ππͺπ» UR β Production
What this ring is for π’β
The default ring. Roughly 70 to 80% of devices live here. By the time an update reaches Production it has been through Fast and Pre-Release, seen two patch cycles of upstream signal, and either survived or been quietly pulled by Microsoft. So Production gets the boring patches. Which is the point. π
Production updates are slower, quieter, and less interactive than the upper rings. Notifications are minimized. The pause button is removed. Deadlines stretch into full work weeks. This is the cohort the helpdesk does not want to hear from.
Production is also the rollback target for the upper rings. When a device leaves Fast or Pre-Release (role change, person leaves, whatever), it falls into Production via the All-Devices default. Production then writes its values over whatever the upper ring tattooed. No reset policy, no transitional state, no drama. The ring set handles itself. πͺ
Why this matters πβ
Production is where two opposing forces meet: security needs the patch fast, the business needs the patch to not break anything. The upstream rings absorb the "does this thing break stuff" risk, so by the time Production receives the update, that question is already answered. What Production gets is mostly the "we're patched against the CVE" half of the deal, with the breakage half de-risked.
Don't push Production deferrals past 14 days for quality updates. Past that you're sitting on known CVEs longer than any cyberinsurer wants to read about during an incident postmortem. 14-day quality / 30-day feature is the slowest you can credibly run for an MKB tenant that wants their cyber-coverage premiums to stay sane. πΈ
π οΈ Configuration Settingsβ
All settings under Settings Catalog β Windows Update (CSP: ./Vendor/MSFT/Policy/Config/Update/*). Device scope.
Update servicingβ
| Setting | Value | Why |
|---|---|---|
Microsoft product updates (AllowMUUpdateService) | Allow | Same servicing scope as the other rings. |
Windows drivers (ExcludeWUDriversInQualityUpdate) | Block | Drivers via the dedicated profile. |
Enable pre-release builds (BranchReadinessLevel) | Not configured | GA channel only. |
| Upgrade Windows 10 devices to latest Windows 11 release | No | Production is not the right place to surprise users with a major version upgrade. Handle Win11 upgrade campaigns explicitly per tenant, with comms. |
Deferralβ
| Setting | Value | Why |
|---|---|---|
Quality update deferral period (days) (DeferQualityUpdatesPeriodInDays) | 14 | Two full patch-cycle weeks of upstream signal. Past 14 days crosses into "you're sitting on known CVEs longer than your cyberinsurer is comfortable with." |
Feature update deferral period (days) (DeferFeatureUpdatesPeriodInDays) | 30 | One full month of community plus upper-ring signal before Production touches a feature update. |
Set feature update uninstall period (ConfigureFeatureUpdateUninstallPeriod) | 30 | Same uninstall window across rings. |
Install and restart behaviorβ
| Setting | Value | Why |
|---|---|---|
Automatic update behavior (AllowAutoUpdate) | Auto install and restart at maintenance time | Same shape as the upper rings. |
| Active hours start | 07:00 | |
| Active hours end | 19:00 |
Deadlinesβ
| Setting | Value | Why |
|---|---|---|
| Use deadline settings | Allow | |
Deadline for quality updates (ConfigureDeadlineForQualityUpdates) | 7 days | A full work week to install. Combined with the 14-day deferral, that's three weeks of total runway from Patch Tuesday. |
Deadline for feature updates (ConfigureDeadlineForFeatureUpdates) | 7 days | Same workweek deadline. Feature updates already have a 30-day deferral on top. |
Grace period (ConfigureDeadlineGracePeriod) | 2 days | Two days of grace after the deadline. |
Auto reboot before deadline (ConfigureDeadlineNoAutoReboot) | Yes (reboot before deadline) | Out-of-hours reboot is preferred. |
User experienceβ
| Setting | Value | Why |
|---|---|---|
Option to pause Windows updates (SetDisablePauseUXAccess) | Disable | Production users pausing turns into "stuck at N-3 cumulative updates forever." Remove the button. They will not miss it. π« |
Option to check for Windows updates (SetDisableUXWUAccess) | Enable | Letting users check manually is fine. Reduces tickets when someone wants to install ahead of schedule. |
Change notification update level (UpdateNotificationLevel) | Turn off all notifications, excluding restart warnings | Production users do not need a popup for every cumulative update. Restart warnings stay, because those are actually actionable. |
Caveats β οΈβ
License fit. Settings Catalog on Windows 11 Pro/Business with M365 Business Premium. No tier-up needed.
