How to Configure Windows Update Rings in Intune with Reboot Notifications
Published 17 March 2026 · 10 min read · Jack Davies
This guide covers setting up a Windows Update ring in Intune that automatically installs quality updates, warns the user to restart with up to 5 daily reminders, and then forces a restart if they keep ignoring it. No more unpatched machines sitting at 180-day-old builds because the user always clicked "Remind me later".
A Windows Update ring is an Intune policy that controls when and how Windows quality and feature updates are downloaded and installed on managed devices. It replaces the old Group Policy-based Windows Update for Business settings and is the recommended approach for any Intune-enrolled estate.
The ring model lets you stagger updates across your fleet. A typical setup has three rings:
Pilot ring - a small group (IT team, testers) who get updates first
Broad ring - most of the business, 7-14 days after pilot
Slow ring - critical systems, maximum deferral
This guide focuses on the Broad ring configuration, which covers the majority of devices. The same settings apply to all rings - you just adjust the deferral days.
💡
Cyber Essentials requirement
Cyber Essentials requires critical and high-severity patches to be applied within 14 days of release. The settings in this guide are configured to meet that requirement. Quality update deadline is set to 7 days, giving you a comfortable buffer.
Create the Update Ring in Intune
Intune Admin Centre → Devices → Windows updates → Update rings
Go to Devices → Windows updates → Update rings for Windows 10 and later
Click + Create profile
Give it a name - something like WIN-UPDATE-BROAD works well for a naming convention
Add a description so other admins know what it does
Click Next to get to the settings
Update deferral settings
These settings control how long after Microsoft releases an update before it gets pushed to your devices. The Broad ring has a short deferral so devices stay current, but with enough buffer to catch any bad patches on the Pilot ring first.
🔄
Microsoft product updates
Controls whether Office, Edge, and other Microsoft products update alongside Windows
Microsoft product updates: Allow - Enables updates for other Microsoft products via Windows Update
Windows drivers: Allow - Keeps device drivers up to date through Windows Update
📅
Update deferral periods
How many days after release before updates are offered to this ring
Quality update deferral period: 0 days - Security patches, bug fixes. Keep short to stay within Cyber Essentials 14-day requirement.
Feature update deferral period: 60 days - Major Windows version upgrades (22H2, 23H2 etc). Defer longer to allow testing.
Upgrade Windows 10 devices to latest Windows 11: Not configured - Set to No if you are not ready to move to Windows 11 yet
⚠️
Quality deferral vs deadline
Setting quality deferral to 0 days means devices start downloading the update as soon as it is released. The deadline (configured in the next section) is what determines when the restart is forced. This is the correct approach for Cyber Essentials - defer feature updates, not quality patches.
User experience and restart settings
This is the section that controls what the user sees. The goal is to give them fair warning - enough chances to restart at a convenient time - but make the restart unavoidable once the deadline passes.
🔔
Restart notifications
Controls the toast notifications shown before a forced restart
Auto restart before deadline: Enabled - Shows persistent notifications in the last 2 days before deadline
Use deadline settings: Enabled - Must be enabled for deadline-based restart enforcement to work
Opt out of automatic updates: Block - Prevents users from disabling Windows Update on their device
🕐
Engaged restart settings
Controls how often users are reminded and how long they can keep snoozing
Engaged restart transition (days): 2 days - How many days after an update installs before Engaged Restart begins prompting the user
Engaged restart snooze schedule (days): 1 day - How long the user can snooze a restart reminder before being prompted again
Engaged restart deadline (days): 5 days - After this many days the device restarts automatically at the next maintenance window. Set to 5 for 5 warnings.
💡
How the 5 warnings add up
With a snooze schedule of 1 day and an Engaged Restart deadline of 5 days, the user gets a reminder on days 2, 3, 4, 5, and 6 after the update installs - that is 5 separate prompts before the device restarts automatically. Adjust the snooze schedule to 2 days if you want fewer, less frequent warnings.
Deadline and auto-restart enforcement
The deadline is the hard cutoff. Once it passes, the device will restart automatically at the next scheduled maintenance window - even if the user is logged in. This is non-negotiable and is intentional.
⏰
Deadline settings
Hard cutoff for when the restart happens regardless of user input
Deadline for quality updates: 7 days - Days after a quality update is released before the restart is forced. 7 days meets Cyber Essentials.
Deadline for feature updates: 14 days - Days after a feature update is released before the upgrade is forced
Grace period: 2 days - Extra time given after the deadline before restart is enforced. Useful for users who were on leave during the deadline window.
Auto restart before deadline (hours): 2 hours - How many hours before the deadline the device shows a countdown notification
⚠️
Warn users before enabling this on production
The first time this policy hits a device that has been ignoring updates for a while, it may restart sooner than the user expects. Send a communication to staff before deploying - something like "Windows will now automatically restart after 7 days if you haven't done so yourself" - to avoid support calls.
What the user actually sees
Here is the sequence of events from the user's perspective after a quality update installs:
Day 0 - Update installs in background
Windows downloads and installs the update silently. The user sees nothing yet. A restart is required but not prompted.
Day 2 - First restart reminder
Engaged Restart kicks in. The user sees a toast notification asking them to restart. They can click "Restart now" or dismiss it - it will come back tomorrow.
Days 3, 4, 5, 6 - Repeated daily reminders
Each day the user dismisses the notification, it returns the next day. The notification becomes more persistent and harder to dismiss as the deadline approaches.
Day 5 - Final warning (2 hours before)
A persistent countdown notification appears showing the exact time the device will restart. The user can choose to restart now or schedule it within the next 2 hours.
Day 7 - Auto-restart
If the user has not restarted, the device restarts automatically at the next maintenance window (by default 3am-5am local time). The update is now applied.
Here is what the toast notification looks like to the user:
// Windows notification (day 3 example)
🪟 Windows Update
Your device needs to restart
A security update has been installed and needs a restart to complete. Your device will restart automatically in 4 days if you don't restart first.
Assign and deploy
Once your settings are configured, go to the Assignments tab.
Under Included groups, add your target device or user group - for example INTUNE-DEVICES-BROAD
If you have any devices that should be excluded (kiosks, shared devices, conference room machines), add them under Excluded groups
Click Review + create then Create
💡
Always pilot first
Assign to a group of 3-5 test devices or IT team members first. Run for one full patch cycle (one Patch Tuesday) before rolling out to all devices. This catches any compatibility issues before they hit the whole business.
Monitor compliance
After deploying, check that devices are picking up and applying updates correctly.
Intune Admin Centre → Devices → Windows updates → Update rings
Click on your Update Ring policy and select Device status. You will see a breakdown of devices by status:
Succeeded - update applied, no restart needed or already restarted
In progress - update downloading or installing
Pending restart - update installed, waiting for the user to restart
Error - something went wrong on this device
Not applicable - device does not match the policy scope
You can also check individual device update status under Devices → Windows devices → [Device name] → Windows update. This shows the currently installed version and any pending updates.
✅
Check the compliance report too
If you have an Intune compliance policy with a minimum OS version requirement, devices that fall behind on updates will also show as non-compliant in the Compliance Report. This gives you a second view into update gaps and ties patching to Conditional Access if you have a compliant device CA policy.
Troubleshooting
Device not picking up the Update Ring policy
Force an Intune sync on the device. Go to Settings → Accounts → Access work or school → [Account] → Info → Sync. Alternatively, run the following in PowerShell as administrator:
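An added example, not the command from the original guide: the script below requests a sync by starting the enrollment client's PushLaunch scheduled task, then compares the Update policy values the device holds with this guide's Broad ring settings. The registry path, the mapping from Intune setting labels to Policy CSP value names, and the 60-second wait are assumptions to confirm on your own build.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Read-only apart from starting the sync task.
# Expected values are this guide's Broad ring settings, keyed by assumed Policy CSP names.
$expected = [ordered]@{
    AllowMUUpdateService               = 1    # Microsoft product updates: Allow
    ExcludeWUDriversInQualityUpdate    = 0    # Windows drivers: Allow
    DeferQualityUpdatesPeriodInDays    = 0
    DeferFeatureUpdatesPeriodInDays    = 60
    ConfigureDeadlineForQualityUpdates = 7
    ConfigureDeadlineForFeatureUpdates = 14
    ConfigureDeadlineGracePeriod       = 2
    EngagedRestartTransitionSchedule   = 2
    EngagedRestartSnoozeSchedule       = 1
    EngagedRestartDeadline             = 5
    ActiveHoursStart                   = 8    # 8 AM
    ActiveHoursEnd                     = 18   # 6 PM
}

# PushLaunch is the scheduled task the MDM enrollment client uses to start a sync.
$task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
if ($task) {
    $task | Start-ScheduledTask
    Start-Sleep -Seconds 60   # assumed wait so the sync can finish before reading policy
} else {
    Write-Warning 'PushLaunch task not found. The device may not be Intune-enrolled.'
}

# MDM-delivered Update policies are stored under this key once the device processes them.
$path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
if (-not (Test-Path $path)) {
    Write-Warning "No MDM Update policy found under $path. The ring has not reached this device."
    return
}

$actual = Get-ItemProperty -Path $path
$report = foreach ($name in $expected.Keys) {
    $value = $actual.$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $value) { 'not set' } else { $value }
        Match    = ($null -ne $value) -and ([int]$value -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize
```

A row showing "not set" means the device holds no MDM value for that setting, so compare it with what the ring actually configures before treating it as a fault.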
User says they keep getting restarted at inconvenient times
Check whether Active Hours are configured. Active Hours tell Windows not to restart during working hours. You can set these in the Update Ring under Active hours start and Active hours end. Set to your business hours - for example 8am to 6pm. The device will then only auto-restart outside those hours.
🕗
Active hours (optional but recommended)
Prevents automatic restarts during working hours
Active hours start: 8 AM
Active hours end: 6 PM
Update Ring not showing in device policy list
Check that the device is in the assigned group. Go to Intune → Devices → [Device] → Group membership and confirm the target group is listed. If the device is Entra-joined but not Intune-enrolled, the policy will not apply.
Device showing old OS version despite policy being assigned
Check the device's Windows Update for Business status in the Admin Centre. If the update is deferred, it may not have been offered yet. Also confirm that the device has internet access and can reach Windows Update endpoints. Devices behind a strict proxy may need *.windowsupdate.com and *.delivery.mp.microsoft.com whitelisted.
Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.