.date: 04/07/2025
ms.topic: how-to
ms.reviewer: davguy; bryanke
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Rollout options for Windows Updates in Microsoft Intune
diff --git a/intune/device-updates/windows/settings.md b/intune/device-updates/windows/settings.md
index e743ac10ee..13eae37ac1 100644
--- a/intune/device-updates/windows/settings.md
+++ b/intune/device-updates/windows/settings.md
@@ -4,10 +4,6 @@ description: View the settings for Windows Update that you can manage through In
ms.date: 07/15/2024
ms.topic: reference
ms.reviewer: davguy; bryanke
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
diff --git a/intune/device-updates/windows/software-update-agent-error-codes.md b/intune/device-updates/windows/software-update-agent-error-codes.md
index 58d3bef6e7..6fe62ec361 100644
--- a/intune/device-updates/windows/software-update-agent-error-codes.md
+++ b/intune/device-updates/windows/software-update-agent-error-codes.md
@@ -5,9 +5,6 @@ ms.date: 05/29/2019
ms.topic: reference
ROBOTS:
ms.reviewer: mghadial
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Software update agent error codes and descriptions in Microsoft Intune
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index d5cc65b8dc..dce420a319 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -1,4 +1,7 @@
items:
+- name: overview
+ href: index.md
+ displayName: windows updates
- name: Use Windows Update client policies
href: configure.md
displayName: windows updates
diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md
index d313f2ac74..f4cccc9fd0 100644
--- a/intune/device-updates/windows/update-rings.md
+++ b/intune/device-updates/windows/update-rings.md
@@ -4,10 +4,6 @@ description: Create and manage Intune policy for Windows update rings. You can c
ms.date: 04/18/2024
ms.topic: how-to
ms.reviewer: davguy; davidmeb; bryanke
-#ms.custom:
-ms.collection:
-- M365-identity-device-management
-- sub-updates
---
# Windows Update rings policy in Intune
diff --git a/intune/docfx.json b/intune/docfx.json
index 2fcfd91e75..c9d153c07c 100644
--- a/intune/docfx.json
+++ b/intune/docfx.json
@@ -161,6 +161,8 @@
"solutions/**/*.yml": "mandia"
},
"ms.collection": {
+ "intune-service/device-updates/**/*.md": ["M365-identity-device-management","sub-updates"],
+ "intune-service/device-updates/**/*.yml": ["M365-identity-device-management","sub-updates"],
"intune-service/remote-actions/**/*.md": ["M365-identity-device-management"],
"intune-service/remote-actions/**/*.yml": ["M365-identity-device-management"]
},
From 634a49f3aae51bb1b3958cd9458252d033206afa Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:26:21 -0500
Subject: [PATCH 002/139] Updates
---
.../device-updates/windows/feature-updates.md | 142 +++++++++++-------
1 file changed, 84 insertions(+), 58 deletions(-)
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 5308d874dc..7319620297 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -1,18 +1,23 @@
---
-title: Configure feature updates policy for Windows devices in Intune
-description: Create and manage Intune policy for Windows feature updates. Configure and deploy policy to maintain the Windows feature version of Windows devices you manage with Microsoft Intune.
+title: Windows feature update releases
+description: Learn about Windows feature update policy settings and how to create feature update releases in Microsoft Intune.
ms.date: 09/10/2024
ms.topic: how-to
ms.reviewer: davidmeb; bryanke; davguy
---
-# Feature updates for Windows 10 and later policy in Intune
+# Configure Windows feature updates releases
-With *Feature updates for Windows 10 and later* in Intune, you can select the Windows [feature update](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates) version that you want devices to remain at. Intune supports setting a feature level to any version that remains in support at the time you create the policy.
+With Microsoft Intune, you can create and deploy policy settings that ensure your Windows devices remain on a specific Windows feature update version. These settings help you manage and control the feature set of Windows on your devices, providing stability and predictability for your organization's IT environment.
-You can also use feature updates policy to [upgrade devices that run Windows 10 to Windows 11](#upgrade-devices-to-windows-11).
+With these policies, you can:
-Windows feature updates policies work with your *Update rings for Windows 10 and later* policies to prevent a device from receiving a Windows feature version that's later than the value specified in the feature updates policy.
+- Select the Windows [feature update](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates) version that you want devices to remain at. This option supports setting a feature level to any version that remains in support at the time you create the policy.
+- [Upgrade devices that run Windows 10 to Windows 11](#upgrade-devices-to-windows-11).
+
+Windows feature updates policies work with update rings policies to prevent a device from receiving a Windows feature version that's later than the value specified in the feature updates policy.
+
+## How feature updates work
When a device receives a policy for Feature updates:
@@ -26,71 +31,92 @@ When a device receives a policy for Feature updates:
> - [Windows 11 release information](/windows/release-health/windows11-release-information)
-- Unlike using *Pause* with an update ring, which expires after 35 days, the Feature updates policy remains in effect. Devices won't install a new Windows version until you modify or remove the Feature updates policy. If you edit the policy to specify a newer version, devices can then install the features from that Windows version.
-- The ability to *Uninstall* the Feature update is still honored by the Update Rings.
+- Unlike using the *Pause* option of an update ring, which expires after 35 days, the feature updates policy remains in effect. Devices won't install a new Windows version until you modify or remove the Feature updates policy. If you edit the policy to specify a newer version, devices can then install the features from that Windows version.
+- The ability to *Uninstall* the Feature update is still honored by the update rings.
- You can configure policy to manage the schedule by which Windows Update makes the offer available to devices. For more information, see [Rollout options for Windows Updates](rollout-options.md).
- When a Windows feature update is deployed to a device from the cloud service, the latest monthly quality update is automatically included.
## Prerequisites
-> [!IMPORTANT]
-> This feature isn't supported on GCC and GCC High/DoD cloud environments.
->
-> [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities.
-
-The following are prerequisites for Intune's Feature updates for Windows 10 and later:
-
-- The core functionality of creating and targeting a feature update only requires a license for Intune. The core functionality includes creating the policy and selecting a feature update to update devices, using the **Make updates available as soon as possible** option or specifying a start date, and reporting. Capabilities supported by client policies on Professional SKU devices don't require a license.
-
-- Additional cloud-based functionality requires an additional license. To use a cloud-based capability, in addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Autopatch:
-
- - Windows Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
-
- - Windows Education A3 or A5 (included in Microsoft 365 A3 or A5)
-
- - Windows Virtual Desktop Access E3 or E5
-
- - Microsoft 365 Business Premium
+:::row:::
+:::column span="1":::
+[!INCLUDE [cloud](../includes/requirements/cloud.md)]
- The cloud-based capabilities requiring the additional license are indicated in the *Create feature update deployment* or policy creation page and include the following items and potentially new features:
+:::column-end:::
+:::column span="3":::
- - Gradual rollout: The [Gradual Rollout](rollout-options.md#make-updates-available-gradually) capability is a cloud only feature and includes basic controls for deploying a specified feature update and when to start making the update available to devices.
- - [Optional feature updates](#create-and-assign-feature-updates-for-windows-10-and-later-policy)
- - Windows 10 (SxS): The Windows 10 (SxS) feature is a cloud-only feature. If you're blocked when creating new policies for capabilities that require Windows Autopatch and you get your licenses to use Windows Update client policies through an Enterprise Agreement (EA), contact the source of your licenses such as your Microsoft account team or the partner who sold you the licenses. The account team or partner can confirm that your tenants licenses meet the Windows Autopatch license requirements. See [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea).
-
-- Devices must:
- - Run a version of Windows that remains in support.
- - Be enrolled in Intune MDM and be Microsoft Entra hybrid joined or Microsoft Entra joined.
- - Have Telemetry turned on, with a minimum setting of [*Required*](../../intune-service/configuration/device-restrictions-windows-10.md#reporting-and-telemetry).
-
- Devices that receive a feature updates policy and that have Telemetry set to *Not configured* (off), might install a later version of Windows than defined in the feature updates policy.
-
- Configure Telemetry as part of a [Device Restriction policy](../../intune-service/configuration/device-restrictions-configure.md) for Windows. In the device restriction profile, under *Reporting and Telemetry*, configure the **Share usage data** with a minimum value of **Required**. Values of **Enhanced (1903 and earlier)** or **Optional** are also supported.
-
- - The *Microsoft Account Sign-In Assistant* (wlidsvc) must be able to run. If the service is blocked or set to *Disabled*, it fails to receive the update. For more information, see [Feature updates aren't being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). By default, the service is set to *Manual (Trigger Start)*, which allows it to run when needed.
+> - Public cloud
+>
+> > [!IMPORTANT]
+> >
+> > This feature isn't supported on Government Community Cloud (GCC) High and Department of Defense (DoD) cloud environments.
+> > [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities.
- - Have access to endpoints. To get a detailed list of endpoints required for the associated services listed here, see [Network endpoints](../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices).
- - [Windows Update](/windows/privacy/manage-windows-1809-endpoints#windows-update)
- - Windows Autopatch
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/licensing.md)]
-- Enable [data collection](reports.md#configuring-for-client-data-reporting) in Intune for devices that you wish to deploy feature updates.
+:::column-end:::
+:::column span="3":::
-- Feature updates are supported for the following Windows editions:
- - Pro
- - Enterprise
- - Pro Education
- - Education
- - Pro for Workstations
+> The core functionality of creating and targeting a feature update only requires a license for Intune. The core functionality includes creating the policy and selecting a feature update to update devices, using the **Make updates available as soon as possible** option or specifying a start date, and reporting. Capabilities supported by client policies on Professional SKU devices don't require a license.
+>
+> Additional cloud-based functionality requires an additional license. To use a cloud-based capability, in addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Autopatch:
+> - Windows Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
+> - Windows Education A3 or A5 (included in Microsoft 365 A3 or A5)
+> - Windows Virtual Desktop Access E3 or E5
+> - Microsoft 365 Business Premium
+>
+> The cloud-based capabilities requiring the additional license are indicated in the *Create feature update deployment* > or policy creation page and include the following items and potentially new features:
+> - Gradual rollout: The [Gradual Rollout](rollout-options.md#make-updates-available-gradually) capability is a cloud > only feature and includes basic controls for deploying a specified feature update and when to start making the update > available to devices.
+> - [Optional feature updates](#create-and-assign-feature-updates-for-windows-10-and-later-policy)
+> - Windows 10 (SxS): The Windows 10 (SxS) feature is a cloud-only feature. If you're blocked when creating new policies > for capabilities that require Windows Autopatch and you get your licenses to use Windows Update client policies > through an Enterprise Agreement (EA), contact the source of your licenses such as your Microsoft account team or the > partner who sold you the licenses. The account team or partner can confirm that your tenants licenses meet the Windows > Autopatch license requirements. See [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea).
+
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [device-configuration](../includes/requirements/device-configuration.md)]
+
+:::column-end:::
+:::column span="3":::
+> Feature update policies supports devices that are:
+> - Enrolled in Intune
+> - Microsoft Entra joined
+> - Microsoft Entra hybrid joined
+>
+> Devices must also meet the following requirements:
+> - Telemetry must be turned on, with a minimum setting of [*Required*](../../intune-service/configuration/device-restrictions-windows-10.md#reporting-and-telemetry).
