ππͺπ» UR β Fast (Early Access)
What this ring is for πβ
This is your canary cohort. A small, technically-literate crew of devices that take Microsoft's updates a few days ahead of everyone else, so when something breaks it breaks on them first. Not on payroll. Not on the CFO's laptop the morning of the board meeting.
A common mistake is setting Fast to "zero deferral". Don't. Microsoft itself pulls bad patches in the first 24 to 48 hours after release. Zero deferral means your canaries catch every single one of those known-bad updates with the rest of the fleet hot on their heels. A 2-day quality buffer dodges the headline-grade rollbacks while still giving you a clear week of head start on Production. That's the actual job.
Devices live in exactly one ring at a time. When you pull a device out of Fast, it lands in Production via the All-Devices default. Production then rewrites the tattooed values on the next sync. The next ring is the reset. No special inverse policy needed. πͺ
Why this matters πβ
Picture Patch Tuesday without a Fast ring. Microsoft ships, every single device in your tenant grabs the update on the same day, and if there's a regression, your entire fleet meets it together. So does your helpdesk. So does your weekend.
With a Fast ring you get:
- A handful of IT and power users who notice things going sideways early
- A few days of real-world signal before the broader rollout
- Time for Pre-Release to validate that signal against the actual hardware mix
- Production updates that arrive with two patch cycles of upstream confidence behind them
Size the cohort at 5 to 10% of the fleet. Smaller and you don't catch device-specific issues (you just have IT laptops, which are not representative). Bigger and you've quietly built a second Production ring nobody is actually monitoring. The point is attention, not coverage. π
π οΈ Configuration Settingsβ
All settings live under the Settings Catalog β Windows Update category (CSP: ./Vendor/MSFT/Policy/Config/Update/*). Device scope.
Update servicingβ
| Setting | Value | Why |
|---|---|---|
Microsoft product updates (AllowMUUpdateService) | Allow | Scan and patch Office runtime, .NET, Visual C++ redistributables alongside Windows. The single most-skipped setting in the entire catalog, and you absolutely want it on. |
Windows drivers (ExcludeWUDriversInQualityUpdate) | Block | Drivers belong to the dedicated Driver Update profile, not this ring. Blocking here stops a Realtek update from cannonballing into your managed driver flow at 11pm on a Tuesday. |
Enable pre-release builds (BranchReadinessLevel) | Not configured | Stay on the GA channel with a short deferral. Do not set this to Beta or Dev or Release Preview. That moves the device into the Windows Insider Program, which is a completely different rollout train aimed at unreleased Windows builds. Fast ring β Insider ring. |
| Upgrade Windows 10 devices to latest Windows 11 release | Yes | If there's still a Win10 holdout on the tenant in 2026, the Fast cohort is the right place to nudge it forward. |
Deferralβ
| Setting | Value | Why |
|---|---|---|
Quality update deferral period (days) (DeferQualityUpdatesPeriodInDays) | 2 | Dodges the first-48h pull-back window without giving up the early-warning role. |
Feature update deferral period (days) (DeferFeatureUpdatesPeriodInDays) | 7 | One week of community signal before Fast pulls a feature update. |
Set feature update uninstall period (ConfigureFeatureUpdateUninstallPeriod) | 30 | The default of 10 days is too tight to catch app-compat regressions that surface weeks later. |
Install and restart behaviorβ
| Setting | Value | Why |
|---|---|---|
Automatic update behavior (AllowAutoUpdate) | Auto install and restart at maintenance time | Standard behavior across all rings. What changes between rings is when, not how. |
| Active hours start | 07:00 | One-hour buffer before the standard workday. |
| Active hours end | 19:00 | Covers evening overflow without making restarts impossible. |
Deadlinesβ
| Setting | Value | Why |
|---|---|---|
| Use deadline settings | Allow | Without a deadline, the deferral is a suggestion and the user is the one running your security posture. |
Deadline for quality updates (ConfigureDeadlineForQualityUpdates) | 3 days | Fast users are technical and can absorb a short deadline. The whole testing role depends on the patch actually installing. |
Deadline for feature updates (ConfigureDeadlineForFeatureUpdates) | 5 days | Fast feedback loop on feature updates. Max permitted is 30, but anything over a week defeats the purpose. |
Grace period (ConfigureDeadlineGracePeriod) | 2 days | Two days of "one more reschedule please" after the deadline. |
Auto reboot before deadline (ConfigureDeadlineNoAutoReboot) | Yes (reboot before deadline) | Lets the device reboot out of hours on its own before forcing the issue interactively. |
User experienceβ
| Setting | Value | Why |
|---|---|---|
Option to pause Windows updates (SetDisablePauseUXAccess) | Enable | Fast users are technical. If a known-bad update is mid-rollout and they need to pause for a day, let them. They'll thank you. |
Option to check for Windows updates (SetDisableUXWUAccess) | Enable | Letting users hit "Check for updates" is harmless and reduces tickets. |
Change notification update level (UpdateNotificationLevel) | Default | Fast users want to see what's happening. Hiding notifications from your canaries is silly. |
Caveats β οΈβ
License fit. Settings Catalog β Windows Update profile runs on Windows 11 Pro/Business with M365 Business Premium. No tier-up needed. Driver Update profiles (the doc that companions this ring) also work on Pro/Business.
