Managing Update Rings and the Shift from Windows 10 to 11: Lessons from the Field

Written By Kenneth Mathias

When managing Windows updates at scale, there’s a lot that can go wrong if the right structure isn’t in place. Over the last few years, we’ve helped businesses build solid Intune environments — and one area that often trips teams up is managing Update Rings, Feature Updates, and the move to Windows 11.

Here’s what’s worth knowing, and how we usually approach it.

Update Rings in Intune – Why They Matter

At a glance, Update Rings are simple — they define how and when Windows updates are applied to your devices. But in practice, they’re a key part of your update governance.

A few lessons we've learned:

  • You need at least three rings:

    • Pilot – for IT or early adopters.

    • Fast – for a small slice of production.

    • Broad – the rest of your production fleet.

  • Delays and deferrals should be used strategically — not to avoid updates, but to create breathing space for testing.

  • User experience matters. Forced reboots without proper communication can undo months of good work.

Update Rings are powerful, but they’re only one part of the picture.

Where Windows Autopatch Fits In

For organisations using eligible Microsoft 365 licenses (Windows E3/E5), Windows Autopatch can take some of the manual effort out of patching. It automatically manages Windows quality and feature updates, Microsoft 365 apps, Microsoft Edge, and Teams.

It’s a solid option for businesses that want to standardise update delivery without building their own scheduling, rings, and testing process.

That said, it’s not completely hands-off.

Here’s what to keep in mind:

  • Device grouping still matters: Autopatch uses pre-defined rings (Test, First, Fast, Broad), and you'll need to assign devices correctly via Azure AD groups. If you get that wrong, updates may hit the wrong users at the wrong time.

  • Rollback and control: Autopatch handles detection and rollback of failed updates, but not every scenario is caught. You still need monitoring in place, especially for business-critical devices.

  • Feature updates still need planning: Autopatch can delay feature updates for up to 60 days, but it won’t account for your internal application testing or user training needs unless you build that into your ring strategy.

In short: Autopatch helps, especially for mid-sized organisations without a dedicated endpoint team — but it's not a replacement for having a clear update strategy. Think of it as an automation layer, not autopilot.

The Problem with Feature Updates

Where Update Rings handle monthly patches, Feature Updates control major version jumps — think 21H2 to 22H2, or Windows 10 to 11. This is where things can get messy.

Some common issues we see:

  • Unintended upgrades: If you don’t pin a feature version, Intune will eventually nudge the device forward — often at the worst possible time.

  • Overlapping policy logic: If Feature Update policies conflict with Update Rings or Delivery Optimisation settings, updates may fail silently or get stuck.

  • Staging and timing: There’s a gap between when Microsoft releases a version and when your environment is ready for it — especially in regulated industries or where legacy apps are involved.

In short, don’t assume Feature Updates are handled just because you’ve set up rings. They're managed separately — and deserve their own planning.

Migrating from Windows 10 to 11 – It’s Not a Typical Upgrade

For many organisations, the move to Windows 11 brings a hardware refresh, a new interface, and different requirements for drivers, apps, and end-user support.

Here’s how we usually approach it:

  • Readiness first: Not all hardware is eligible, and not all users are ready. Use reporting tools (like Endpoint analytics or custom device queries) to assess what you’re working with.

  • Staged rollout: Start small — IT and early adopters first — before moving to wider groups.

  • Real-world testing: Lab environments help, but testing on real devices with real users is what surfaces the actual issues.

  • Clear communication: If the UI changes or workflows are different, tell users ahead of time. Most problems during OS upgrades are avoidable with good change management.

Final Thoughts

Updates aren’t just a background process. They're a visible part of how users experience your IT — and how secure and stable your environment really is.

At Endpoint Craft, we help teams build structure around updates — from policy design and rollout plans to update reporting and exception handling. Whether you’re staying on Windows 10 for now or making the move to Windows 11, the goal is the same: make updates predictable, safe, and as invisible as possible.

How We Can Help

Whether you're building out your update strategy from scratch or untangling a setup that’s grown messy over time, we can step in with the clarity and structure you need.

At Endpoint Craft, we’ve supported organisations through:

  • Update Ring Design – Structuring pilot, fast, and broad rings that match real-world business needs.

  • Feature Update Control – Pinning specific Windows versions to avoid surprises and giving teams time to test before rollout.

  • Windows 11 Migration – Assessing device readiness, creating phased deployment plans, and ensuring end-user impact is minimal.

  • Autopatch Readiness and Implementation – Helping you decide if Autopatch is the right fit, and configuring it correctly if it is.

  • Reporting - Leverage Power Bi to create visual reports that help your team stay on top of your system patching.

We focus on practical solutions — no unnecessary complexity, just policies and processes that work, backed by real testing and monitoring.

Kenneth Mathias
Previous

Ditch DIY IT