+> Devices that receive a feature updates policy and that have Telemetry set to *Not configured* (off), might install a later version of Windows than defined in the feature updates policy.
+>
+> Configure Telemetry as part of a [Device Restriction policy](../../intune-service/configuration/device-restrictions-configure.md) for Windows. In the device restriction profile, under *Reporting and Telemetry*, configure the **Share usage data** with a minimum value of **Required**. Values of **Enhanced (1903 and earlier)** or **Optional** are also supported.
+> - The *Microsoft Account Sign-In Assistant* (wlidsvc) must be able to run. If the service is blocked or set to *Disabled*, it fails to receive the update. For more information, see [Feature updates aren't being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). By default, the service is set to *Manual (Trigger Start)*, which allows it to run when needed.
+> - Have access to endpoints. To get a detailed list of endpoints required for the associated services listed here, see [Network endpoints](../../intune-service/fundamentals/intune-endpoints.md#access-for-managed-devices).
+> - [Windows Update](/windows/privacy/manage-windows-1809-endpoints#windows-update)
+> - Windows Autopatch
+>
+> - Enable [data collection](reports.md#configuring-for-client-data-reporting) in Intune for devices that you wish to deploy feature updates.
+>
+> - Feature updates are supported for the following Windows editions:
+> - Pro
+> - Enterprise
+> - Pro Education
+> - Education
+> - Pro for Workstations
+>
+> > [!NOTE]
+> > **Unsupported versions and editions**:
+> > *Windows Enterprise LTSC*: Windows Update client policies does not support the *Long Term Service Channel* release. Plan to use alternative patching methods, like WSUS or Configuration Manager.
+:::column-end:::
+:::row-end:::
- > [!NOTE]
- > **Unsupported versions and editions**:
- > *Windows Enterprise LTSC*: Windows Update client policies does not support the *Long Term Service Channel* release. Plan to use alternative patching methods, like WSUS or Configuration Manager.
-### Limitations for Workplace Joined devices
+### Limitations for Microsoft Entra registered devices
-Intune policies for *Feature updates for Windows 10 and later* require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Where Windows Update client policies supports WPJ devices, Windows Autopatch provides more capabilities that aren't supported for WPJ devices.
+Feature updates policies require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Where Windows Update client policies supports Microsoft Entra registered devices, Windows Autopatch provides more capabilities that aren't supported by those devices.
-For more information about WPJ limitations for Intune Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md) in *Manage Windows 10 and Windows 11 software updates in Intune*.
+For more information about Microsoft Entra registered devices limitations for Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md).
## Limitations for Feature updates for Windows 10 and later policy
@@ -192,7 +218,7 @@ If you're already using Endpoint analytics, navigate to the [Work from anywhere
### Licensing for Windows 11 versions
-Windows 11 includes a new license agreement, which can be viewed at [https://www.microsoft.com/useterms/](https://www.microsoft.com/useterms/). This license agreement is automatically accepted by an organization that submits a policy to deploy Windows 11.
+Windows 11 includes a license agreement that can be viewed at [https://www.microsoft.com/useterms/](https://www.microsoft.com/useterms/). This license agreement is automatically accepted by an organization that submits a policy to deploy Windows 11.
When you configure a policy in the Microsoft Intune admin center to deploy any Windows 11 version, the Microsoft Intune admin center displays a notice to remind you that by submitting the policy you are accepting the Windows 11 License Agreement terms on behalf of the devices, and your device users. After submitting the feature updates policy, end users won't see or need to accept the license agreement, making the update process seamless.
From 67b43fb9745e8f211be1e9b8d1f9d80265f83673 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:36:03 -0500
Subject: [PATCH 003/139] updates
---
intune/device-updates/windows/feature-updates.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 7319620297..8339f80792 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -40,7 +40,7 @@ When a device receives a policy for Feature updates:
:::row:::
:::column span="1":::
-[!INCLUDE [cloud](../includes/requirements/cloud.md)]
+[!INCLUDE [cloud](../../includes/requirements/cloud.md)]
:::column-end:::
:::column span="3":::
@@ -54,7 +54,7 @@ When a device receives a policy for Feature updates:
:::row:::
:::column span="1":::
-[!INCLUDE [platform](../includes/requirements/licensing.md)]
+[!INCLUDE [platform](../../includes/requirements/licensing.md)]
:::column-end:::
:::column span="3":::
@@ -77,7 +77,7 @@ When a device receives a policy for Feature updates:
:::row:::
:::column span="1":::
-[!INCLUDE [device-configuration](../includes/requirements/device-configuration.md)]
+[!INCLUDE [device-configuration](../../includes/requirements/device-configuration.md)]
:::column-end:::
:::column span="3":::
From 25ec8397e9a8e280e399f09ea155e71ed9ca1311 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:52:05 -0500
Subject: [PATCH 004/139] updates
---
.../windows/feature-updates-windows-10.md | 48 +++++++++++++++++++
.../device-updates/windows/feature-updates.md | 46 ++----------------
intune/device-updates/windows/toc.yml | 2 +
3 files changed, 54 insertions(+), 42 deletions(-)
create mode 100644 intune/device-updates/windows/feature-updates-windows-10.md
diff --git a/intune/device-updates/windows/feature-updates-windows-10.md b/intune/device-updates/windows/feature-updates-windows-10.md
new file mode 100644
index 0000000000..eebc024ff5
--- /dev/null
+++ b/intune/device-updates/windows/feature-updates-windows-10.md
@@ -0,0 +1,48 @@
+---
+title: Upgrade devices to Windows 11 using feature updates
+description: Learn how to upgrade Windows 10 devices to Windows 11 using feature updates in Microsoft Intune.
+ms.date: 09/10/2024
+ms.topic: how-to
+ms.reviewer:
+---
+
+# Upgrade devices to Windows 11 using feature updates
+
+You can use policy for *Feature updates for Windows 10 and later* to upgrade devices that run Windows 10 to Windows 11.
+
+When you use feature updates policy to deploy Windows 11, you can target the policy to Windows 10 devices that meet the Windows 11 minimum requirements to upgrade them to Windows 11. Devices that don't meet the requirements for Windows 11 won't install the update and remain at their current Windows 10 version.
+
+Another option is to select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update**, then devices that don't meet the requirements for Windows 11 will get the latest Windows 10 feature update instead.
+
+However, if a Windows 10 device that can't run Windows 11 is targeted with a Windows 11 update, future Windows 10 updates won't be offered to that device automatically. In this case, remove the not eligible device from the Windows 11 policy and assign the device to a Windows 10 feature update policy. See [Update behavior when multiple policies target a device](#update-behavior-when-multiple-policies-target-a-device).
+
+## Prepare to upgrade to Windows 11
+
+The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the [minimum system requirements for Windows 11](/windows/whats-new/windows-11-requirements#hardware-requirements).
+
+You can use [endpoint analytics](../../endpoint-analytics/index.md) to determine which of your devices meet the hardware requirements. If some of your devices don't meet all the requirements, you can see exactly which ones aren't met. To use Endpoint analytics, your devices must be managed by Intune, co-managed, or have the Configuration Manager client with tenant attach enabled.
+
+If you're already using Endpoint analytics, navigate to the [Work from anywhere report](../../endpoint-analytics/work-from-anywhere.md), and select the Windows score category in the middle to open a flyout with aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report. On the Windows tab, you'll see device-by-device readiness information.
+
+## Licensing for Windows 11 versions
+
+Windows 11 includes a license agreement that can be viewed at [https://www.microsoft.com/useterms/](https://www.microsoft.com/useterms/). This license agreement is automatically accepted by an organization that submits a policy to deploy Windows 11.
+
+When you configure a policy in the Microsoft Intune admin center to deploy any Windows 11 version, the Microsoft Intune admin center displays a notice to remind you that by submitting the policy you are accepting the Windows 11 License Agreement terms on behalf of the devices, and your device users. After submitting the feature updates policy, end users won't see or need to accept the license agreement, making the update process seamless.
+
+This license reminder appears each time you select a Windows 11 build, even if all your Windows devices already run Windows 11. This prompt is provided because Intune doesn't track which devices will receive the policy, and its possible new devices that run Windows 10 might later enroll and be targeted by the policy.
+
+For more information including general licensing details, see the [Windows 11 documentation](/windows/whats-new/windows-11).
+
+## Create policy for Windows 11
+
+To deploy Windows 11, you'll create and deploy a feature updates policy just as you might have done previously for a Windows 10 device. It's the [same process](#create-and-assign-feature-updates-for-windows-10-and-later-policy) though instead of selecting a Windows 10 version, you'll select a Windows 11 version from the *Feature update to deploy* dropdown list. The dropdown list displays both Windows 10 and Windows 11 version updates that are in support.
+
+Also, the admin can choose to deploy the latest Windows 10 update to devices that are not eligible for Windows 11. To enable this feature, the admin must select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update** in the deployment policy. This capability is only available if you choose a Windows 11 version from the *Feature update to deploy* dropdown list, and if the tenant meets the [licensing requirements](#prerequisites) defined at the beginning of this document.
+
+With this capability, you do not need to create two different deployment policies or two different feature updates. With a single policy, you can get your Windows 10 devices that can't go to Windows 11 to upgrade to the latest Windows 10 version and all the devices that can go to Windows 11 to upgrade to a Windows 11 version that you choose.
+
+You cannot set the checkbox for an existing policy because changing the checkbox value ends the current deployment and starts two new deployments. To change your deployment settings, delete the current feature update policy and create a new policy with the checkbox selected.
+
+- Deploying an older Windows version to a device won't downgrade the device. Devices only install an update when it's newer than the devices current version.
+- Deploying a Windows 11 update to a Windows 10 device that supports Windows 11, [upgrades that device](#upgrade-devices-to-windows-11).
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 8339f80792..8c4f1747fd 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -52,6 +52,10 @@ When a device receives a policy for Feature updates:
> > This feature isn't supported on Government Community Cloud (GCC) High and Department of Defense (DoD) cloud environments.
> > [Enable subscription activation with an existing EA](/windows/deployment/deploy-enterprise-licenses#enable-subscription-activation-with-an-existing-ea) isn't applicable to GCC and GCC High/DoD cloud environments for Windows Autopatch capabilities.
+:::column-end:::
+:::row-end:::
+
+
:::row:::
:::column span="1":::
[!INCLUDE [platform](../../includes/requirements/licensing.md)]
@@ -197,48 +201,6 @@ For more information about Microsoft Entra registered devices limitations for Wi
5. Under **Review + create**, review the settings. When ready to save the Feature updates policy, select **Create**.
-
-## Upgrade devices to Windows 11
-
-You can use policy for *Feature updates for Windows 10 and later* to upgrade devices that run Windows 10 to Windows 11.
-
-When you use feature updates policy to deploy Windows 11, you can target the policy to Windows 10 devices that meet the Windows 11 minimum requirements to upgrade them to Windows 11. Devices that don't meet the requirements for Windows 11 won't install the update and remain at their current Windows 10 version.