Hotpatch is not for you here. The headline 2025/26 Update feature is restart-free quality patching ("hotpatch"). It requires Windows 11 Enterprise 24H2 with VBS. Pro and Business cannot use it. This ring runs traditional restart-required updates. Sorry. π
Insider Program is NOT this ring. Worth repeating because this is a popular trap. The Windows Insider Program (Dev / Beta / Release Preview channels) is a separate rollout train for unreleased Windows builds. It is not "earlier GA patches". Do not set BranchReadinessLevel to Insider values just because the word "Fast" sounds similar. You will get Microsoft's preview bits, not earlier security patches, and your canary cohort will be testing things that may never ship. π
Reversibility, handled by the next ring. Almost every setting here writes to the Windows Update CSP, and those values tattoo. Microsoft Learn says it bluntly for DeferQualityUpdates: "Setting this policy back to 0 or Not configured doesn't revert the configuration."
Normally that means a paired inverse policy. The Update Ring strategy handles it differently. The three rings are symmetric: every setting in Fast also lives in Pre-Release and Production with their own explicit values. Move a device between rings and the new ring's policy overwrites the previous tattoo on next refresh. No reset policy needed, because the next ring is the reset. π―
The only case this doesn't cover is a device that needs to live outside any ring with no managed update behavior at all. That's a decommissioning scenario where MDM is being torn down anyway, so the tattoo no longer matters. Don't build a transitional "reset" policy for the case where the device is already leaving management.
Pause is binary in policy, not a duration. SetDisablePauseUXAccess only controls whether the user can pause from the Settings UI. The 35-day max that shows up in Settings is a Windows hard limit, not something this policy configures. People get this wrong constantly.
π‘ SuperVision tipβ
Baseline policy. Lives in the Golden Master under Windows β Windows Updates β Update Rings β Fast (Early Access), assigned to π‘οΈπͺπ»ππGroup - Update Ring β Fast (Early Access) and nothing else.
Tag candidates: none. Deferral numbers, deadlines, and pause behavior are ring identity, not tenant preferences. A Fast ring that lets one tenant override its deferral matrix is no longer a Fast ring. It's a Fast-ish ring. Which is no ring at all.
No exception group. Devices leaving Fast move into Pre-Release or Production via group membership change. The receiving ring's policy overwrites the tattooed values cleanly. The traditional "exemption group + paired inverse" pattern doesn't apply here because the ring set itself provides the rollback path. Less stuff to maintain. π§Ή
Drift detection. Quarterly check on a sample. The values most likely to drift are the deferral days, because helpdesk scripts and Group Policy remnants from older MDM setups love flipping them.
Multi-tenant scaling. Policy is identical across customers. The variable is who's in the included group per tenant. 5 to 10% of the fleet, capped at whatever the MSP can actually triage in a week. A Fast ring of 200 devices nobody is watching is just a faster way to break 200 devices. π₯
π₯ Group Assignmentsβ
β Included groups:β
β Excluded groups:β
None. Fast is opt-in via group membership. If a device is in the group, it's in this ring.
Standardize like a pro. Configure with intent. And never roll out a major Windows update on a Friday afternoon. Ever. π