servicing rings Archives

Winsage

July 21, 2025

How to use Windows Update for Business with Group Policy

Windows administrators need to keep their systems updated for security and performance, with control over the timing and type of updates being crucial. There are three primary methods for managing Windows updates: 1. Per-client updates: Default for standalone clients, offering minimal control. 2. Windows Server Update Services (WSUS): Centralized management since 2005, allowing extensive control but requiring more administrative effort. 3. Windows Update for Business (WUfB): A cloud-based model providing greater control through tools like Group Policy and Mobile Device Management (MDM). WUfB offers several advantages, including policy-based management, granular control over deployments, and the elimination of on-premises WSUS servers. To implement WUfB, organizations must meet specific requirements, including using Windows 10/11 Pro, Enterprise, or Team editions, Azure AD joining, and having the necessary licenses such as Microsoft 365 Business Premium. Administrators can defer feature updates for up to 365 days and quality updates for up to 30 days using Group Policy. They can create servicing rings for managing update deployments, such as testing, pilot, and rollout rings. Configuration involves creating Group Policy Objects (GPOs) linked to the appropriate Organizational Units (OUs) and setting relevant policies. WUfB reporting is available through the Azure Portal, allowing administrators to monitor update statuses and troubleshoot devices.

Winsage

March 27, 2025

How to optimize Windows Update for Business policies

The transition to cloud-native endpoint management is changing Windows device management, particularly regarding Windows Update. IT administrators are increasingly relying on Windows Update services for security patches and features. Microsoft has introduced Windows Update for Business to give IT administrators better control over update policies through Group Policy or Mobile Device Management (MDM). Effective management requires understanding which policies to implement for specific desktops. The best approach for managing monthly updates is through servicing rings, which group Windows devices and assign specific update cadences and policies. This method allows controlled rollouts of updates, enabling administrators to prioritize stability and minimize disruption by testing updates on pilot groups before wider deployment. Windows Update for Business manages three update channels: the General Availability Channel for immediate feature updates, the Long-Term Servicing Channel (LTSC) for stability-focused devices, and the Windows Insider Program for testing updates. Administrators can control these channels using specific Group Policy Object (GPO) settings. Two primary update release types are managed: quality updates, which are released monthly and can be deferred for up to 30 days, and feature updates, which are annual and can be deferred for up to 365 days. Administrators can pause the deployment of updates temporarily for up to 35 days. Driver updates are also managed through Windows Update, with options to include or exclude them in monthly quality updates. Optional updates, available monthly, can be controlled using specific GPO and MDM settings.