To achieve some form of Development Test Acceptance Production (DTAP) process in Intune we like to use deployment rings to manage this. In this post, I will go through how to approach this.

Deployment Rings

Within the Modern Workplace environments, we provide to our customers, we have the concept of Deployment Rings. These deployment rings define the order in which we will deploy updates or policies to the environment. Currently, 3 deployment rings are determined to get a DTP process. Because we use an assignment of policies to users only, take in mind that these deployment rings can be created with device groups as well.

• Deployment Ring 1, everyone with an IT-related function
• Deployment Ring 2, a representative set of end users working within the business
• Deployment Ring 3 (contains everyone)

We like to use standard deployment rings with specific release moments:

  • Deployment Ring 1 receives the deployment immediately.
  • Deployment Ring 2 receives the deployment after 7 days, only when Ring 1 accepts it.
  • Deployment Ring 3 receives the deployment after 14 days, only when Ring 2 accepts it.

To get this working create 3 security groups: Ring1, Ring2, and Ring3 (where every user is a member of Ring3). How this all is going to work out will be in the following chapters.

deployment rings

Windows update in rings

Let’s take the installation of Windows Updates, these use the deployment rings (which align with MS best practices). We will take the basis of the deployment rings, but we add quality and feature updates to the deployment rings:

  • Deployment Ring 1 receives both the monthly quality and yearly feature updates provided by Microsoft on the day that they are released
  • Deployment Ring 2 receives the quality update after 3 days and the feature update after 7 days
  • Deployment Ring 3 receives the quality update after 7 days and the feature update after 14 days
deployment rings windows update

How does this look inside the policy for deployment ring 1:

Deployment ring 1

This policy will be assigned to the security group Ring1 which everyone with IT-related functions is a member of.

How does this look inside the policy for deployment ring 2:

deployment ring 3

This policy will be assigned to the security group Ring2 which a representative set of end users are a member of.

How does this look inside the policy for deployment ring 3:

This policy will be assigned to the security group Ring3 which everyone is a member.

Policies in rings

For configuration policies, we also want to create deployment rings because we are working in a production environment. We have to take into account that we have a lot of different devices and users, if we need to change anything there could be an outage in some form. Therefore we created a policy assignment and naming convention to set them to Rings as well.

First, we have to explain how we like to create policies and then specify how we use a naming convention for this. Let’s use a policy like an Edge start page, it can always happen that the company wants to change the page Edge starts up with and that you want to develop and test it before going into production.

That’s why I like to use a naming convention with versioning. On every change how little it is we are going to create a new policy with a version number and test it out. So how will this look if we look at the naming convention?

Naming Convention


  • WIN = Windows
  • USR = User-targeted policy
  • Description = Short description of the policy
  • v.x.x = version of the policy.

Example: WIN-USR-Edge start page-v.0.9

Setting rings to the policy

When testing the new policy we have to do a couple of things because we don’t want to target the Ring3 users but only the users we want to target for the first ring.

Include the Ring1 group in the new policy and exclude Ring2 and Ring3.

deployment rings

After positive feedback from the testing of 7 days, we can include Ring1 and Ring2 and exclude Ring3. After thorough testing over a total of 14 days, we can include only Ring to set the policy to all users. Small sidenote here because it is always possible to do it quicker but these are the standard numbers we like to use when going for a bigger change.

Edge update deployment rings

We want to create deployment rings for the Edge updates, this is done top create an stable modern workplace environment for our users. We are using the following settings for Edge update:

  • Stable channel for Ring 1 and Ring 2
  • Extended stable for our Ring 3 users
Edge update

How to configure this can be found here

Conclusion deployment rings

As we can see almost everything in Intune can be created with deployment rings from Windows updates to configuration policies. We can also create these steps for script, applications and everything in around Intune. Therefore we can do large changes to our customer environments with ease and no hazzle.

2 thoughts on “Deployment rings for everything in Intune”

Comments are closed.