How to Configure Maintenance Windows in Microsoft Intune for Update Control

Set up scheduled maintenance windows in Microsoft Intune to control when Windows updates install and restart devices, preventing disruptions during business hours while maintaining security compliance.

April 25, 2026 12 min
medium · intune · 8 steps · 12 min

Why Configure Maintenance Windows in Microsoft Intune?

Managing Windows updates across an enterprise presents a constant challenge: balancing security requirements with user productivity. Uncontrolled updates can disrupt critical work, force unexpected restarts during presentations, or interrupt long-running processes. Microsoft Intune's maintenance windows feature provides the solution by giving administrators precise control over when updates install and when devices restart.

How Do Maintenance Windows Improve Update Management?

Maintenance windows in Intune leverage the Windows Update CSP (Configuration Service Provider) to enforce scheduled installation and restart times for Windows updates, including quality updates, feature updates, and driver updates. Unlike the softer "active hours" approach that merely suggests when not to restart, maintenance windows provide hard enforcement of update timing. This feature became fully available in Windows 11 24H2 and represents a significant improvement in enterprise update control.

What Makes Intune Maintenance Windows Different from SCCM?

While System Center Configuration Manager (SCCM) has offered maintenance windows for years, Intune's implementation focuses specifically on Windows Update management through cloud-based policies. Intune maintenance windows integrate seamlessly with Windows Update for Business settings and provide centralized control without requiring on-premises infrastructure. The feature supports various recurrence patterns (daily, weekly, monthly) and can be combined with update rings for comprehensive update governance.

This tutorial will walk you through configuring maintenance windows using both the native Intune Settings catalog interface and advanced OMA-URI configurations for granular control. You'll learn to balance security compliance with operational requirements while ensuring updates install reliably during planned maintenance periods.

Implementation Guide

Full Procedure

01

Access the Intune Admin Center and Create Configuration Policy

Start by logging into the Microsoft Intune admin center and creating a new configuration policy specifically for maintenance windows.

Open your browser and navigate to endpoint.microsoft.com. Sign in with your admin credentials. Once logged in, navigate to Devices > Manage devices > Configuration. Click Create and select New policy.

In the policy creation wizard, select:

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

Click Create to proceed to the next step.

Pro tip: Use descriptive naming conventions like "MW-Updates-NonBusinessHours" to easily identify maintenance window policies later.

Verification: You should see the policy creation wizard with the Settings catalog option selected and ready for configuration.

02

Configure Basic Policy Information and Search for Maintenance Window Settings

Now configure the basic policy details and locate the maintenance window settings within the Settings catalog.

In the Basics tab, provide the following information:

  • Name: Maintenance Window - Updates
  • Description: Schedules Windows updates during off-hours to prevent business disruption

Click Next to proceed to the Configuration settings tab. In the Configuration settings section, use the search bar and type Maintenance Window. The search will return settings under the Windows Update category.

Select the following maintenance window settings to add them to your policy:

  • Maintenance Window Enabled
  • Maintenance Window Start Date Time
  • Maintenance Window Duration
  • Maintenance Window Recurrence Type
  • Maintenance Window Governed Actions

Warning: If you don't see maintenance window settings, ensure your target devices are running Windows 11 24H2 or later, as this feature requires the Feature_Containment_UUS_Feature_MaintenanceWindow_59270588 flag.

Verification: You should see all five maintenance window settings added to your configuration policy with their default values displayed.

03

Configure Maintenance Window Schedule and Duration

Configure the specific timing and duration for your maintenance window to align with your organization's non-business hours.

Set the following values for your maintenance window settings:

Maintenance Window Enabled: Set to Enabled

Maintenance Window Start Date Time: Configure the start time using ISO 8601 format. For example, to start at 10 PM on April 28, 2026, enter the following (the trailing Z in ISO 8601 designates UTC):

2026-04-28T22:00:00.000Z

Maintenance Window Duration: Set the duration in minutes. For a 5-hour window, enter 300 minutes.

Maintenance Window Recurrence Type: Choose from the following options:

  • 1 = No repeat (one-time)
  • 2 = Daily
  • 3 = Weekly
  • 4 = Monthly

For most organizations, weekly recurrence (3) works best for regular maintenance schedules.

Maintenance Window Governed Actions: This controls what actions are allowed during the window. Use bitmask values:

  • Install updates: 1
  • Restart device: 2
  • Both install and restart: 3

Pro tip: Schedule maintenance windows during your lowest usage periods. Most organizations find success with weekend nights or early morning hours (2 AM - 6 AM).

Verification: Review all configured values to ensure they match your intended maintenance schedule before proceeding.

04

Assign the Policy to Device Groups

Target your maintenance window policy to the appropriate device groups to ensure it applies to the correct machines in your organization.

Click Next to proceed to the Assignments tab. Here you'll specify which devices or users should receive this maintenance window configuration.

Under Included groups, click Add groups and select the appropriate device groups. Common targeting strategies include:

  • All Windows devices: For organization-wide maintenance windows
  • Department-specific groups: For different schedules per department
  • Device type groups: Separate schedules for laptops vs. desktops

If you need to exclude certain critical devices, use the Excluded groups section to add groups containing servers or always-on workstations.

Warning: Avoid assigning conflicting maintenance window policies to the same devices. The client will prioritize "Software updates" windows over "All deployments" windows, which can cause unexpected behavior.

Click Next to proceed to the review screen.

Verification: Confirm that your selected groups appear in the assignments section and that no conflicting exclusions are present.

05

Review and Deploy the Maintenance Window Policy

Complete the policy creation process by reviewing all settings and deploying the configuration to your selected devices.

On the Review + create tab, carefully review all your configuration settings:

  • Policy name and description
  • Maintenance window schedule and duration
  • Recurrence settings
  • Assigned device groups

If everything looks correct, click Create to deploy the policy. The policy will begin applying to targeted devices within the next sync cycle (typically 8 hours for device configuration policies, but can be faster).

After creation, you can monitor the policy deployment by navigating to Devices > Monitor > Device configuration and selecting your maintenance window policy.

Pro tip: Use the "Sync" option in the Intune portal to force immediate policy application on test devices rather than waiting for the natural sync cycle.

Verification: Check the policy status in the Device configuration monitoring section. You should see deployment progress and any errors for targeted devices.

06

Configure Advanced Settings Using Custom OMA-URI (Optional)

For organizations requiring more granular control over maintenance windows, create a custom OMA-URI policy to access advanced Update CSP settings not available in the Settings catalog UI.

Navigate to Devices > Configuration > Create > New policy. Select:

  • Platform: Windows 10 and later
  • Profile type: Custom

In the custom profile, click Add to create OMA-URI settings. Configure the following advanced settings:

| OMA-URI Path | Data Type | Value Example | Description |
|---|---|---|---|
| ./Vendor/MSFT/Policy/Config/Update/MaintenanceWindow/Enable | Boolean | true | Enable maintenance window |
| ./Vendor/MSFT/Policy/Config/Update/MaintenanceWindow/StartDateTime | String | 2026-04-28T22:00:00.000Z | Window start time |
| ./Vendor/MSFT/Policy/Config/Update/MaintenanceWindow/Duration | Integer | 300 | Duration in minutes |
| ./Vendor/MSFT/Policy/Config/Update/MaintenanceWindow/RecurrenceType | Integer | 3 | Weekly recurrence |

This approach provides more precise control over scheduling that may not be available through the standard UI.

Warning: Custom OMA-URI policies require exact syntax. Test thoroughly on a small group before broad deployment to avoid configuration errors.

Verification: Deploy the custom policy to a test group and check the Windows Update settings on target devices to confirm the maintenance window appears correctly.

07

Integrate with Existing Windows Update Rings

Ensure your maintenance windows work effectively with your existing Windows Update ring configurations for comprehensive update management.

Navigate to Devices > Windows updates > Update rings for Windows 10 and later. Select your existing update ring or create a new one if needed.

Configure the following settings to work optimally with maintenance windows:

Quality update deferral period: Set to 0-7 days to allow updates during maintenance windows

Feature update deferral period: Configure based on your testing requirements (typically 30-180 days)

Installation behavior: Set to "Auto install and restart at maintenance time"

Restart checks: Enable "Skip all restart checks"

{
  "qualityUpdatesDeferralPeriodInDays": 3,
  "featureUpdatesDeferralPeriodInDays": 60,
  "installationBehavior": "autoInstallAtMaintenanceTime",
  "restartChecks": "skip"
}

Assign the update ring to the same device groups as your maintenance window policy to ensure consistent behavior.

Pro tip: Combine short quality update deferrals (3-7 days) with maintenance windows to balance security and stability. This gives you time to test critical updates while ensuring they install during planned windows.

Verification: Check that devices receive both the maintenance window policy and update ring configuration by reviewing policy assignments in the Device configuration monitoring section.

08

Monitor and Troubleshoot Maintenance Window Implementation

Establish monitoring procedures to ensure maintenance windows are working correctly and troubleshoot common issues that may arise.

Monitor maintenance window effectiveness through multiple channels:

Intune Reporting: Navigate to Reports > Windows updates to view update installation patterns and compliance status.

Device-level verification: On target devices, check the following:

# Check maintenance window registry settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "MaintenanceWindow*"

# View Windows Update log for maintenance window activity
Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" | Where-Object {$_.Message -like "*maintenance*"}

Common troubleshooting scenarios:

  • Updates installing outside window: Check for conflicting active hours settings or multiple maintenance window policies
  • Devices not receiving policy: Verify device enrollment status and group membership
  • Maintenance window not enforced: Confirm Windows 11 24H2+ and feature flag availability

For devices powered off during maintenance windows, configure deadline enforcement in your update rings to ensure updates eventually install.

Warning: Maintenance windows have a maximum duration of 24 hours. Longer windows will be automatically truncated by the Windows Update client.

Verification: Run the PowerShell commands above on a test device to confirm maintenance window settings are applied correctly and check update installation logs for compliance.
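
The schedule values from step 3 can also be used to check the first troubleshooting scenario above (updates installing outside the window). The PowerShell below is an added example, not code from this tutorial or from Microsoft: the function names are hypothetical, the sample records are constructed, and it assumes each occurrence repeats from the start timestamp by one day, seven days or one calendar month.

```powershell
# Added example; function names are hypothetical. Assumption: occurrences repeat
# from StartDateTime (every day, every 7 days, or every calendar month). The page
# does not spell out the client's recurrence arithmetic.
function Test-InMaintenanceWindow {
    param(
        [Parameter(Mandatory)][string]$StartDateTime,                     # ISO 8601 string from the policy
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$DurationMinutes,
        [Parameter(Mandatory)][ValidateRange(1, 4)][int]$RecurrenceType,  # 1 once, 2 daily, 3 weekly, 4 monthly
        [Parameter(Mandatory)][DateTimeOffset]$At
    )
    $styles  = [System.Globalization.DateTimeStyles]::AssumeUniversal
    $start   = [DateTimeOffset]::Parse($StartDateTime, [cultureinfo]::InvariantCulture, $styles).ToUniversalTime()
    $t       = $At.ToUniversalTime()                  # compare everything in UTC
    $minutes = [Math]::Min($DurationMinutes, 1440)    # page: windows longer than 24 hours are truncated
    if ($t -lt $start) { return $false }              # before the first occurrence

    # Find the most recent occurrence start that is not after $t.
    switch ($RecurrenceType) {
        1 { $occ = $start }
        2 { $occ = $start.AddDays([Math]::Floor(($t - $start).TotalDays)) }
        3 { $occ = $start.AddDays(7 * [Math]::Floor(($t - $start).TotalDays / 7)) }
        4 {
            $months = ($t.Year - $start.Year) * 12 + ($t.Month - $start.Month)
            $occ = $start.AddMonths($months)
            if ($occ -gt $t) { $occ = $start.AddMonths($months - 1) }
        }
    }
    return ($t -lt $occ.AddMinutes($minutes))
}

function Find-OutOfWindowEvent {
    param([Parameter(Mandatory)][hashtable]$Window, [Parameter(Mandatory)][object[]]$Records)
    # Keep only the records whose timestamp is outside every window occurrence.
    $Records | Where-Object { -not (Test-InMaintenanceWindow @Window -At $_.TimeCreated) }
}

# Values from step 3 of the tutorial: 22:00 UTC start, 300 minutes, weekly (3).
$window = @{ StartDateTime = '2026-04-28T22:00:00.000Z'; DurationMinutes = 300; RecurrenceType = 3 }

# Constructed sample records standing in for Get-WinEvent output (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = [DateTimeOffset]'2026-04-28T21:00:00Z'; Message = 'constructed: before first window' }
    [pscustomobject]@{ TimeCreated = [DateTimeOffset]'2026-05-05T23:30:00Z'; Message = 'constructed: inside second weekly window' }
    [pscustomobject]@{ TimeCreated = [DateTimeOffset]'2026-05-06T02:59:00Z'; Message = 'constructed: last minute of window' }
    [pscustomobject]@{ TimeCreated = [DateTimeOffset]'2026-05-07T14:05:00Z'; Message = 'constructed: weekday afternoon' }
)
Find-OutOfWindowEvent -Window $window -Records $sample | Format-Table TimeCreated, Message
```

With live data, pass the records returned by the Get-WinEvent query above as -Records; their TimeCreated values are local-time [datetime] objects, which PowerShell converts to DateTimeOffset before the UTC comparison.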

Frequently Asked Questions

What Windows versions support Intune maintenance windows?

Maintenance windows in Microsoft Intune require Windows 11 24H2 or later versions. The feature depends on the Feature_Containment_UUS_Feature_MaintenanceWindow_59270588 flag being enabled in the Windows build. Earlier Windows versions, including Windows 10, do not support this Intune-managed maintenance window functionality, though they can still use traditional active hours settings.

Can maintenance windows prevent updates if the device is powered off?

No, maintenance windows cannot enforce update installation if the device is powered off during the scheduled window. Windows Update will skip the maintenance window if the device is not available. To address this limitation, configure deadline enforcement in your Windows Update rings to ensure updates eventually install even if devices miss their maintenance windows.

How do maintenance windows interact with existing active hours settings?

Maintenance windows override and replace active hours settings when configured through Intune. While active hours provide soft guidance about when not to restart, maintenance windows enforce hard scheduling for when updates must install and restart. If both are configured, the maintenance window takes priority and active hours are effectively ignored for update-related restarts.

What happens if multiple maintenance window policies target the same device?

When multiple maintenance window policies target the same device, Windows prioritizes "Software updates" maintenance windows over "All deployments" windows. This can cause conflicts and unexpected behavior. To avoid issues, ensure only one maintenance window policy applies to each device group, or use the "Enable installation of updates in All deployments maintenance window" client setting to allow broader maintenance window usage.

Can I schedule different maintenance windows for different types of updates?

Currently, Intune maintenance windows apply to all Windows updates (quality, feature, and driver updates) uniformly. You cannot create separate maintenance windows for different update types within the same policy. However, you can create multiple policies targeting different device groups if you need varying schedules for different departments or device types, and combine this with update ring deferrals to control update timing more granularly.