-
-Another option is to select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update**, then devices that don't meet the requirements for Windows 11 will get the latest Windows 10 feature update instead.
-
-However, if a Windows 10 device that can't run Windows 11 is targeted with a Windows 11 update, future Windows 10 updates won't be offered to that device automatically. In this case, remove the not eligible device from the Windows 11 policy and assign the device to a Windows 10 feature update policy. See [Update behavior when multiple policies target a device](#update-behavior-when-multiple-policies-target-a-device).
-
-### Prepare to upgrade to Windows 11
-
-The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the [minimum system requirements for Windows 11](/windows/whats-new/windows-11-requirements#hardware-requirements).
-
-You can use [endpoint analytics](../../endpoint-analytics/index.md) to determine which of your devices meet the hardware requirements. If some of your devices don't meet all the requirements, you can see exactly which ones aren't met. To use Endpoint analytics, your devices must be managed by Intune, co-managed, or have the Configuration Manager client with tenant attach enabled.
-
-If you're already using Endpoint analytics, navigate to the [Work from anywhere report](../../endpoint-analytics/work-from-anywhere.md), and select the Windows score category in the middle to open a flyout with aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report. On the Windows tab, you'll see device-by-device readiness information.
-
-### Licensing for Windows 11 versions
-
-Windows 11 includes a license agreement that can be viewed at [https://www.microsoft.com/useterms/](https://www.microsoft.com/useterms/). This license agreement is automatically accepted by an organization that submits a policy to deploy Windows 11.
-
-When you configure a policy in the Microsoft Intune admin center to deploy any Windows 11 version, the Microsoft Intune admin center displays a notice to remind you that by submitting the policy you are accepting the Windows 11 License Agreement terms on behalf of the devices, and your device users. After submitting the feature updates policy, end users won't see or need to accept the license agreement, making the update process seamless.
-
-This license reminder appears each time you select a Windows 11 build, even if all your Windows devices already run Windows 11. This prompt is provided because Intune doesn't track which devices will receive the policy, and its possible new devices that run Windows 10 might later enroll and be targeted by the policy.
-
-For more information including general licensing details, see the [Windows 11 documentation](/windows/whats-new/windows-11).
-
-### Create policy for Windows 11
-
-To deploy Windows 11, you'll create and deploy a feature updates policy just as you might have done previously for a Windows 10 device. It's the [same process](#create-and-assign-feature-updates-for-windows-10-and-later-policy) though instead of selecting a Windows 10 version, you'll select a Windows 11 version from the *Feature update to deploy* dropdown list. The dropdown list displays both Windows 10 and Windows 11 version updates that are in support.
-
-Also, the admin can choose to deploy the latest Windows 10 update to devices that are not eligible for Windows 11. To enable this feature, the admin must select the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update** in the deployment policy. This capability is only available if you choose a Windows 11 version from the *Feature update to deploy* dropdown list, and if the tenant meets the [licensing requirements](#prerequisites) defined at the beginning of this document.
-
-With this capability, you do not need to create two different deployment policies or two different feature updates. With a single policy, you can get your Windows 10 devices that can't go to Windows 11 to upgrade to the latest Windows 10 version and all the devices that can go to Windows 11 to upgrade to a Windows 11 version that you choose.
-
-You cannot set the checkbox for an existing policy because changing the checkbox value ends the current deployment and starts two new deployments. To change your deployment settings, delete the current feature update policy and create a new policy with the checkbox selected.
-
-- Deploying an older Windows version to a device won't downgrade the device. Devices only install an update when it's newer than the devices current version.
-- Deploying a Windows 11 update to a Windows 10 device that supports Windows 11, [upgrades that device](#upgrade-devices-to-windows-11).
-
## Update behavior when multiple policies target a device
Consider the following points when feature update policies target a device with more than one update policy, or target a Windows 10 device with an update for Windows 11:
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index dce420a319..773f99d98d 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -11,6 +11,8 @@ items:
- name: Feature updates policy
href: feature-updates.md
displayName: windows feature updates
+- name: Upgrade Windows 10 devices
+ href: feature-updates-windows-10.md
- name: Windows quality updates policy
href: quality-updates-policy.md
displayName: windows quality updates
From 49f62eabbb145185a1ec8c98bb83a39fb69ccbe2 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 15:12:53 -0500
Subject: [PATCH 005/139] toc restructure
---
intune/device-updates/windows/toc.yml | 46 ++++++++++++++++-----------
1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index 773f99d98d..a6b8657f5e 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -1,5 +1,5 @@
items:
-- name: overview
+- name: Overview
href: index.md
displayName: windows updates
- name: Use Windows Update client policies
@@ -8,18 +8,24 @@ items:
- name: Update rings policy
href: update-rings.md
displayName: windows updates, rings
-- name: Feature updates policy
- href: feature-updates.md
- displayName: windows feature updates
-- name: Upgrade Windows 10 devices
- href: feature-updates-windows-10.md
-- name: Windows quality updates policy
- href: quality-updates-policy.md
- displayName: windows quality updates
-- name: Expedite updates policy
- href: expedite-updates.md
- displayName: windows updates
-- name: Windows driver updates
+- name: Feature updates
+ items:
+ - name: Feature updates policy
+ href: feature-updates.md
+ displayName: windows feature updates
+ - name: Upgrade Windows 10 devices
+ href: feature-updates-windows-10.md
+- name: Quality updates
+ items:
+ - name: Quality updates policy
+ href: quality-updates-policy.md
+ displayName: windows quality updates
+- name: Expedite updates
+ items:
+ - name: Expedite updates policy
+ href: expedite-updates.md
+ displayName: windows updates
+- name: Driver updates
items:
- name: Driver updates overview
href: driver-updates-overview.md
@@ -30,12 +36,14 @@ items:
- name: Windows rollout options
href: rollout-options.md
displayName: windows updates
-- name: Windows Update compatibility reports
- href: compatibility-reports.md
- displayName: windows updates, reports
-- name: Windows Update reports
- href: reports.md
- displayName: windows updates, reports
+- name: Windows updates reporting
+ items:
+ - name: Windows update reports
+ href: reports.md
+ displayName: windows updates, reports
+ - name: Compatibility reports
+ href: compatibility-reports.md
+ displayName: windows updates, reports
- name: Delivery Optimization
href: ../../intune-service/configuration/delivery-optimization-windows.md
displayName: delivery optimization, windows updates
\ No newline at end of file
From 1a35da73f753b85d0ed5c9182d3bb629755222e5 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 15:20:15 -0500
Subject: [PATCH 006/139] updates
---
intune/device-updates/windows/rollout-options.md | 3 ++-
intune/device-updates/windows/toc.yml | 6 +++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/intune/device-updates/windows/rollout-options.md b/intune/device-updates/windows/rollout-options.md
index ef891c87aa..cfe7cf8b8d 100644
--- a/intune/device-updates/windows/rollout-options.md
+++ b/intune/device-updates/windows/rollout-options.md
@@ -19,7 +19,7 @@ You configure rollout options when creating [Feature Updates policy](feature-upd
- **Make update available on a specific date** - With this option you can select a day on which the update in the policy is initially available to install. Windows Update doesn't make the update available to devices with this configuration until that day is reached.
-
+
## Intelligent rollouts
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index a6b8657f5e..b260703316 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -13,6 +13,9 @@ items:
- name: Feature updates policy
href: feature-updates.md
displayName: windows feature updates
+ - name: Windows rollout options
+ href: rollout-options.md
+ displayName: windows updates
- name: Upgrade Windows 10 devices
href: feature-updates-windows-10.md
- name: Quality updates
@@ -33,9 +36,6 @@ items:
- name: Driver updates policy
href: driver-updates-policy.md
displayName: windows updates, drivers
-- name: Windows rollout options
- href: rollout-options.md
- displayName: windows updates
- name: Windows updates reporting
items:
- name: Windows update reports
From 3f757fb4328b827a5215a257b45b0407d25e33d8 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 16:17:26 -0500
Subject: [PATCH 007/139] content split
---
.../device-updates/windows/feature-updates.md | 29 ++++---
intune/device-updates/windows/toc.yml | 8 +-
intune/device-updates/windows/update-rings.md | 83 ++++++++++---------
3 files changed, 66 insertions(+), 54 deletions(-)
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 8c4f1747fd..6e98f6c87c 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -79,6 +79,24 @@ When a device receives a policy for Feature updates:
:::column-end:::
:::row-end:::
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+> The configuration of feature update releases supports the following Windows editions:
+> - Pro
+> - Pro Education
+> - Enterprise
+> - Education
+>
+> > [!IMPORTANT]
+> > *Windows Enterprise LTSC*: Windows Update client policies doesn'o't support the *Long Term Service Channel* release. Plan to use alternative patching methods, like WSUS or Configuration Manager.
+:::column-end:::
+:::row-end:::
+
+
:::row:::
:::column span="1":::
[!INCLUDE [device-configuration](../../includes/requirements/device-configuration.md)]
@@ -101,17 +119,6 @@ When a device receives a policy for Feature updates:
> - Windows Autopatch
>
> - Enable [data collection](reports.md#configuring-for-client-data-reporting) in Intune for devices that you wish to deploy feature updates.
->
-> - Feature updates are supported for the following Windows editions:
-> - Pro
-> - Enterprise
-> - Pro Education
-> - Education
-> - Pro for Workstations
->
-> > [!NOTE]
-> > **Unsupported versions and editions**:
-> > *Windows Enterprise LTSC*: Windows Update client policies does not support the *Long Term Service Channel* release. Plan to use alternative patching methods, like WSUS or Configuration Manager.
:::column-end:::
:::row-end:::
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index b260703316..49abce0a17 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -5,9 +5,11 @@ items:
- name: Use Windows Update client policies
href: configure.md
displayName: windows updates
-- name: Update rings policy
- href: update-rings.md
- displayName: windows updates, rings
+- name: Windows updates rings
+ items:
+ - name: Update rings policy
+ href: update-rings.md
+ displayName: windows updates, rings
- name: Feature updates
items:
- name: Feature updates policy
diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md
index f4cccc9fd0..0c0997a4d6 100644
--- a/intune/device-updates/windows/update-rings.md
+++ b/intune/device-updates/windows/update-rings.md
@@ -1,12 +1,12 @@
---
-title: Configure Windows Update rings policy in Intune
+title: Configure Windows Update rings policy
description: Create and manage Intune policy for Windows update rings. You can configure, deploy, and pause update installation with Windows Update client policies using Microsoft Intune.
ms.date: 04/18/2024
ms.topic: how-to
ms.reviewer: davguy; davidmeb; bryanke
---
-# Windows Update rings policy in Intune
+# Windows Update rings policy
Create update rings that specify how and when Windows as a Service updates your Windows devices with [*feature* and *quality* updates](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates). With Windows, new feature and quality updates include the contents of all previous updates. As long as you've installed the latest update, you know your Windows devices are up to date. Unlike with previous versions of Windows, you now must install the entire update instead of part of an update.
