Topic Hub
Patch Management
WSUS, Windows Update for Business, and Intune update rings — operational guidance for keeping enterprise Windows endpoints current and secure without breaking production.
Guides, scripts and analysis
Overview
What Patch Management Covers
Enterprise patch management is more than approving updates. It involves delivery infrastructure, ring strategy, compliance tracking, rollback planning, and integration with endpoint management tooling.
Update delivery infrastructure
WSUS server configuration, GPO targeting, bandwidth throttling, update category selection, and approval workflows for on-premises and hybrid environments.
Windows Update for Business
Deferral policies via GPO or MDM CSP, quality and feature update separation, safeguard holds, and WUfB Reports integration for cloud-managed fleets.
Intune update rings
Ring-based deployment policy configuration in Intune, quality update deferrals, deadline enforcement, and Windows Autopatch for fully managed update operations.
Patch ring design
Defining pilot, early adopter, broad, and production rings — sizing each appropriately, setting deferral windows, and sequencing rollout to catch regressions before they reach the whole fleet.
Compliance reporting
Identifying devices missing critical updates via WSUS console, Intune compliance blade, WUfB Reports, or PowerShell queries against the Update Agent COM API.
Rollback and recovery
Pausing WUfB rings, uninstalling specific KBs via DISM or wusa.exe, safeguard hold awareness, and handling patch-induced regressions like BitLocker recovery loops.
Delivery models
WSUS vs Windows Update for Business vs Intune Update Rings
Each model suits a different architecture. Most enterprise environments run two in parallel — typically WSUS for servers and WUfB or Intune rings for workstations.
| | WSUS (on-premises / hybrid) | Windows Update for Business (cloud / hybrid) | Intune Update Rings (cloud-managed) |
|---|---|---|---|
| Best for | Large estates with bandwidth constraints, air-gapped networks, or a requirement for per-KB approval before deployment | Eliminating WSUS infrastructure for workstations while retaining ring-based deferral control | Intune-managed fleets where patch policy lives alongside device configuration and compliance in a single pane |
| Ring config | GPO targets pointing clients to a WSUS server; approval workflow per update category | GPO (Update/DeferQualityUpdatesPeriodInDays) or Intune CSP; separate settings for quality and feature updates | Intune Devices → Update rings for Windows 10 and later; quality update deferral, deadlines, and active hours per ring |
| Deferral granularity | Controlled by approval timing — approve when ready to deploy, defer by not approving | Day-level deferral for quality updates (0–30 days) and feature updates (0–365 days); no per-KB control | Day-level deferral plus deadline enforcement and grace period; Windows Autopatch automates ring progression |
| Reporting | WSUS console, custom SQL against the WSUS database, or Get-PatchComplianceReport | WUfB Reports (Azure Monitor workbook), Windows Autopatch reporting, or Graph API queries | Intune Update compliance blade, per-device policy status, and Export-IntuneDeviceReport for inventory cross-reference |
| Watch out for | WSUS cleanup debt, large WsusContent directories, and stale client registry entries still pointing at decommissioned WSUS servers | Conflicting WSUS GPOs on hybrid-joined devices; consumer update settings from Microsoft accounts overriding deferral | GPO and Intune policy conflicts on hybrid-joined devices; ensure only one management authority controls Windows Update settings |
For the current release window, use the May 2026 Patch Tuesday admin deployment notes before approving KBs across Windows Update for Business, WSUS, Intune, Autopatch, and Configuration Manager.
Latest News
May 2026 Patch Tuesday: admin deployment notes and checks
May 2026 Patch Tuesday deployment notes covering KB5089549 for Windows 11, Windows Server updates, BitLocker PCR7 known issue, Secure Boot certificate readiness, Intune Autopatch hotpatch, and WSUS deployment checks.
13 May 2026
April 2026 Patch Tuesday Breakdown – What Sysadmins Must Do This Month
Three zero-days confirmed exploited in the wild, plus KB5055523 fixes the Autopilot OOBE timeout regression on Dell and HP hardware that has been blocking zero-touch deployments for six weeks. Prioritise this month.
Apr 8, 2026
Ring strategy
Recommended Patch Ring Structure
Four rings cover most enterprise fleet sizes. Adjust sizing to fit your environment — the key constraint is that each ring must be large enough to reliably surface regressions before the next ring deploys.
| Ring | Typical size | Quality update deferral | Target devices | Monitoring focus |
|---|---|---|---|---|
| Ring 0 — Pilot | 2–5% | 0 days | IT staff, sysadmin workstations, lab machines | Application crashes, driver conflicts, known-bad KBs from MSRC |
| Ring 1 — Early Adopters | 10–15% | 7 days | Technically confident users, dev/test machines, volunteers | LOB app compatibility, BitLocker PCR state, boot time regressions |
| Ring 2 — Broad Phase 1 | 35–40% | 14 days | Standard workforce, geographically mixed sample | Helpdesk ticket volume, WER reports, compliance delta vs. previous ring |
| Ring 3 — Production | 40–50% | 21 days | Remaining fleet, including VDI base images and shift workers | Final patch lag report, deadline compliance, any held devices |
For Intune-managed fleets, map each ring to an Entra ID device group and assign a corresponding Intune update ring policy. For WUfB via GPO, use a separate OU or security group filter per ring.
Deep-Dive Tutorials
Secure Boot CA 2023 Rollout Readiness for Enterprise Windows Fleets
A practical enterprise readiness guide for the Secure Boot CA 2023 rollout, covering 2026 certificate expirations, client and server differences, Intune readiness checks, PowerShell verification, registry and event evidence, BitLocker risk, Hyper-V Generation 2 VMs, firmware coordination, rollout rings, and recovery planning.
24 min read · Advanced
Deploy Windows 11 25H2 with Intune + Autopilot v2 (Zero-Touch, Production-Ready)
A production-grade walkthrough for deploying Windows 11 25H2 across existing x86/x64 fleets using Autopilot v2 Device Preparation policies. Covers tenant readiness, ESP configuration, app tiering, update rings, a phased rollout sequence, and a PowerShell pre-flight toolkit.
28 min read · Advanced
Hardening Windows 11 Endpoints with CIS Benchmark Level 1
Apply the CIS Level 1 benchmark to Windows 11 22H2 and 24H2 endpoints using Group Policy, Intune profiles, and a validation script that reports compliance gaps.
20 min read · Advanced
Group Policy Troubleshooting with RSoP, gpresult, and Policy Scope Analysis
A practical troubleshooting methodology for Group Policy: reading RSoP, interpreting gpresult /h output, diagnosing WMI filter failures, and resolving OU-linking conflicts.
12 min read · Beginner
Scripts & Automation
Get-StaleDevices
Identifies devices inactive for a configurable threshold across Intune, Entra ID, and on-premises Active Directory. Outputs CSV and HTML reports with remediation actions.
PowerShell
Get-PatchComplianceReport
Queries WSUS or Windows Update for Business status via WMI and Graph API. Produces a per-device patch lag report with severity breakdown and exportable HTML dashboard.
PowerShell
Export-IntuneDeviceReport
Uses the Microsoft Graph API to export a full Intune device inventory including compliance state, OS version, last check-in, and primary user to CSV or JSON.
PowerShell
Compliance
Monitoring and Compliance Checks
Patch compliance is only visible if you are actively querying it. These are the primary data sources and queries used in production environments.
Intune — Update compliance blade
Navigate to Devices → Monitor → Feature update failures or Quality update compliance. Shows per-device status, last scan time, and pending updates. Filter by OS version or ring assignment group.
WUfB Reports (Azure Monitor)
The Windows Update for Business Reports workbook in Azure Monitor shows fleet-wide update status with device-level drill-down. Requires diagnostic data at Enhanced or Full level and the UCClient tables populated in Log Analytics.
WSUS console
Computers → [target group] → Update Status shows approved vs. installed vs. failed counts. The "Updates needing approval" view is the fastest way to find KBs blocked at the approval stage.
Get-PatchComplianceReport script
Queries the local Windows Update Agent via COM API or WSUS WMI to produce a per-device patch lag report with severity breakdown. Useful for scheduled compliance email reports.
Event log
Microsoft-Windows-WindowsUpdateClient/Operational logs every update evaluation, download, install, and failure. Event ID 19 = update successfully installed. Event ID 20 = installation failure. Filter by event source on domain controllers or critical servers.
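As an added example (not the hub's Get-PatchComplianceReport script), the function below builds the per-device patch lag view described above from the Windows Update Agent COM API and correlates it with Event IDs 19 and 20 in the WindowsUpdateClient operational log. It assumes it is run elevated on the endpoint being checked; the severity labels come from whatever MsrcSeverity the agent reports, and updates without one are bucketed as Unrated.

```powershell
# Added example: local patch-lag snapshot from the Windows Update Agent COM API,
# correlated with the WindowsUpdateClient operational log. Run elevated.
function Get-LocalPatchLag {
    [CmdletBinding()]
    param([int] $LookbackDays = 60)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Applicable but not-yet-installed software updates (hidden updates excluded)
    $result  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $pending = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
            # Days since Microsoft last changed this update's deployment: the lag
            LagDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
        }
    }

    # Agent-side install history. ResultCode 2 = Succeeded, 4 = Failed.
    $count   = $searcher.GetTotalHistoryCount()
    $history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
    $failed  = foreach ($h in $history) {
        if ($h.ResultCode -eq 4 -and $h.Date -gt (Get-Date).AddDays(-$LookbackDays)) {
            [pscustomobject]@{ Date = $h.Date; Title = $h.Title; HResult = ('0x{0:X8}' -f $h.HResult) }
        }
    }

    # Event-log view of the same activity: ID 19 = installed, ID 20 = install failure
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 19, 20
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PendingCount      = @($pending).Count
        PendingBySeverity = (@($pending) | Group-Object Severity | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
        MaxLagDays        = if ($pending) { (@($pending) | Measure-Object LagDays -Maximum).Maximum } else { 0 }
        FailedInstalls    = @($failed).Count
        LastInstallEvent  = (@($events) | Where-Object Id -eq 19 | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        FailureEvents     = @(@($events) | Where-Object Id -eq 20).Count
        Pending           = $pending
        Failed            = $failed
    }
}

$report = Get-LocalPatchLag
$report | Select-Object ComputerName, PendingCount, PendingBySeverity, MaxLagDays, FailedInstalls, LastInstallEvent, FailureEvents | Format-List
$report.Pending | Sort-Object LagDays -Descending | Format-Table KB, Severity, LagDays, Title -AutoSize

# For a scheduled email report, render the pending list as HTML:
# $report.Pending | ConvertTo-Html -Title "$env:COMPUTERNAME patch lag" | Out-File patchlag.html
```

MaxLagDays is the number worth alerting on: a device whose oldest applicable update has been available longer than its ring's deferral window plus the deadline has fallen out of the ring schedule, regardless of what the console says its ring membership is.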
Graph API (Intune-enrolled devices)
GET /deviceManagement/managedDevices?$select=deviceName,osVersion,complianceState,lastSyncDateTime returns OS version and compliance state for each enrolled device. Combine with Export-IntuneDeviceReport for exportable baselines.
Troubleshooting
Windows Update for Business Deferral Policy Not Applying in Intune: Practical Diagnosis
A practical diagnostic guide for Windows Update for Business deferrals that are ignored, overwritten, or blocked by feature update policies, quality update policies, Group Policy, WSUS, MECM, or co-management.
18 min read · Intermediate
Fixing the April 2026 BitLocker Recovery Loop (KB5082063 Secure Boot Issue)
KB5082063 rotates the Windows UEFI CA certificates, breaking PCR7 binding on Dell and Lenovo hardware and triggering BitLocker recovery loops fleet-wide. Here is how to stop it before it hits your next patch ring — and recover devices that are already stuck.
10 min read · Intermediate
Common problems
Where Patch Management Goes Wrong
Most patch management failures fall into a small set of repeating patterns. These are the ones most likely to appear in your environment.
WUfB deferral settings ignored
A WSUS-targeting GPO on a hybrid-joined device overrides WUfB deferral CSP settings. A Microsoft account signed into Windows can also trigger consumer update policies that bypass corporate deferral. See the WUfB deferral troubleshooting guide.
WSUS clients not reporting
Clients pointing at a WSUS server that has been decommissioned, renamed, or is behind a firewall rule that has changed. Check the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer and confirm the server is reachable.
Update ring too thin to catch regressions
A pilot ring of 5 devices across a fleet of 2,000 will statistically miss most application compatibility issues. Size Ring 0 to cover your full spread of hardware models, OS builds, and critical application profiles.
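The following PowerShell function is an added example (not a script from this hub) that turns the ring structure from the table above and the sizing rule just stated into a concrete assignment: it seeds Ring 0 with one device per hardware model and OS build before applying the percentage split, so no hardware profile reaches a later ring untested, then fills the remaining rings from a deterministically shuffled sample. The inventory is a constructed sample, the preference for IT-owned devices as pilot seeds and the WU-Ring-N group naming convention are assumptions.

```powershell
# Constructed sample inventory; in production, pipe in the CSV from
# Export-IntuneDeviceReport or a Get-ADComputer / Get-MgDevice query instead.
$inventory = @'
DeviceName,Model,OSBuild,Department
PC-001,Latitude 5540,26100,IT
PC-002,Latitude 5540,26100,Finance
PC-003,Latitude 5540,22631,Sales
PC-004,ThinkPad T14 Gen 4,26100,IT
PC-005,ThinkPad T14 Gen 4,26100,HR
PC-006,ThinkPad T14 Gen 4,22631,Sales
PC-007,EliteBook 840 G10,26100,Finance
PC-008,EliteBook 840 G10,22631,Engineering
PC-009,EliteBook 840 G10,22631,Engineering
PC-010,Latitude 5540,22631,HR
PC-011,ThinkPad T14 Gen 4,22631,Sales
PC-012,EliteBook 840 G10,26100,Engineering
'@ | ConvertFrom-Csv

function New-PatchRingAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        # Share of the fleet per ring, following the hub's 5 / 15 / 40 / 40 structure
        [double[]] $RingShare = @(0.05, 0.15, 0.40, 0.40),
        # Department whose devices are preferred as Ring 0 seeds (assumption: IT owns the pilot)
        [string] $PilotDepartment = 'IT'
    )

    $ring = @{}   # DeviceName -> ring number

    # Step 1: seed Ring 0 with one device per Model + OSBuild profile, preferring the
    # pilot department, so every hardware/build combination is exercised first.
    foreach ($profile in ($Devices | Group-Object Model, OSBuild)) {
        $seed = $profile.Group |
            Sort-Object { if ($_.Department -eq $PilotDepartment) { 0 } else { 1 } }, DeviceName |
            Select-Object -First 1
        $ring[$seed.DeviceName] = 0
    }

    # Step 2: shuffle the rest deterministically (SHA-256 of the name) so each ring is
    # a mixed sample rather than an alphabetical or departmental block.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $remaining = @($Devices |
        Where-Object { -not $ring.ContainsKey($_.DeviceName) } |
        Sort-Object { [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($_.DeviceName))) })

    # Step 3: fill each ring up to its target share; rounding leftovers go to production.
    $total = $Devices.Count
    for ($r = 0; $r -lt $RingShare.Count; $r++) {
        $capacity = [int][math]::Ceiling($total * $RingShare[$r])
        $already  = @($ring.Values | Where-Object { $_ -eq $r }).Count
        $need     = [math]::Max(0, $capacity - $already)
        foreach ($d in ($remaining | Select-Object -First $need)) { $ring[$d.DeviceName] = $r }
        $remaining = @($remaining | Select-Object -Skip $need)
    }
    foreach ($d in $remaining) { $ring[$d.DeviceName] = $RingShare.Count - 1 }

    foreach ($d in $Devices) {
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            Model      = $d.Model
            OSBuild    = $d.OSBuild
            Ring       = $ring[$d.DeviceName]
            # Assumed naming convention for the Entra ID device group each ring maps to
            EntraGroup = "WU-Ring-$($ring[$d.DeviceName])"
        }
    }
}

$plan = New-PatchRingAssignment -Devices $inventory
$plan | Sort-Object Ring, DeviceName | Format-Table -AutoSize

# Coverage check: Ring 0 must list every Model + OSBuild profile present in the fleet.
$untested = Compare-Object -ReferenceObject ($plan | Select-Object Model, OSBuild -Unique) `
                           -DifferenceObject ($plan | Where-Object Ring -eq 0 | Select-Object Model, OSBuild -Unique) `
                           -Property Model, OSBuild
if ($untested) { Write-Warning "Profiles missing from Ring 0:`n$($untested | Out-String)" }
else { 'Ring 0 covers every hardware/build profile.' }
```

On a small sample like the one embedded here, Ring 0 ends up well above 5% because profile coverage is applied before the percentage split; that is the intended behaviour, and it is exactly the trade-off the five-device pilot ring gets wrong. Feed the resulting EntraGroup column to your group-membership tooling and assign one Intune update ring policy per group.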
Quality update deferral bypassed by feature update
The quality update deferral setting and the feature update deferral setting are separate. A device can be deferring quality updates correctly while receiving a feature update because the feature update policy has a shorter deferral or is unset.
Patch triggers BitLocker recovery loop
Cumulative updates that include UEFI CA certificate rotations or Secure Boot database changes can break PCR7 binding on specific Dell and Lenovo hardware, placing devices into BitLocker recovery. Suspend BitLocker before deploying suspected updates, and deploy them to the pilot ring first.
WSUS approval backlog
In automatic approval rule environments, a misconfigured rule stops approving updates — often after a WSUS server OS upgrade or a service account password rotation. The WSUS console shows updates accumulating in "Any Except Declined" without entering "Approved."
Dual management conflict (GPO + Intune)
Hybrid-joined devices with both a WSUS-targeting GPO and an Intune update ring policy will behave unpredictably. Microsoft's guidance is to use one management authority for Windows Update settings. Audit with gpresult /H and the Intune device policy status page.
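As an added example (not from the hub), the function below audits a device for the three patterns above from the registry: a WSUS pointer left by GPO, whether that server still answers, and whether an Intune Update CSP deferral is present alongside it. It assumes the documented registry locations for Group Policy Windows Update settings, the MDM PolicyManager mirror of the Update CSP, and the ControlPolicyConflict/MDMWinsOverGP policy; the reachability check is a TCP probe of the WUServer host and port, not a full WSUS client scan.

```powershell
# Added example: which authority is steering Windows Update on this device, and is a
# GPO-supplied WSUS pointer still reachable? Run elevated; for fleet use, wrap in
# Invoke-Command against each ring's device list.
function Test-WindowsUpdateAuthority {
    [CmdletBinding()]
    param()

    $gpoRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'                 # Group Policy
    $mdmRoot     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'            # Intune / MDM Update CSP
    $conflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

    function Get-RegValue([string] $Path, [string] $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $wuServer    = Get-RegValue $gpoRoot 'WUServer'
    $useWUServer = Get-RegValue "$gpoRoot\AU" 'UseWUServer'
    $gpoDefer    = Get-RegValue $gpoRoot 'DeferQualityUpdatesPeriodInDays'
    $mdmDefer    = Get-RegValue $mdmRoot 'DeferQualityUpdatesPeriodInDays'
    $mdmWins     = Get-RegValue $conflictKey 'MDMWinsOverGP'

    $findings      = [System.Collections.Generic.List[string]]::new()
    $wsusReachable = $null

    if ($useWUServer -eq 1 -and $wuServer) {
        # Client is WSUS-targeted by GPO: confirm the server still answers on its port
        $uri = [uri] $wuServer
        $wsusReachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $wsusReachable) {
            $findings.Add("WSUS pointer $wuServer is not reachable: client will not scan or report (decommissioned/renamed server or changed firewall rule?)")
        }
        if ($null -ne $mdmDefer) {
            $findings.Add("Dual management: WSUS GPO ($wuServer) and an Intune Update policy (deferral $mdmDefer days) are both present; the WSUS GPO overrides the WUfB deferral until one authority is removed")
        }
    }
    if ($null -ne $gpoDefer -and $null -ne $mdmDefer -and $gpoDefer -ne $mdmDefer) {
        $winner = if ($mdmWins -eq 1) { 'MDM (MDMWinsOverGP=1)' } else { 'Group Policy (default precedence)' }
        $findings.Add("Conflicting quality-update deferral: GPO=$gpoDefer days, MDM=$mdmDefer days; $winner takes precedence")
    }
    if ($findings.Count -eq 0) { $findings.Add('Single management authority detected; no WSUS/WUfB/Intune conflict found') }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WsusServer      = $wuServer
        WsusReachable   = $wsusReachable
        GpoQualityDefer = $gpoDefer
        MdmQualityDefer = $mdmDefer
        MdmWinsOverGP   = $mdmWins
        Findings        = $findings
    }
}

Test-WindowsUpdateAuthority | Format-List
```

Pair the Findings column with gpresult /H output when a device shows a WSUS pointer but no Windows Update GPO is linked to its current OU: that combination is the stale-registry case, where the value survived an unlink without being removed.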
No rollback plan for critical KBs
KB uninstall via DISM or wusa.exe is not always available — some updates are non-removable once installed. Identify these before deployment, test on a snapshot or lab VM, and know which updates can and cannot be rolled back.
Rollback
Rollback and Recovery Considerations
Pausing WUfB rings
In the Intune portal: Devices → Update rings → select ring → Pause. This pauses quality updates for up to 35 days. For GPO-managed WUfB, set Update/PauseQualityUpdates to 1 and set the pause start date.
Uninstalling a specific KB
Run wusa.exe /uninstall /kb:XXXXXXX /quiet /norestart or DISM /Online /Remove-Package /PackageName:Package_for_KBXXXXXXX~.... Not all KBs are removable — check with DISM /Online /Get-Packages first.
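The following is an added example (not from the hub) of the check-before-removing sequence above in PowerShell: it resolves a KB number to whatever package name the DISM module reports for it, the same data DISM /Online /Get-Packages shows, and only then removes it, falling back to wusa.exe when no standalone package exists. Remove-KbPackage and its -WhatIf dry run are this example's own; the KB number used at the bottom is a placeholder.

```powershell
# Added example: resolve a KB to its installed DISM package and remove it only when a
# package is actually present. Run elevated. The KB number below is a placeholder.
function Remove-KbPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [ValidatePattern('^\d{6,7}$')] [string] $KB
    )

    # Get-WindowsPackage -Online is the PowerShell equivalent of DISM /Online /Get-Packages
    $packages = @(Get-WindowsPackage -Online | Where-Object { $_.PackageName -match "KB$KB" })

    if ($packages.Count -eq 0) {
        # Nothing to hand to DISM: the KB was never installed, is already gone, or has
        # no standalone package of its own. wusa.exe is the remaining option.
        Write-Warning "KB$KB is not present as a DISM package on $env:COMPUTERNAME; trying wusa.exe"
        if ($PSCmdlet.ShouldProcess("KB$KB", 'wusa.exe /uninstall')) {
            $p = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$KB /quiet /norestart" -Wait -PassThru
            return [pscustomobject]@{ KB = "KB$KB"; Method = 'wusa'; ExitCode = $p.ExitCode }
        }
        return
    }

    foreach ($pkg in $packages) {
        if ($pkg.PackageState -ne 'Installed') {
            Write-Warning "$($pkg.PackageName) is in state $($pkg.PackageState); skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove-WindowsPackage -Online')) {
            $r = Remove-WindowsPackage -Online -PackageName $pkg.PackageName -NoRestart
            [pscustomobject]@{ KB = "KB$KB"; Method = 'DISM'; Package = $pkg.PackageName; RestartNeeded = $r.RestartNeeded }
        }
    }
}

# Dry run first, then for real; the reboot is left to the ring's maintenance window.
Remove-KbPackage -KB 1234567 -WhatIf
# Remove-KbPackage -KB 1234567
```

Run the -WhatIf pass on a lab VM or snapshot before the patch reaches Ring 0: a KB that resolves to no package and returns a wusa.exe error on the dry-run host is one you will not be able to roll back in production either, and it should be on the non-removable list before approval.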
WSUS update decline
In the WSUS console: Updates → right-click the update → Decline. This prevents further distribution to clients but does not uninstall from devices that have already received it.
Safeguard holds
Microsoft can place a safeguard hold on a specific hardware or software configuration to prevent feature update delivery when a known incompatibility exists. These are not visible in WSUS; check the Windows Update Health Tools or WUfB Reports.
BitLocker and patches
Some patches (particularly those touching Secure Boot or UEFI certificates) can trigger BitLocker recovery loops on specific hardware. Suspend BitLocker for one reboot before deploying suspected high-risk patches to your pilot ring.
VDI base image refresh
Non-persistent VDI images need the patch applied at the golden image level. Patch the base image, seal it, and re-publish before the patch deadline. Persistent desktops patch like physical endpoints.