Default assignment philosophy. Production assigns to All Devices, with the upper rings excluded. A device that isn't explicitly placed in Fast or Pre-Release lands here by default. Means nothing slips through a group-membership oversight. Belt and suspenders. πͺ’
Pause disabled is intentional. Removing pause access on Production is the single most helpdesk-saving setting in the whole strategy. It also means a user who genuinely needs to pause (away from base on a critical demo, traveling, mid-presentation) has no escape hatch. They need to be moved to Pre-Release temporarily, which is a deliberate action with a paper trail. That trade is absolutely worth it.
24/7 devices (signage, hospital displays, transport kiosks, anything with no out-of-hours window) have their own ring: ππͺπ» UR β Always-On (24/7). Always-On installs updates silently but leaves the restart to a human, coordinated via a maintenance window. Don't blanket-exclude 24/7 devices from updates. Put them in Always-On instead. Most MKB tenants will have zero devices in Always-On. Some hospitality, healthcare, signage-heavy tenants will have a handful. Either way, the architecture is in place.
Reversibility. Every Production setting tattoos. Because the four rings are symmetric (same settings, different values), any device that moves into Production gets its previous ring's tattoo overwritten by Production values on next refresh. A device leaving Production entirely (decommissioning) keeps the Production values tattooed forever, which is irrelevant because MDM is going away anyway. There's no "leaving Production back to unmanaged" use case in normal operation.
Promotion path. When a device comes out of Fast or Pre-Release (role change, person leaves, whatever):
- Remove from the upper-ring group
- Device falls into Production via the All-Devices default
- Next configuration refresh: Production policy applies and overwrites the upper ring's tattooed values
No exemption group. No reset policy. No transitional state. The ring set handles itself. π―
π‘ SuperVision tipβ
Baseline policy. Golden Master β Windows β Windows Updates β Update Rings β Production. Assigned to All Devices with the three other ring groups (Fast, Pre-Release, Always-On) excluded so a device on those rings doesn't double-apply Production deferrals. Kiosks, IoT, and W365 Boot devices are not excluded. They need security patches like everything else, and they get them via Production by default. See the 24/7 caveat above for the genuine exception (Always-On ring).
Tag candidates: none. Production deferral, deadline, and notification settings are baseline policy, not tenant preferences.
Drift detection. Higher priority than Fast and Pre-Release because the cohort is the whole fleet. The most common drift cause is the pause-access setting flipping back on after a Windows feature update reshuffles the Settings UI. Check quarterly. Alarm if it flips.
Multi-tenant scaling. Identical across every tenant. Production is the most uniform of the four rings precisely because it's the default. Variance lives in the upper rings.
π₯ Group Assignmentsβ
β Included groups:β
All Devices
β Excluded groups:β
- π‘οΈπͺπ»ππGroup - Update Ring β Fast (Early Access)
- π‘οΈπͺπ»ππGroup - Update Ring β Pre-Release (Acceptance)
- π‘οΈπͺπ»ππGroup - Update Ring β Always-On (24/7)
Why? Production is the default ring. The only exclusions are the other ring cohorts (Fast, Pre-Release, Always-On). Every other device, including kiosks, IoT, signage, W365 Boot clients, lives here. Those devices still need security patches; they just get them on Production's slower cadence and out-of-hours restart window. Pre-excluding device classes from update management is a worse-security posture, not a better-operational one.
Standardize like a pro. Configure with intent. And remember: the goal of Production isn't to be slow. It's to be quiet. π€«