@@ -24,31 +24,38 @@ The following prerequisites must be met to use Windows Update Rings for Windows
> [!NOTE]
> Although not required to configure Windows Update client policies, if the Microsoft Account Sign-In Assistant (wlidsvc) service is disabled, Windows Update doesn't offer feature updates. For more information, see [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
-- Devices must be one of the following supported Windows editions:
-
- - Windows Pro
- - Windows Enterprise
- - Windows IoT Enterprise
- - Windows Education
- - Windows Team - for Surface Hub devices
- - Windows Holographic for Business - Windows Holographic for Business supports a subset of settings for Windows updates, including:
- - **Automatic update behavior**
- - **Microsoft product updates**
- - **Servicing channel**: Any update build that is generally available.
-
- For more information, see [Manage Windows Holographic](../../intune-service/fundamentals/windows-holographic-for-business.md).
-
- - Windows Enterprise LTSC and IoT Enterprise LTSC- LTSC is supported for Quality updates, but not for Feature updates. As a result, the following ring controls aren't supported for LTSC:
- - [Pause](update-rings.md#pause) of *Feature* updates
- - [Feature Update Deferral period (days)](settings.md#update-settings)
- - [Set feature update uninstall period (2 - 60 days)](settings.md#update-settings)
- - [Enable pre-release builds](settings.md#update-settings), which includes the following build options:
- - Windows Insider – Release Preview
- - Beta Channel
- - Dev Channel
- - [Use deadline settings](settings.md#user-experience-settings) for *Feature* updates.
-
-### Limitations for Workplace Joined devices
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../includes/requirements/platform.md)]
+
+:::column-end:::
+:::column span="3":::
+> Windows update ring policies support the following Windows editions:
+> - Pro
+> - Pro Education
+> - Enterprise
+> - Education
+> - Windows IoT Enterprise
+> - Windows Team - for Surface Hub devices
+> - Windows Holographic for Business - Windows Holographic for Business supports a subset of settings for Windows updates, including:
+> - **Automatic update behavior**
+> - **Microsoft product updates**
+> - **Servicing channel**: Any update build that is generally available.
+> For more information, see [Manage Windows Holographic](../../intune-service/fundamentals/windows-holographic-for-business.md).
+>
+> Windows Enterprise LTSC and IoT Enterprise LTSC- LTSC is supported for Quality updates, but not for Feature updates. As a result, the following ring controls aren't supported for LTSC:
+> - [Pause](update-rings.md#pause) of *Feature* updates
+> - [Feature Update Deferral period (days)](settings.md#update-settings)
+> - [Set feature update uninstall period (2 - 60 days)](settings.md#update-settings)
+> - [Enable pre-release builds](settings.md#update-settings), which includes the following build options:
+> - Windows Insider Release Preview
+> - Beta Channel
+> - Dev Channel
+> - [Use deadline settings](settings.md#user-experience-settings) for *Feature* updates.
+:::column-end:::
+:::row-end:::
+
+### Limitations for Microsoft Entra registered devices
Intune Update rings for Windows require the use of Windows Update client policies, which supports devices that are Workplace Joined (WPJ). However, the following Intune Windows Update policy types use Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview), which provides for additional capabilities that are not supported for WPJ devices.
@@ -56,20 +63,16 @@ Intune Update rings for Windows require the use of Windows Update client policie
- Feature updates
- Quality updates (also known as *Expedited* updates)
-For more information about WPJ limitations for Intune Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md).
+For more information about Microsoft Entra registered devices limitations for Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md).
## Create and assign update rings
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Update rings** tab > **Create profile**.
-
-3. Under *Basics*, specify a name, a description (optional), and then select **Next**.
+1. Select **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Update rings** tab > **Create profile**.
+1. Under *Basics*, specify a name, a description (optional), and then select **Next**.

-
-4. Under **Update ring settings**, configure settings for your business needs. For information about the available settings, see [Windows update settings](settings.md). After configuring *Update and User experience* settings, select **Next**.
-
-5. Under **Scope tags**, select **+ Select scope tags** to open the *Select tags* pane if you want to apply them to the update ring. Choose one or more tags, and then click **Select** to add them to the update ring and return to the *Scope tag*s page.
+1. Under **Update ring settings**, configure settings for your business needs. For information about the available settings, see [Windows update settings](settings.md). After configuring *Update and User experience* settings, select **Next**.
+1. Under **Scope tags**, select **+ Select scope tags** to open the *Select tags* pane if you want to apply them to the update ring. Choose one or more tags, and then click **Select** to add them to the update ring and return to the *Scope tag*s page.
When ready, select **Next** to continue to *Assignments*.
@@ -77,11 +80,11 @@ For more information about WPJ limitations for Intune Windows Update policies, s
> When configuring or editing Intune policies, some policy types might not display the Scope Tags configuration page if there are no custom defined scope tags for the tenant.
> If you don't see the Scope Tag option, ensure that at least one tag in addition to the default scope tag has been defined.
-6. Under **Assignments**, choose **+ Select groups to include** and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignment. Select **Next** to continue.
+1. Under **Assignments**, choose **+ Select groups to include** and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignment. Select **Next** to continue.
In most cases, we recommend deploying update rings to device groups. Use of device groups aligns to our guidance for deploying [feature updates](feature-updates.md) and removes the need for a user to sign-on to a device before the policy can apply.
-7. Under **Review + create**, review the settings, and then select **Create** when ready to save your Windows update ring. Your new update ring is displayed in the list of update rings.
+1. Under **Review + create**, review the settings, and then select **Create** when ready to save your Windows update ring. Your new update ring is displayed in the list of update rings.
## Manage your Windows Update rings
@@ -136,8 +139,8 @@ If you resume a paused update ring, and then pause that ring again, the pause pe
##### To pause a ring
1. While viewing the overview page for an Update Ring, select **Pause**.
-2. Select either **Feature** or **Quality** to pause that type of update, and then select **OK**.
-3. After pausing one update type, you can select Pause again to pause the other update type.
+1. Select either **Feature** or **Quality** to pause that type of update, and then select **OK**.
+1. After pausing one update type, you can select Pause again to pause the other update type.
When an update type is paused, the Overview pane for that ring displays how many days remain before that update type resumes.
From b6debe4162122bbab5ef3725f95256e689470fa0 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 16:24:35 -0500
Subject: [PATCH 008/139] updates
---
intune/device-updates/windows/update-rings.md | 50 +++++++++----------
1 file changed, 23 insertions(+), 27 deletions(-)
diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md
index 0c0997a4d6..75a49387ba 100644
--- a/intune/device-updates/windows/update-rings.md
+++ b/intune/device-updates/windows/update-rings.md
@@ -94,13 +94,7 @@ In the portal, navigate to **Devices** > **By platform** > **Windows** > **Manag
This view includes:
-- **Policy actions**: Use the following options near the top of the policy view to manage the update ring policy:
-
-- [Delete](#delete)
-- [Pause](#pause)
-- [Resume](#resume)
-- [Extend](#extend)
-- [Uninstall](#uninstall)
+- **Policy actions**: use the available actions to manage the selected update ring policy. For more information about each action, see the [Policy actions](#policy-actions) section.
:::image type="content" source="./images/update-rings/overview-actions.png" alt-text="Available actions.":::
@@ -120,23 +114,25 @@ This view also includes:
- **Properties**: View details for each configuration page of the policy, including an option to **Edit** each area of the policy.
### Policy actions
-#### Delete
+
+Select a tab to learn more about its purpose and available options.
+
+# [**Delete**](#tab/delete)
Select **Delete** to stop enforcing the settings of the selected Windows update ring. Deleting a ring removes its configuration from Intune so that Intune no longer applies and enforces those settings.
Deleting a ring from Intune doesn't modify the settings on devices that were assigned the update ring. Instead, the device keeps its current settings. Devices don't maintain a historical record of what settings they held previously. Devices can also receive settings from other update rings that remain active.
-##### To delete a ring
+To delete a ring:
1. While viewing the overview page for an Update Ring, select **Delete**.
-2. Select **OK**.
-
-#### Pause
+1. Select **OK**.
+# [**Pause**](#tab/pause)
Select **Pause** to prevent assigned devices from receiving feature or quality updates for up to 35 days from the time you pause the ring. After the maximum days have passed, pause functionality automatically expires and the device scans Windows Updates for applicable updates. Following this scan, you can pause the updates again.
If you resume a paused update ring, and then pause that ring again, the pause period resets to 35 days.
-##### To pause a ring
+To pause a ring:
1. While viewing the overview page for an Update Ring, select **Pause**.
1. Select either **Feature** or **Quality** to pause that type of update, and then select **OK**.
@@ -147,27 +143,25 @@ When an update type is paused, the Overview pane for that ring displays how many
> [!IMPORTANT]
> After you issue a pause command, devices receive this command the next time they check into the service. It's possible that before they check in, they might install a scheduled update. Additionally, if a targeted device is turned off when you issue the pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune.
-#### Resume
-
+# [**Resume**](#tab/resume)
While an update ring is paused, you can select **Resume** to restore feature and quality updates for that ring to active operation. After you resume an update ring, you can pause that ring again.
-##### To resume a ring
+To resume a ring:
1. While viewing the overview page for a paused Update Ring, select **Resume**.
-2. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
-3. After resuming one update type, you can select Resume again to resume the other update type.
-
-#### Extend
+1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
+1. After resuming one update type, you can select Resume again to resume the other update type.
+# [**Extend**](#tab/extend)
While an update ring is paused, you can select **Extend** to reset the pause period for both feature and quality updates for that update ring to 35 days.
-##### To Extend the pause period for a ring
+To Extend the pause period for a ring:
1. While viewing the overview page for a paused Update Ring, select **Extend**.
-2. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
-3. After extending the pause for one update type, you can select Extend again to extend the other update type.
+1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
+1. After extending the pause for one update type, you can select Extend again to extend the other update type.
-#### Uninstall
+# [**Uninstall**](#tab/uninstall)
An Intune administrator can use **Uninstall** to uninstall (roll back) the latest *feature* update or the latest *quality* update for an active or paused update ring. After uninstalling one type, you can then uninstall the other type. Intune doesn't support or manage the ability of users to uninstall updates.
@@ -201,11 +195,13 @@ Consider the following when you use Uninstall:
For more information about Windows Update policies, see [Update CSP](/windows/client-management/mdm/update-csp) in the Windows client management documentation.
-##### To uninstall the latest Windows update
+To uninstall the latest Windows update:
1. While viewing the overview page for a paused Update Ring, select **Uninstall**.
-2. Select from the available options to uninstall either **Feature** or **Quality** updates, and then select **OK**.
-3. After you trigger the uninstall for one update type, you can select Uninstall again to uninstall the remaining update type.
+1. Select from the available options to uninstall either **Feature** or **Quality** updates, and then select **OK**.
+1. After you trigger the uninstall for one update type, you can select Uninstall again to uninstall the remaining update type.
