How to optimize Windows Update for Business policies

The transition to cloud-native endpoint management is reshaping the landscape of Windows device management, particularly in the realm of Windows Update. IT administrators find themselves increasingly reliant on Windows Update services to ensure that their organization’s devices are consistently updated with the latest security patches and features. In response to this need, Microsoft has rolled out the complimentary Windows Update for Business, designed to empower IT administrators with enhanced control over update policies. Through the use of Group Policy or Mobile Device Management (MDM) policies, administrators can tailor various settings to regulate the update processes for Windows devices, thereby granting organizations greater oversight of available security updates and features. However, a clear understanding of which policies to implement for specific desktops is crucial for effective management.

What is the best approach for managing monthly updates?

For IT administrators tasked with servicing Windows devices, the most effective strategy involves the utilization of servicing rings, also known as update rings. This method allows for the controlled rollout of the latest security updates and Windows features, providing organizations with significant control over multiple facets of the update process.

Servicing rings operate by grouping Windows devices into distinct sets, with each ring possessing its own update cadence and policy tailored to the devices assigned to it. A pivotal aspect of this approach is the configuration of update deferrals and installation deadlines. Administrators can leverage these configurations to dictate when devices will receive and install the latest updates, thus enabling a gradual introduction of updates within the organization while prioritizing stability where it is most critical.

By implementing multiple servicing rings, IT administrators can segment devices into various update waves. This strategy allows organizations to first deploy updates to pilot and test groups of Windows devices. Should any issues arise, the IT administrator can swiftly pause the rollout, preventing disruption across the entire organization. This method equips IT with the necessary tools to introduce updates incrementally, minimizing potential downtime.

In essence, servicing rings represent the foundational requirement for IT administrators aiming to ensure that Windows devices within their organization remain current with the latest security and feature updates.

What are the most important settings for Windows Update for Business?

Utilizing servicing rings within Windows Update for Business can mitigate the adverse effects of new updates while still facilitating a timely update process for Windows systems. While this is a widely recognized benefit, there are numerous other critical settings that IT can harness to refine both their update strategy and the overall user experience.

Update channels Windows Update for Business can manage

The initial step in any configuration should involve selecting the desired update channel. Currently, there are three available channels, one of which is designated for a separate installation of Windows.

  • General Availability Channel: This channel receives feature updates immediately upon availability and is intended for the average user and Windows device.
  • Long-Term Servicing Channel (LTSC): This channel is more static, receiving feature updates only once every two to three years, and is aimed at specialized devices that prioritize stability above all else.
  • Windows Insider Program: This program allows organizations to test feature updates prior to their general availability. Participants can choose from the Canary Channel, Dev Channel, Beta Channel, and Release Preview Channel, using dedicated testing operating systems for this purpose.

The setting for managing the update channel is governed by the Select when Preview Builds and Feature Updates are received Group Policy Object (GPO) setting and the BranchReadinessLevel setting in MDM, each with distinct values for every channel. The LTSC channel, however, is meant exclusively for specialized devices such as ATMs and necessitates a separate Windows installation.

Furthermore, IT administrators may wish to restrict users from enabling or disabling the installation of preview builds on their devices. This control can enhance the user experience and ensure optimal performance. This can be achieved through the Manage preview builds GPO setting and the ManagePreviewBuilds setting in MDM.

Update release types that Windows Update for Business can manage

Once the update channel has been established for various Windows devices, another vital configuration involves the deployment of different update release types. There are two primary release types available:

  • Quality updates: These monthly updates are released every second Tuesday of the month, known as Patch Tuesday. They provide essential security and reliability fixes, often introducing new functionalities. The key setting for managing quality updates is to configure when devices should receive them, controlled via the Select when Quality Updates are received GPO setting and the DeferQualityUpdatesPeriodInDays setting in MDM, allowing for a deferral period of up to 30 days.
  • Feature updates: These annual updates introduce new Windows versions, such as Windows 11 version 24, and aggregate previous quality updates. The primary setting for managing feature updates is to determine when devices should receive them, controlled by the Select when feature updates are received GPO setting and the DeferFeatureUpdatesPeriodInDays setting in MDM, which permits a deferral of up to 365 days.

If necessary, IT can temporarily pause the deployment of different update release types for up to 35 days. Administrators using Group Policy can apply the same setting to pause updates, while those utilizing MDM can adjust the PauseFeatureUpdatesStartTime setting for feature updates and the PauseQualityUpdatesStartTime setting for quality updates.
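The following PowerShell is an added example, not code from the article or from Microsoft, that ties the servicing-ring idea to the deferral settings just described. It defines a hypothetical three-ring design, checks each ring's deferrals against the limits the article gives (30 days for quality updates, 365 days for feature updates), computes the date on which each ring is first offered a given Patch Tuesday release, and writes one ring's values to the local policy registry key that the Group Policy and MDM deferral settings populate on a client. The ring names, deferral numbers and registry path are this example's assumptions; in production these values would come from Group Policy or Intune rather than a script.

```powershell
# Added example: plan servicing rings and apply their Windows Update for Business
# deferral policies. Ring names and deferral values are assumptions for illustration.
# Assumed policy location: the key written by the WUfB Group Policy/MDM settings.
$WufbPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Hypothetical ring design: pilot gets updates immediately, broad waits a week,
# critical systems wait three weeks for quality and half a year for feature updates.
$Rings = @(
    [pscustomobject]@{ Name = 'Pilot';    QualityDeferDays = 0;  FeatureDeferDays = 0   }
    [pscustomobject]@{ Name = 'Broad';    QualityDeferDays = 7;  FeatureDeferDays = 30  }
    [pscustomobject]@{ Name = 'Critical'; QualityDeferDays = 21; FeatureDeferDays = 180 }
)

function Get-PatchTuesday {
    # Second Tuesday of the month that contains $Date.
    param([datetime]$Date = (Get-Date))
    $first  = [datetime]::new($Date.Year, $Date.Month, 1)
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Test-RingDeferral {
    # Enforce the deferral ranges the policies accept (0-30 quality, 0-365 feature).
    param([Parameter(Mandatory)]$Ring)
    if ($Ring.QualityDeferDays -lt 0 -or $Ring.QualityDeferDays -gt 30) {
        throw "$($Ring.Name): quality update deferral must be between 0 and 30 days"
    }
    if ($Ring.FeatureDeferDays -lt 0 -or $Ring.FeatureDeferDays -gt 365) {
        throw "$($Ring.Name): feature update deferral must be between 0 and 365 days"
    }
}

function Get-RingSchedule {
    # Date on which each ring is first offered the quality update released on $PatchTuesday.
    param([datetime]$PatchTuesday = (Get-PatchTuesday))
    foreach ($r in $Rings) {
        Test-RingDeferral $r
        [pscustomobject]@{
            Ring             = $r.Name
            QualityOffered   = $PatchTuesday.AddDays($r.QualityDeferDays).ToString('yyyy-MM-dd')
            FeatureDeferDays = $r.FeatureDeferDays
        }
    }
}

function Set-RingPolicy {
    # Write one ring's deferral values locally (run elevated). Normally Group Policy
    # or MDM sets these; this shows which values the ring design maps onto.
    param([Parameter(Mandatory)][string]$RingName)
    $r = $Rings | Where-Object Name -eq $RingName
    if (-not $r) { throw "Unknown ring '$RingName'" }
    Test-RingDeferral $r
    if (-not (Test-Path $WufbPolicyKey)) { New-Item -Path $WufbPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $WufbPolicyKey -Name DeferQualityUpdates              -Value 1                   -Type DWord
    Set-ItemProperty -Path $WufbPolicyKey -Name DeferQualityUpdatesPeriodInDays  -Value $r.QualityDeferDays -Type DWord
    Set-ItemProperty -Path $WufbPolicyKey -Name DeferFeatureUpdates              -Value 1                   -Type DWord
    Set-ItemProperty -Path $WufbPolicyKey -Name DeferFeatureUpdatesPeriodInDays  -Value $r.FeatureDeferDays -Type DWord
}

# Show the rollout schedule for the current month's Patch Tuesday.
Get-RingSchedule | Format-Table -AutoSize
# Example: Set-RingPolicy -RingName 'Broad'
```

Because the offered date is computed from the deferral alone, the schedule is a planning view; the installation deadline settings the article mentions determine when a device actually finishes installing, so the real window for catching a bad update in the pilot ring is the gap between rings plus whatever deadline the broad ring is given.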

How Windows Update for Business can manage driver updates

Device driver updates are a crucial component of modern Windows Update, as hardware vendors increasingly adopt this distribution model. This shift simplifies the process of keeping hardware drivers up to date. However, administrators may occasionally require additional control.

Admins can enable or disable driver updates included in the monthly quality updates through the Do not include drivers with Windows Updates GPO setting and the ExcludeWUDriversInQualityUpdate MDM setting. It is important to note that this behavior does not extend to drivers provided with the operating system.

Manage optional updates via Windows Update for Business

Another noteworthy configuration for IT to consider involves managing optional updates released via Windows Update. These updates are typically available every fourth Tuesday of the month and provide new features and non-security updates, often referred to as optional non-security preview releases. IT can control these updates using the Enable optional updates GPO setting and the AllowOptionalContent MDM setting.
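As an added example (not part of the article), the following PowerShell audits the settings covered in the preceding sections on a single device by reading the policy registry key that the corresponding Group Policy and MDM settings write, and reports the findings an administrator would want to check: the selected channel, deferrals outside the documented ranges, pauses that have already passed the 35-day limit, excluded driver updates, managed preview builds and optional content. The registry path, the channel name mapping for BranchReadinessLevel and the constructed sample policy object are assumptions of this example.

```powershell
# Added example: audit Windows Update for Business policy values on a device.
# Assumed policy location: the key populated by the WUfB Group Policy/MDM settings.
$WufbPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Assumed mapping of BranchReadinessLevel values to channel names (Update CSP values).
$BranchNames = @{ 2 = 'Dev Channel'; 4 = 'Beta Channel'; 8 = 'Release Preview Channel'; 16 = 'General Availability Channel' }

function Get-WufbPolicy {
    # Read the policy values; returns $null when no policy is applied.
    param([string]$Path = $WufbPolicyKey)
    if (-not (Test-Path $Path)) { return $null }
    return Get-ItemProperty -Path $Path
}

function Get-WufbFindings {
    # Evaluate a policy object (from the registry or a constructed sample) and
    # return a list of human-readable findings.
    param($Policy = (Get-WufbPolicy), [datetime]$Now = (Get-Date))
    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $Policy) {
        $findings.Add('No WUfB policy key present; device follows Windows Update defaults')
        return $findings
    }

    # Update channel (BranchReadinessLevel).
    if ($null -ne $Policy.BranchReadinessLevel) {
        $channel = $BranchNames[[int]$Policy.BranchReadinessLevel]
        if (-not $channel) { $channel = 'unrecognized value' }
        $findings.Add("Channel: $channel (BranchReadinessLevel=$($Policy.BranchReadinessLevel))")
    }

    # Deferral ranges from the article: 30 days quality, 365 days feature.
    if ($Policy.DeferQualityUpdatesPeriodInDays -gt 30)  { $findings.Add('Quality update deferral exceeds the 30-day maximum') }
    if ($Policy.DeferFeatureUpdatesPeriodInDays -gt 365) { $findings.Add('Feature update deferral exceeds the 365-day maximum') }

    # Pauses expire 35 days after their start time; an old start time means updates resumed.
    foreach ($pauseName in 'PauseQualityUpdatesStartTime', 'PauseFeatureUpdatesStartTime') {
        $raw = $Policy.$pauseName
        if (-not $raw) { continue }
        try { $start = [datetime]::Parse($raw) } catch { $findings.Add("$pauseName has an unparseable value '$raw'"); continue }
        $age = ($Now - $start).Days
        if ($age -gt 35) { $findings.Add("$pauseName was set $age days ago; the 35-day pause has expired") }
        else             { $findings.Add("$pauseName active, $(35 - $age) day(s) of pause remaining") }
    }

    # Driver, preview build and optional content controls.
    if ($Policy.ExcludeWUDriversInQualityUpdate -eq 1) { $findings.Add('Driver updates are excluded from quality updates') }
    if ($Policy.ManagePreviewBuilds -eq 1)             { $findings.Add('Preview build enrollment is controlled by policy, not by the user') }
    if ($Policy.AllowOptionalContent)                  { $findings.Add("Optional updates enabled (AllowOptionalContent=$($Policy.AllowOptionalContent))") }
    if ($findings.Count -eq 0) { $findings.Add('Policy key present; no notable settings found') }
    return $findings
}

# Constructed sample so the audit can be exercised without elevated rights or a real policy.
$SamplePolicy = [pscustomobject]@{
    BranchReadinessLevel            = 16
    DeferQualityUpdatesPeriodInDays = 7
    PauseQualityUpdatesStartTime    = '2024-01-10'
    ExcludeWUDriversInQualityUpdate = 1
}
Get-WufbFindings -Policy $SamplePolicy -Now ([datetime]'2024-03-01')
# Audit the local device: Get-WufbFindings
```

Running it against the sample reports the General Availability Channel, a quality pause that started 51 days earlier and has therefore expired, and excluded driver updates; on a real device the same function reads the live policy, which is a quick way to confirm that a ring's intended deferrals actually reached the endpoint.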

Peter van der Woude works as a mobility consultant and possesses extensive knowledge of ConfigMgr and Microsoft Intune tools. He is recognized as a Microsoft MVP and is regarded as a Windows expert.