+---
+
## Validation and reporting
From 07f6aff932f46936283e2bca7a72d769a5eed13a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 16:28:07 -0500
Subject: [PATCH 009/139] updates
---
intune/device-updates/windows/feature-updates.md | 2 +-
intune/device-updates/windows/update-rings.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index 6e98f6c87c..aa73fc9c59 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -81,7 +81,7 @@ When a device receives a policy for Feature updates:
:::row:::
:::column span="1":::
-[!INCLUDE [platform](../includes/requirements/platform.md)]
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
:::column-end:::
:::column span="3":::
diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md
index 75a49387ba..140b1a7216 100644
--- a/intune/device-updates/windows/update-rings.md
+++ b/intune/device-updates/windows/update-rings.md
@@ -26,7 +26,7 @@ The following prerequisites must be met to use Windows Update Rings for Windows
:::row:::
:::column span="1":::
-[!INCLUDE [platform](../includes/requirements/platform.md)]
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
:::column-end:::
:::column span="3":::
From 71e00d11dfb38b4a3749e66e920ac46cc9839e0e Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 16:44:17 -0500
Subject: [PATCH 010/139] updates
---
intune/device-updates/windows/icons/delete.svg | 3 +++
intune/device-updates/windows/icons/extend.svg | 10 ++++++++++
intune/device-updates/windows/icons/pause.svg | 3 +++
intune/device-updates/windows/icons/resume.svg | 3 +++
intune/device-updates/windows/icons/uninstall.svg | 3 +++
intune/device-updates/windows/update-rings.md | 10 +++++-----
6 files changed, 27 insertions(+), 5 deletions(-)
create mode 100644 intune/device-updates/windows/icons/delete.svg
create mode 100644 intune/device-updates/windows/icons/extend.svg
create mode 100644 intune/device-updates/windows/icons/pause.svg
create mode 100644 intune/device-updates/windows/icons/resume.svg
create mode 100644 intune/device-updates/windows/icons/uninstall.svg
diff --git a/intune/device-updates/windows/icons/delete.svg b/intune/device-updates/windows/icons/delete.svg
new file mode 100644
index 0000000000..130e71d5f2
--- /dev/null
+++ b/intune/device-updates/windows/icons/delete.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/device-updates/windows/icons/extend.svg b/intune/device-updates/windows/icons/extend.svg
new file mode 100644
index 0000000000..ef9627c5b7
--- /dev/null
+++ b/intune/device-updates/windows/icons/extend.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/icons/pause.svg b/intune/device-updates/windows/icons/pause.svg
new file mode 100644
index 0000000000..eb49c1dcbb
--- /dev/null
+++ b/intune/device-updates/windows/icons/pause.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/device-updates/windows/icons/resume.svg b/intune/device-updates/windows/icons/resume.svg
new file mode 100644
index 0000000000..3464243804
--- /dev/null
+++ b/intune/device-updates/windows/icons/resume.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/device-updates/windows/icons/uninstall.svg b/intune/device-updates/windows/icons/uninstall.svg
new file mode 100644
index 0000000000..fdaa1833c4
--- /dev/null
+++ b/intune/device-updates/windows/icons/uninstall.svg
@@ -0,0 +1,3 @@
+
diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md
index 140b1a7216..2baed714aa 100644
--- a/intune/device-updates/windows/update-rings.md
+++ b/intune/device-updates/windows/update-rings.md
@@ -117,7 +117,7 @@ This view also includes:
Select a tab to learn more about its purpose and available options.
-# [**Delete**](#tab/delete)
+# :::image type="icon" source="icons/delete.svg" border="false"::: [**Delete**](#tab/delete)
Select **Delete** to stop enforcing the settings of the selected Windows update ring. Deleting a ring removes its configuration from Intune so that Intune no longer applies and enforces those settings.
@@ -128,7 +128,7 @@ To delete a ring:
1. While viewing the overview page for an Update Ring, select **Delete**.
1. Select **OK**.
-# [**Pause**](#tab/pause)
+# :::image type="icon" source="icons/pause.svg" border="false"::: [**Pause**](#tab/pause)
Select **Pause** to prevent assigned devices from receiving feature or quality updates for up to 35 days from the time you pause the ring. After the maximum days have passed, pause functionality automatically expires and the device scans Windows Updates for applicable updates. Following this scan, you can pause the updates again.
If you resume a paused update ring, and then pause that ring again, the pause period resets to 35 days.
@@ -143,7 +143,7 @@ When an update type is paused, the Overview pane for that ring displays how many
> [!IMPORTANT]
> After you issue a pause command, devices receive this command the next time they check into the service. It's possible that before they check in, they might install a scheduled update. Additionally, if a targeted device is turned off when you issue the pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune.
-# [**Resume**](#tab/resume)
+# :::image type="icon" source="icons/resume.svg" border="false"::: [**Resume**](#tab/resume)
While an update ring is paused, you can select **Resume** to restore feature and quality updates for that ring to active operation. After you resume an update ring, you can pause that ring again.
To resume a ring:
@@ -152,7 +152,7 @@ To resume a ring:
1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
1. After resuming one update type, you can select Resume again to resume the other update type.
-# [**Extend**](#tab/extend)
+# :::image type="icon" source="icons/extend.svg" border="false"::: [**Extend**](#tab/extend)
While an update ring is paused, you can select **Extend** to reset the pause period for both feature and quality updates for that update ring to 35 days.
To Extend the pause period for a ring:
@@ -161,7 +161,7 @@ To Extend the pause period for a ring:
1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
1. After extending the pause for one update type, you can select Extend again to extend the other update type.
-# [**Uninstall**](#tab/uninstall)
+# :::image type="icon" source="icons/uninstall.svg" border="false"::: [**Uninstall**](#tab/uninstall)
An Intune administrator can use **Uninstall** to uninstall (roll back) the latest *feature* update or the latest *quality* update for an active or paused update ring. After uninstalling one type, you can then uninstall the other type. Intune doesn't support or manage the ability of users to uninstall updates.
From 2941796d90732b27243547dbab25bc717254bb9c Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 16:59:56 -0500
Subject: [PATCH 011/139] updates
---
intune/device-updates/windows/update-rings.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/intune/device-updates/windows/update-rings.md b/intune/device-updates/windows/update-rings.md
index 2baed714aa..bfdb7a32f4 100644
--- a/intune/device-updates/windows/update-rings.md
+++ b/intune/device-updates/windows/update-rings.md
@@ -117,7 +117,7 @@ This view also includes:
Select a tab to learn more about its purpose and available options.
-# :::image type="icon" source="icons/delete.svg" border="false"::: [**Delete**](#tab/delete)
+# [:::image type="icon" source="icons/delete.svg" border="false"::: **Delete**](#tab/delete)
Select **Delete** to stop enforcing the settings of the selected Windows update ring. Deleting a ring removes its configuration from Intune so that Intune no longer applies and enforces those settings.
@@ -128,7 +128,7 @@ To delete a ring:
1. While viewing the overview page for an Update Ring, select **Delete**.
1. Select **OK**.
-# :::image type="icon" source="icons/pause.svg" border="false"::: [**Pause**](#tab/pause)
+# [:::image type="icon" source="icons/pause.svg" border="false"::: **Pause**](#tab/pause)
Select **Pause** to prevent assigned devices from receiving feature or quality updates for up to 35 days from the time you pause the ring. After the maximum days have passed, pause functionality automatically expires and the device scans Windows Updates for applicable updates. Following this scan, you can pause the updates again.
If you resume a paused update ring, and then pause that ring again, the pause period resets to 35 days.
@@ -143,7 +143,7 @@ When an update type is paused, the Overview pane for that ring displays how many
> [!IMPORTANT]
> After you issue a pause command, devices receive this command the next time they check into the service. It's possible that before they check in, they might install a scheduled update. Additionally, if a targeted device is turned off when you issue the pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune.
-# :::image type="icon" source="icons/resume.svg" border="false"::: [**Resume**](#tab/resume)
+# [:::image type="icon" source="icons/resume.svg" border="false"::: **Resume**](#tab/resume)
While an update ring is paused, you can select **Resume** to restore feature and quality updates for that ring to active operation. After you resume an update ring, you can pause that ring again.
To resume a ring:
@@ -152,7 +152,7 @@ To resume a ring:
1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
1. After resuming one update type, you can select Resume again to resume the other update type.
-# :::image type="icon" source="icons/extend.svg" border="false"::: [**Extend**](#tab/extend)
+# [:::image type="icon" source="icons/extend.svg" border="false"::: **Extend**](#tab/extend)
While an update ring is paused, you can select **Extend** to reset the pause period for both feature and quality updates for that update ring to 35 days.
To Extend the pause period for a ring:
@@ -161,7 +161,7 @@ To Extend the pause period for a ring:
1. Select from the available options to resume either **Feature** or **Quality** updates, and then select **OK**.
1. After extending the pause for one update type, you can select Extend again to extend the other update type.
-# :::image type="icon" source="icons/uninstall.svg" border="false"::: [**Uninstall**](#tab/uninstall)
+# [:::image type="icon" source="icons/uninstall.svg" border="false"::: **Uninstall**](#tab/uninstall)
An Intune administrator can use **Uninstall** to uninstall (roll back) the latest *feature* update or the latest *quality* update for an active or paused update ring. After uninstalling one type, you can then uninstall the other type. Intune doesn't support or manage the ability of users to uninstall updates.
From 64636812aa1ec097a5cb88ede9eb506c6b6c7339 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 17 Dec 2025 20:44:01 -0500
Subject: [PATCH 012/139] updates
---
intune/device-updates/windows/configure.md | 28 -----------------
...ing-deferrals-to-feature-updates-policy.md | 30 +++++++++++++++++++
intune/device-updates/windows/toc.yml | 2 ++
3 files changed, 32 insertions(+), 28 deletions(-)
create mode 100644 intune/device-updates/windows/ring-deferrals-to-feature-updates-policy.md
diff --git a/intune/device-updates/windows/configure.md b/intune/device-updates/windows/configure.md
index 74c0af1da1..cc3a8d59e0 100644
--- a/intune/device-updates/windows/configure.md
+++ b/intune/device-updates/windows/configure.md
@@ -57,34 +57,6 @@ If you support WPJ devices with Intune, the following information can help you u
| **Reports - Summary count of devices**: - Feature updates - Quality updates | Windows Update for Business reports | Windows Update for Business reports |
| **Reports – Detailed status**: - Per Update | Windows Update for Business reports | Yes, in Intune |
-## Move from update ring deferrals to feature updates policy
-
-When using Intune to manage Windows updates, it's possible to use both *update rings* policy with update deferrals, and *feature updates* policy to manage the updates you want to install on devices. If you're using feature updates, we recommend you end use of deferrals as configured in your update rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations. You can continue to use the user experience settings from update rings, as they don't create issues when combined with feature updates policy.
-
-While nothing prohibits use of both policy types to control which updates can install on a device, there's typically no advantage to doing so. When both policy types apply to a device, the conditions of both policy types must be met (be true) on the device before it's offered an applicable update. This scenario can lead to updates not installing as expected due to a block by one of the policy types.
-
-### Plan to transition
-
-Plan to manage the change from using update ring deferrals to feature updates so that the Windows Update service can be ready to deploy the updates you expect.
-
-- When Intune policies for Windows updates are created or modified, Intune passes the policy details to Windows Update, which then determines the updates that are applicable for each device that's assigned one or more update policies.
-
-- The process to evaluate updates for devices can take up to 10 minutes to complete, and in some cases might take a bit longer.
-
-- If a device starts a scan for updates *after* a deferral has been set to zero or removed for the device, but *before* Windows Update completes the processing of the feature updates policy, that device can be offered an update you didn't plan for it to install.
-
-Use the following process to ensure Windows Update has processed your feature updates policy before deferrals are removed.
-
-#### Switch to feature updates policy
-
-1. In the Microsoft Intune admin center, create a [feature updates policy](feature-updates.md) that configures your desired Windows version, and assign it to applicable devices.
-
- After the saved policy is assigned to devices, it will take a few minutes for Windows Update to process the policy.
-
-2. View the [Windows feature updates (Organizational)](reports.md#use-the-windows-10-feature-updates-organizational-report) report for the feature update policy, and verify devices have a state of **OfferReady** before you proceed. Once all devices show **OfferReady**, Windows Update has completed processing the policy.
-
-3. After devices are verified to be in the **OfferReady** state you can safely reconfigure the [Update ring policy](update-rings.md), for that same set of devices to change the setting **Feature update deferral period (days)** to a value of **0**.
-
## Reporting on updates
To learn about report options for Update rings policy and Windows feature updates policy, see [Windows update reports](reports.md).
diff --git a/intune/device-updates/windows/ring-deferrals-to-feature-updates-policy.md b/intune/device-updates/windows/ring-deferrals-to-feature-updates-policy.md
new file mode 100644
index 0000000000..866c9cecbd
--- /dev/null
+++ b/intune/device-updates/windows/ring-deferrals-to-feature-updates-policy.md
@@ -0,0 +1,30 @@
+---
+title: Move from update ring deferrals to feature updates policy
+description: TBD
+ms.date: 09/10/2024
+ms.topic: how-to
+ms.reviewer:
+---
+
+# Move from update ring deferrals to feature updates policy
+
+When using Intune to manage Windows updates, it's possible to use both *update rings* policy with update deferrals, and *feature updates* policy to manage the updates you want to install on devices. If you're using feature updates, we recommend you end use of deferrals as configured in your update rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations. You can continue to use the user experience settings from update rings, as they don't create issues when combined with feature updates policy.
+
+While nothing prohibits use of both policy types to control which updates can install on a device, there's typically no advantage to doing so. When both policy types apply to a device, the conditions of both policy types must be met (be true) on the device before it's offered an applicable update. This scenario can lead to updates not installing as expected due to a block by one of the policy types.
+
+## Plan to transition
+
+Plan to manage the change from using update ring deferrals to feature updates so that the Windows Update service can be ready to deploy the updates you expect.
+
+- When Intune policies for Windows updates are created or modified, Intune passes the policy details to Windows Update, which then determines the updates that are applicable for each device that's assigned one or more update policies.
+- The process to evaluate updates for devices can take up to 10 minutes to complete, and in some cases might take a bit longer.
+- If a device starts a scan for updates *after* a deferral has been set to zero or removed for the device, but *before* Windows Update completes the processing of the feature updates policy, that device can be offered an update you didn't plan for it to install.
+
+Use the following process to ensure Windows Update has processed your feature updates policy before deferrals are removed.
+
+### Switch to feature updates policy
+
+1. In the Microsoft Intune admin center, create a [feature updates policy](feature-updates.md) that configures your desired Windows version, and assign it to applicable devices.
+ After the saved policy is assigned to devices, it will take a few minutes for Windows Update to process the policy.
+1. View the [Windows feature updates (Organizational)](reports.md#use-the-windows-10-feature-updates-organizational-report) report for the feature update policy, and verify devices have a state of **OfferReady** before you proceed. Once all devices show **OfferReady**, Windows Update has completed processing the policy.
+1. After devices are verified to be in the **OfferReady** state you can safely reconfigure the [Update ring policy](update-rings.md), for that same set of devices to change the setting **Feature update deferral period (days)** to a value of **0**.
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index 49abce0a17..50f2f36d3b 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -15,6 +15,8 @@ items:
- name: Feature updates policy
href: feature-updates.md
displayName: windows feature updates
+ - name: Move from deferrals to feature updates policy
+ href: ring-deferrals-to-feature-updates-policy.md
- name: Windows rollout options
href: rollout-options.md
displayName: windows updates
From bc1f78f4dd6bf06e40ea544f267823f7e5c6c291 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 18 Dec 2025 11:20:07 -0500
Subject: [PATCH 013/139] updates
---
.../device-updates/windows/feature-updates.md | 158 +++++++++---------
intune/device-updates/windows/toc.yml | 3 +
2 files changed, 82 insertions(+), 79 deletions(-)
diff --git a/intune/device-updates/windows/feature-updates.md b/intune/device-updates/windows/feature-updates.md
index aa73fc9c59..b7d15b4341 100644
--- a/intune/device-updates/windows/feature-updates.md
+++ b/intune/device-updates/windows/feature-updates.md
@@ -10,28 +10,27 @@ ms.reviewer: davidmeb; bryanke; davguy
With Microsoft Intune, you can create and deploy policy settings that ensure your Windows devices remain on a specific Windows feature update version. These settings help you manage and control the feature set of Windows on your devices, providing stability and predictability for your organization's IT environment.
-With these policies, you can:
+With Windows feature updates policies, you can:
- Select the Windows [feature update](/windows/deployment/update/get-started-updates-channels-tools#types-of-updates) version that you want devices to remain at. This option supports setting a feature level to any version that remains in support at the time you create the policy.
- [Upgrade devices that run Windows 10 to Windows 11](#upgrade-devices-to-windows-11).
Windows feature updates policies work with update rings policies to prevent a device from receiving a Windows feature version that's later than the value specified in the feature updates policy.
-## How feature updates work
+## How feature updates policies work
-When a device receives a policy for Feature updates:
+When a device receives a feature update policy:
-- The device updates to the version of Windows specified in the policy. A device that already runs a later version of Windows remains at its current version. By freezing the version, the devices feature set remains stable during the duration of the policy.
+- The device updates to the version of Windows specified in the policy.
+ - A device that already runs a later version of Windows remains at its current version. By freezing the version, the devices feature set remains stable during the duration of the policy.
> [!NOTE]
- > A device won't install an update when it has a *safeguard hold* for that Windows version. When a device evaluates applicability of an update version, Windows creates the temporary safeguard hold if an unresolved known issue exists. Once the issue is resolved, the hold is removed and the device can then update.
+ > A device won't install an update when it has a [*safeguard hold*](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) for that Windows version. When a device evaluates applicability of an update version, Windows creates the temporary safeguard hold if an unresolved known issue exists. Once the issue is resolved, the hold is removed and the device can then update.
>
- > - Learn more about [safeguard holds](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) in the Windows documentation for *Feature Update Status*.
- > - To learn about known issues that can result in a safeguard hold, see the applicable Windows release information and then reference the relevant Windows version from the table of contents for that page:
- > - [Windows 11 release information](/windows/release-health/windows11-release-information)
+ > - To learn about known issues that can result in a safeguard hold, see the applicable Windows release information and then reference the relevant Windows version from the table of contents for that page: [Windows 11 release information](/windows/release-health/windows11-release-information).
-- Unlike using the *Pause* option of an update ring, which expires after 35 days, the feature updates policy remains in effect. Devices won't install a new Windows version until you modify or remove the Feature updates policy. If you edit the policy to specify a newer version, devices can then install the features from that Windows version.
+- Unlike using the *Pause* option of an update ring, which expires after 35 days, the feature updates policy remains in effect. Devices won't install a new Windows version until you modify or remove the feature updates policy. If you edit the policy to specify a newer version, devices can install that newer version.
- The ability to *Uninstall* the Feature update is still honored by the update rings.
- You can configure policy to manage the schedule by which Windows Update makes the offer available to devices. For more information, see [Rollout options for Windows Updates](rollout-options.md).
- When a Windows feature update is deployed to a device from the cloud service, the latest monthly quality update is automatically included.
@@ -125,88 +124,45 @@ When a device receives a policy for Feature updates:
### Limitations for Microsoft Entra registered devices
-Feature updates policies require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). Where Windows Update client policies supports Microsoft Entra registered devices, Windows Autopatch provides more capabilities that aren't supported by those devices.
+Feature updates policies require the use of Windows Update client policies and [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). While Windows Update client policies supports Microsoft Entra registered devices, Windows Autopatch provides more capabilities that aren't supported by those devices.
-For more information about Microsoft Entra registered devices limitations for Windows Update policies, see [Policy limitations for Workplace Joined devices](configure.md).
-
-## Limitations for Feature updates for Windows 10 and later policy
-
-- When you deploy a *Feature updates for Windows 10 and later* policy to a device that also receives an *Update rings for Windows 10 and later* policy, review the update ring for the following configurations:
- - We recommend setting the **Feature update deferral period (days)** to **0**. This configuration ensures your feature updates aren't delayed by update deferrals that might be configured in an update ring policy.
- - Feature updates for the update ring must be *running*. They must not be paused.
-
- > [!TIP]
- > If you're using feature updates, we recommend you set the Feature update deferral period to *0* in the associated Update Rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations.
- >
- > For more information, see [Move from update ring deferrals to feature updates policy](configure.md#move-from-update-ring-deferrals-to-feature-updates-policy)
-
-- Feature updates for Windows 10 and later policies can't be applied during the Windows Autopilot out of box experience (OOBE). Instead, the policies apply at the first Windows Update scan after a device has finished provisioning, which is typically a day.
-
-- If you co-manage devices with Configuration Manager, feature updates policies might not immediately take effect on devices when you newly configure the [Windows Update policies workload](../../configmgr/comanage/workloads.md#windows-update-policies) to Intune. This delay is temporary but can initially result in devices updating to a later feature update version than is configured in the policy.
-
- To prevent this initial delay from impacting your co-managed devices:
-
- 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- 2. Go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Feature updates** tab > **Create profile**.
- 3. For **Deployment settings**, enter a meaningful name and a description for the policy. Then, specify the feature update you want devices to be running.
- 4. Complete the policy configuration, including assigning the policy to devices. The policy deploys to devices, though any device that already has the version you've selected, or a newer version, won't be offered the update.
-
- Monitor the report for the policy. To do so, go to **Reports** > **Windows Updates** > **Reports** tab > **Feature Updates report**. Select the policy you created and then generate the report.
-
- 5. Devices that have a state of *OfferReady* or later, are enrolled for feature updates and protected from updating to anything newer than the update you specified in step 3. See [Use the Windows 10 feature updates (Organizational) report](reports.md#use-the-windows-10-feature-updates-organizational-report).
- 6. With devices enrolled for updates and protected, you can safely change the *Windows Update policies* workload from Configuration Manager to Intune. See, [Switch workloads to Intune](/configmgr/comanage/how-to-switch-workloads) in the co-management documentation.
-
-- When the device checks in to the Windows Update service, the device's group membership is validated against the security groups assigned to the feature updates policy settings for any feature update holds.
-
-- Managed devices that receive feature update policy are automatically enrolled with the [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). The service manages the updates a device receives. Microsoft Intune uses this service and works with your Intune policies for Windows updates to deploy feature updates to devices.
-
- When a device is no longer assigned to any feature update policies, the device remains enrolled in Autopatch. This change allows time to assign the device to a different policy and ensure that in the meantime the device doesn't receive a feature update that wasn't intended.
-
- As a result, when a feature updates policy no longer applies to a device, that device isn't offered any feature update until one of the following happens:
-
- - The device is assigned to a new feature update profile.
- - The device is unenrolled from Intune, which unenrolls the device from feature update management by Autopatch.
- - You use the [Windows Autopatch graph API](/graph/windowsupdates-enroll) to [remove the device](/graph/api/windowsupdates-updatableasset-unenrollassets) from feature update management.
+For more information, see [Microsoft Entra registered devices limitations for Windows Update policies](configure.md).
## Create and assign Feature updates for Windows 10 and later policy
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Devices** > **By platform** > **Windows** > **Windows 10 and later updates** > **Feature updates** tab > **Create profile**.
-
-3. Under **Deployment settings**:
-
- a. **Name**, **Description**: Specify a name, and a description (optional).
-
- b. **Required/Optional updates**: These options are only available when the target version is Windows 11.
-
- - When the default option **Make available to users as a required update** is selected, the device will automatically install the update based on device settings.
- - When the admin selects the option **Make available to users as an optional update**, then the selected updates are made available to users as an optional update. The rollout settings still control when the update is available to the device but then the user must choose to install the update before it is installed on the device.
+1. In the [Microsoft Intune admin center][INT-AC], select **Devices** > **Windows**
+1. Select **Windows updates** > **Feature updates**
+1. Select **Create profile**
+1. Under **Deployment settings**:
+ - Specify a **Name** and an optional **Description** for the feature updates deployment.
+ - From the **Feature update to deploy** dropdown, select the Windows version you want to deploy. Only versions of Windows that remain in support are available to select.
+ - Select either:
+ - **Make available to users as a required update**: the device will automatically install the update based on device settings.
+ - **Make available to users as an optional update**: selected updates are made available to users as an optional update. The rollout settings still control when the update is available to the device but then the user must choose to install the update before it is installed on the device. This option requires a license for Windows Autopatch.
+1. Under **Rollout options**, configure how and when the update is made available to devices that receive this policy. For more information, see [Rollout options for Windows Updates](rollout-options.md).
+1. Select **Next**
+1. Under **Assignments**, assign the policy to one or more device groups. Select **Next** to continue.
+1. Under **Review + create**, review the settings. When ready to save the policy, select **Create**.
- **What the user sees on their device**
- When the admin makes the update available as an **Optional** update, the user must navigate to the **Windows update settings** page to see and choose to install the update. It is recommended to communicate to end users through your communication channels that an optional update is available to them.
- When the user navigates to the **Windows update settings** page, they can see and choose to install the update when they're willing to take the update.
- Users have to click **Download** to install the update. Otherwise it doesn't get installed until the admin makes it a **Required** update.
- It's the same optional update experience that users are familiar with in their personal PCs.
+## User experience
- When the admin switches from **Optional** to **Required**, the following behavior is observed:
+When the admin makes the update available as an **Optional** update, the user must navigate to the **Windows update settings** page to see and choose to install the update. It is recommended to communicate to end users through your communication channels that an optional update is available to them.
- - Updates aren't reinstalled for people who went ahead and opted to install the update back when it was an **Optional** update.
- - If a device has not started on an update, the next time the device checks for updates the update is treated and automatically installed as a **Required** update.
+When the user navigates to the **Windows update settings** page, they can see and choose to install the update when they're willing to take the update.
+Users have to click **Download** to install the update. Otherwise it doesn't get installed until the admin makes it a **Required** update.
+It's the same optional update experience that users are familiar with in their personal PCs.
- When the admin switches from **Required** to **Optional**, the following behavior is observed:
+When the admin switches from **Optional** to **Required**, the following behavior is observed:
- - Devices that have already installed the update are not impacted.
- - Devices that are pending restart are likely to continue to install the update as a **Required** update.
- - Switching only impacts devices that haven't started the update yet or were early enough in the update process so they could be changed to an **Optional** update.
+- Updates aren't reinstalled for people who went ahead and opted to install the update back when it was an **Optional** update.
+- If a device has not started on an update, the next time the device checks for updates the update is treated and automatically installed as a **Required** update.
- c. **Feature update to deploy**: select the specific version of Windows with the feature set you want deployed on your devices. Only versions of Windows that remain in support are available to select.
+When the admin switches from **Required** to **Optional**, the following behavior is observed:
- d. **Rollout options**: Configure **Rollout options** to manage when Windows Updates makes the update available to devices that receive this policy. For more information about using these options, see [Rollout options for Windows Updates](rollout-options.md), and then select **Next**.
+- Devices that have already installed the update are not impacted.
+- Devices that are pending restart are likely to continue to install the update as a **Required** update.
+- Switching only impacts devices that haven't started the update yet or were early enough in the update process so they could be changed to an **Optional** update.
-4. Under **Assignments**, choose **+ Select groups to include** and then assign the feature updates deployment to one or more device groups. Select **Next** to continue.
-
-5. Under **Review + create**, review the settings. When ready to save the Feature updates policy, select **Create**.
## Update behavior when multiple policies target a device
@@ -256,9 +212,53 @@ There are multiple options to get in-depth reporting for Windows 10/11 updates w
To learn more, see [Intune compliance reports](reports.md).
+## Limitations for Feature updates for Windows 10 and later policy
+
+- When you deploy a *Feature updates for Windows 10 and later* policy to a device that also receives an *Update rings for Windows 10 and later* policy, review the update ring for the following configurations:
+ - We recommend setting the **Feature update deferral period (days)** to **0**. This configuration ensures your feature updates aren't delayed by update deferrals that might be configured in an update ring policy.
+ - Feature updates for the update ring must be *running*. They must not be paused.
+
+ > [!TIP]
+ > If you're using feature updates, we recommend you set the Feature update deferral period to *0* in the associated Update Rings policy. Combining update ring deferrals with feature updates policy can create complexity that might delay update installations.
+ >
+ > For more information, see [Move from update ring deferrals to feature updates policy](configure.md#move-from-update-ring-deferrals-to-feature-updates-policy)
+
+- Feature updates for Windows 10 and later policies can't be applied during the Windows Autopilot out of box experience (OOBE). Instead, the policies apply at the first Windows Update scan after a device has finished provisioning, which is typically a day.
+
+- If you co-manage devices with Configuration Manager, feature updates policies might not immediately take effect on devices when you newly configure the [Windows Update policies workload](../../configmgr/comanage/workloads.md#windows-update-policies) to Intune. This delay is temporary but can initially result in devices updating to a later feature update version than is configured in the policy.
+
+ To prevent this initial delay from impacting your co-managed devices:
+
+ 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+ 2. Go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Feature updates** tab > **Create profile**.
+ 3. For **Deployment settings**, enter a meaningful name and a description for the policy. Then, specify the feature update you want devices to be running.
+ 4. Complete the policy configuration, including assigning the policy to devices. The policy deploys to devices, though any device that already has the version you've selected, or a newer version, won't be offered the update.
+
+ Monitor the report for the policy. To do so, go to **Reports** > **Windows Updates** > **Reports** tab > **Feature Updates report**. Select the policy you created and then generate the report.
+
+ 5. Devices that have a state of *OfferReady* or later, are enrolled for feature updates and protected from updating to anything newer than the update you specified in step 3. See [Use the Windows 10 feature updates (Organizational) report](reports.md#use-the-windows-10-feature-updates-organizational-report).
+ 6. With devices enrolled for updates and protected, you can safely change the *Windows Update policies* workload from Configuration Manager to Intune. See, [Switch workloads to Intune](/configmgr/comanage/how-to-switch-workloads) in the co-management documentation.
+
+- When the device checks in to the Windows Update service, the device's group membership is validated against the security groups assigned to the feature updates policy settings for any feature update holds.
+
+- Managed devices that receive feature update policy are automatically enrolled with the [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview). The service manages the updates a device receives. Microsoft Intune uses this service and works with your Intune policies for Windows updates to deploy feature updates to devices.
+
+ When a device is no longer assigned to any feature update policies, the device remains enrolled in Autopatch. This change allows time to assign the device to a different policy and ensure that in the meantime the device doesn't receive a feature update that wasn't intended.
+
+ As a result, when a feature updates policy no longer applies to a device, that device isn't offered any feature update until one of the following happens:
+
+ - The device is assigned to a new feature update profile.
+ - The device is unenrolled from Intune, which unenrolls the device from feature update management by Autopatch.
+ - You use the [Windows Autopatch graph API](/graph/windowsupdates-enroll) to [remove the device](/graph/api/windowsupdates-updatableasset-unenrollassets) from feature update management.
+
## Next steps
- Use [Windows update rings in Intune](update-rings.md)
- Use [Windows update compatibility reports](compatibility-reports.md)
- Use [Windows update reports](reports.md) for Windows 10/11 updates
- Also see [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) in the Windows deployment content for an alternative solution
+
+
+
+
+[INT-AC]: https://go.microsoft.com/fwlink/?linkid=2109431
\ No newline at end of file
diff --git a/intune/device-updates/windows/toc.yml b/intune/device-updates/windows/toc.yml
index 50f2f36d3b..9078726e67 100644
--- a/intune/device-updates/windows/toc.yml
+++ b/intune/device-updates/windows/toc.yml
@@ -10,6 +10,9 @@ items:
- name: Update rings policy
href: update-rings.md
displayName: windows updates, rings
+ - name: Policy settings reference
+ href: settings.md
+ displayName: windows updates, rings
- name: Feature updates
items:
- name: Feature updates policy
From efd95a3496bec6eff6b81f9fc93fcc62b8df6e8e Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 18 Dec 2025 12:24:03 -0500
Subject: [PATCH 014/139] updates
---
.../windows/icons/client-policies.svg | 10 ++++++++++
.../windows/icons/driver-updates.svg | 10 ++++++++++
.../device-updates/windows/icons/expedite.svg | 15 +++++++++++++++
.../windows/icons/feature-updates.svg | 10 ++++++++++
.../windows/icons/hotpatch-updates.svg | 10 ++++++++++
.../windows/icons/quality-updates.svg | 10 ++++++++++
.../windows/icons/update-ring.svg | 10 ++++++++++
intune/device-updates/windows/index.md | 17 ++++++++++-------
8 files changed, 85 insertions(+), 7 deletions(-)
create mode 100644 intune/device-updates/windows/icons/client-policies.svg
create mode 100644 intune/device-updates/windows/icons/driver-updates.svg
create mode 100644 intune/device-updates/windows/icons/expedite.svg
create mode 100644 intune/device-updates/windows/icons/feature-updates.svg
create mode 100644 intune/device-updates/windows/icons/hotpatch-updates.svg
create mode 100644 intune/device-updates/windows/icons/quality-updates.svg
create mode 100644 intune/device-updates/windows/icons/update-ring.svg
diff --git a/intune/device-updates/windows/icons/client-policies.svg b/intune/device-updates/windows/icons/client-policies.svg
new file mode 100644
index 0000000000..eed45b964f
--- /dev/null
+++ b/intune/device-updates/windows/icons/client-policies.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/icons/driver-updates.svg b/intune/device-updates/windows/icons/driver-updates.svg
new file mode 100644
index 0000000000..2e7c483beb
--- /dev/null
+++ b/intune/device-updates/windows/icons/driver-updates.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/icons/expedite.svg b/intune/device-updates/windows/icons/expedite.svg
new file mode 100644
index 0000000000..8fbcadbc47
--- /dev/null
+++ b/intune/device-updates/windows/icons/expedite.svg
@@ -0,0 +1,15 @@
+
diff --git a/intune/device-updates/windows/icons/feature-updates.svg b/intune/device-updates/windows/icons/feature-updates.svg
new file mode 100644
index 0000000000..ab711b333a
--- /dev/null
+++ b/intune/device-updates/windows/icons/feature-updates.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/icons/hotpatch-updates.svg b/intune/device-updates/windows/icons/hotpatch-updates.svg
new file mode 100644
index 0000000000..a81820f4eb
--- /dev/null
+++ b/intune/device-updates/windows/icons/hotpatch-updates.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/icons/quality-updates.svg b/intune/device-updates/windows/icons/quality-updates.svg
new file mode 100644
index 0000000000..f9142f1a11
--- /dev/null
+++ b/intune/device-updates/windows/icons/quality-updates.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/icons/update-ring.svg b/intune/device-updates/windows/icons/update-ring.svg
new file mode 100644
index 0000000000..980905a266
--- /dev/null
+++ b/intune/device-updates/windows/icons/update-ring.svg
@@ -0,0 +1,10 @@
+
diff --git a/intune/device-updates/windows/index.md b/intune/device-updates/windows/index.md
index 9f3c496058..f2f7395b33 100644
--- a/intune/device-updates/windows/index.md
+++ b/intune/device-updates/windows/index.md
@@ -83,10 +83,13 @@ Understand hotpatching scenarios
Monitor and troubleshoot update compliance
-| Feature | When using Autopatch | When NOT using Autopatch |
-|--------------------------|-------------------------------------------------------------------------------------------|-----------------------------------------------|
-| Update rings | Autopatch creates & manages its own rings; you shouldn't assign your own to these devices | You configure your own update rings in Intune |
-| Feature update policies | Autopatch manages version targeting | You use Intune's Feature updates policy |
-| Quality expedite updates | Autopatch handles emergency patching | You use "Expedite" policy |
-| Driver updates | Autopatch manages this | You can allow/deny via settings |
-| Update coordination | Autopatch orchestrates everything | You control scheduling & behavior |
\ No newline at end of file
+| | Feature | When using Autopatch | When NOT using Autopatch |
+|--------------------------------------------------------------------------------|--------------------------------|--------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
+| **:::image type="icon" source="icons/update-ring.svg" border="false":::** | Update rings | Autopatch creates & manages its own rings; you shouldn't assign your own to these devices | You configure your own update rings in Intune |
+| **:::image type="icon" source="icons/feature-updates.svg" border="false":::** | Feature update policies | Autopatch manages version targeting | You use Intune's Feature updates policy |
+| **:::image type="icon" source="icons/expedite-updates.svg" border="false":::** | Quality expedite updates | Autopatch handles emergency patching | You use "Expedite" policy |
+| **:::image type="icon" source="icons/driver-updates.svg" border="false":::** | Driver updates | Autopatch manages this | You can allow/deny via settings |
+| **** | Update coordination | Autopatch orchestrates everything | You control scheduling & behavior |
+| **:::image type="icon" source="icons/hotpatch-updates.svg" border="false":::** | Hotpatch | Devices that support hotpatch continue to use Intune's update policies for timing & coordination | Devices that support hotpatch continue to use Intune's update policies for timing & coordination |
+| **:::image type="icon" source="icons/client-policies.svg" border="false":::** | Windows Update client policies | Intune configures these behind the scenes; you don't assign your own to Autopatch devices | You configure these directly in Intune |
+| **:::image type="icon" source="icons/quality-updates.svg" border="false":::** | Quality updates | Autopatch manages quality updates | You configure quality updates via update rings and expedite policies |
\ No newline at end of file
From 15825dc7cd195a53fbb6d6d06262b4cda6a76015 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 18 Dec 2025 12:57:35 -0500
Subject: [PATCH 015/139] updates
---
.../{expedite.svg => expedite-updates.svg} | 0
intune/device-updates/windows/index.md | 90 +++++++++++++++++++
2 files changed, 90 insertions(+)
rename intune/device-updates/windows/icons/{expedite.svg => expedite-updates.svg} (100%)
diff --git a/intune/device-updates/windows/icons/expedite.svg b/intune/device-updates/windows/icons/expedite-updates.svg
similarity index 100%
rename from intune/device-updates/windows/icons/expedite.svg
rename to intune/device-updates/windows/icons/expedite-updates.svg
diff --git a/intune/device-updates/windows/index.md b/intune/device-updates/windows/index.md
index f2f7395b33..951411c236 100644
--- a/intune/device-updates/windows/index.md
+++ b/intune/device-updates/windows/index.md
@@ -23,6 +23,96 @@ Exceptional scenarios, such as urgent security patches
All Windows updates flow from Microsoft's global update service; Intune provides the policy layer that governs timing, user experience, and safeguards.
Core policy types
+
+:::row:::
+:::column:::
+#### Update rings
+
+**:::image type="icon" source="icons/update-ring.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](update-rings.md)
+:::column-end:::
+:::column:::
+#### Feature update policies
+
+**:::image type="icon" source="icons/feature-updates.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](feature-updates.md)
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column:::
+#### Quality updates
+
+**:::image type="icon" source="icons/quality-updates.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](quality-updates-policy.md)
+:::column-end:::
+:::column:::
+
+#### Windows Update client policies
+
+**:::image type="icon" source="icons/client-policies.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](feature-updates.md)
+:::column-end:::
+:::row-end:::
+
+
+:::row:::
+:::column:::
+#### Quality expedite updates
+
+**:::image type="icon" source="icons/expedite-updates.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](update-rings.md)
+:::column-end:::
+:::column:::
+#### Driver updates
+
+**:::image type="icon" source="icons/driver-updates.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](feature-updates.md)
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column:::
+
+#### Hotpatch
+
+**:::image type="icon" source="icons/hotpatch-updates.svg" border="false":::**
+
+> Description
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](update-rings.md)
+:::column-end:::
+:::column:::
+
+:::column-end:::
+:::row-end:::
+
+
Intune provides several policy types, each designed for a specific purpose. Understanding these helps you choose the right tool for each scenario.
Update rings
Update rings control the cadence and experience of updates, including:
From 320bd6b8c90280b2e53e14abd7ca03b213d8006e Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 18 Dec 2025 13:35:50 -0500
Subject: [PATCH 016/139] updates
---
intune/device-updates/windows/index.md | 43 ++++++++++++++------------
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/intune/device-updates/windows/index.md b/intune/device-updates/windows/index.md
index 951411c236..e09c0adf43 100644
--- a/intune/device-updates/windows/index.md
+++ b/intune/device-updates/windows/index.md
@@ -24,71 +24,74 @@ All Windows updates flow from Microsoft's global update service; Intune provides
Core policy types
+
:::row:::
:::column:::
+
+#### Windows Update client policies
+
+>**:::image type="icon" source="icons/client-policies.svg" border="false":::**
+>
+> Windows Update client policies configure the underlying Windows Update for Business CSPs. These settings are available in Intune both through update rings and directly in the Settings Catalog, giving administrators flexibility to apply granular update behaviors at the device level.
+>
+>> [!div class="nextstepaction"]
+>> [Learn more](feature-updates.md)
+
+:::column-end:::
+:::column:::
#### Update rings
**:::image type="icon" source="icons/update-ring.svg" border="false":::**
-> Description
+> Intune's management object that applies Windows Update client policies to groups of devices. Update rings control deferral periods, deadlines, restart behavior, and user experience settings, enabling phased rollout across your environment.
>
>> [!div class="nextstepaction"]
>> [Learn more](update-rings.md)
:::column-end:::
+:::row-end:::
+
+:::row:::
:::column:::
#### Feature update policies
**:::image type="icon" source="icons/feature-updates.svg" border="false":::**
-> Description
+> Lock devices to a specific Windows version (e.g., Windows 11 23H2). These policies prevent devices from upgrading beyond the targeted release, ensuring consistency and control over major OS upgrades.
>
>> [!div class="nextstepaction"]
>> [Learn more](feature-updates.md)
:::column-end:::
-:::row-end:::
-:::row:::
:::column:::
#### Quality updates
**:::image type="icon" source="icons/quality-updates.svg" border="false":::**
-> Description
+> Deliver monthly cumulative updates that include security patches and reliability improvements. Quality updates keep devices secure and stable by addressing vulnerabilities and performance issues on a regular cadence.
>
>> [!div class="nextstepaction"]
>> [Learn more](quality-updates-policy.md)
:::column-end:::
-:::column:::
-
-#### Windows Update client policies
-
-**:::image type="icon" source="icons/client-policies.svg" border="false":::**
-
-> Description
->
->> [!div class="nextstepaction"]
->> [Learn more](feature-updates.md)
-:::column-end:::
:::row-end:::
-
:::row:::
:::column:::
#### Quality expedite updates
**:::image type="icon" source="icons/expedite-updates.svg" border="false":::**
-> Description
+> Push critical security updates faster than normal rings. Expedite policies override deferrals and deadlines to immediately deliver high-priority patches (such as zero-day fixes) to devices at risk.
>
>> [!div class="nextstepaction"]
>> [Learn more](update-rings.md)
:::column-end:::
+
:::column:::
#### Driver updates
**:::image type="icon" source="icons/driver-updates.svg" border="false":::**
-> Description
+> Manage the delivery of hardware driver updates from Windows Update. Driver update policies help ensure device compatibility and stability by controlling when and how drivers are installed.
>
>> [!div class="nextstepaction"]
>> [Learn more](feature-updates.md)
@@ -102,7 +105,7 @@ Core policy types
**:::image type="icon" source="icons/hotpatch-updates.svg" border="false":::**
-> Description
+> Apply security patches without requiring a reboot, reducing downtime and disruption. Hotpatch updates are available for eligible Windows editions through Windows Autopatch and provide seamless protection while keeping systems continuously available.
>
>> [!div class="nextstepaction"]
>> [Learn more](update-rings.md)
From e4c73e3cbb4a732aaf407a031dca0eb64046af0a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 18 Dec 2025 14:48:26 -0500
Subject: [PATCH 017/139] updates
---
.../windows/icons/feature-updates.svg | 2 +-
.../windows/icons/update-ring.svg | 2 +-
intune/device-updates/windows/index.md | 20 +++++++++----------
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/intune/device-updates/windows/icons/feature-updates.svg b/intune/device-updates/windows/icons/feature-updates.svg
index ab711b333a..16b591fa51 100644
--- a/intune/device-updates/windows/icons/feature-updates.svg
+++ b/intune/device-updates/windows/icons/feature-updates.svg
@@ -1,6 +1,6 @@