How to use Windows Update for Business with Group Policy
July 21, 2025
Windows administrators are acutely aware of the necessity to keep their Windows clients and services up-to-date with the latest security, performance, and feature enhancements. However, the ability to manage the timing and type of these updates is equally essential.
Standalone clients, designed for user convenience, offer limited control over updates. Even Windows Server Update Services (WSUS), while a staple for many IT teams, often falls short in providing the administrative efficiency that is increasingly required. This is where Windows Update for Business (WUfB) and Group Policy come into play, representing a modernized approach to update management from Microsoft.
3 approaches to manage Windows updates
Microsoft’s framework for delivering updates is robust, yet control on the client side can be somewhat lacking. Administrators typically have three primary methods to manage Windows updates:
Per-client updates: This is the default configuration for standalone or unmanaged enterprise clients. While it requires minimal administrative effort, it offers little in the way of control or customization.
Windows Server Update Services: Since its introduction in 2005, WSUS has been the go-to solution for centralized update management in enterprise settings. It allows for extensive control, including the ability to approve, block, and stage updates. However, it demands a greater administrative effort and is best suited for environments where bandwidth savings are a priority.
Windows Update for Business: WUfB merges the benefits of the first two approaches into a cloud-based model. Each client device connects directly to Microsoft for updates, while administrators can exercise greater control through standard configuration management tools like Group Policy and Mobile Device Management (MDM).
While third-party tools exist for managing Windows updates, staying within the Microsoft ecosystem often simplifies compatibility and licensing issues.
Windows Update for Business features and benefits
Windows Update for Business streamlines update management by leveraging familiar configuration service providers, offering a cloud-integrated approach that surpasses the older WSUS model. Key advantages include:
Policy-based management for Windows and Microsoft applications.
Granular control over update deployments.
Elimination of the need for an on-premises WSUS server.
Assurance that devices remain current with updates.
This new approach effectively reverses the initial benefits touted by WSUS, which aimed to minimize bandwidth usage through a single download process. Microsoft now focuses on reducing administrative burdens by allowing clients to download updates directly from the cloud, bypassing the need for dedicated WSUS servers.
Windows Update for Business prerequisites
To implement WUfB, organizations must ensure their environment meets specific requirements:
Operating system requirements:
Windows 10/11 Pro, Enterprise, or Team editions.
Device enrollment requirements:
Devices must be Azure AD-joined or Hybrid Azure AD-joined.
Enrolled in Intune MDM, if applicable.
Licensing requirements:
Microsoft 365 Business Premium.
Microsoft Enterprise Mobility + Security (EMS).
Intune.
Additionally, client devices must have network and internet access to receive policies and download updates. Administrators should possess the necessary privileges to configure Group Policy or manage Intune. It is also advisable to integrate clients with Log Analytics and connect them to Azure Monitor for comprehensive reporting on both Azure and on-premises systems. Notably, WUfB is intended for client management only; Windows Server editions require alternative update management solutions such as WSUS, Azure Automation Update Management, or Group Policy settings.
Group Policy templates for Windows Update for Business
Administrators can defer feature updates for the OS for up to 365 days. Quality updates — focusing on security patches — might be deferred up to 30 days.
Most administrators will likely manage Windows updates through Group Policy, a straightforward method for controlling Windows configurations. It is essential to download and install the latest Group Policy Administrative Templates for Windows 10 and 11, typically stored in a shared Central Store within Active Directory environments.
Organizing systems into servicing rings allows IT to effectively manage update deployments. Common choices for servicing rings include:
Testing ring: Immediate deployment for testing purposes.
Pilot ring: Delayed deployment for real-world testing.
Rollout ring: Approved updates for all devices.
Each ring can have distinct policies and schedules for phased rollouts, which can be created using the Intune administrative center.
Configure Windows Update for Business settings
With the latest Group Policy settings established, the next step is to configure client devices. Administrators must decide whether to utilize a single Group Policy Object (GPO) for all clients or create department-specific GPOs tailored to various Organizational Units (OUs). It is advisable to create GPOs that reflect the necessary deployment or servicing rings, such as Test, Pilot, and Rollout, and link these GPOs to the appropriate OUs.
Open the Group Policy Management Console.
Right-click the Group Policies node and create a new Group Policy Object for managing updates.
Navigate to the Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business node.
Configure all relevant policies, such as “Select when Preview Builds and Feature Updates are received,” and “Select when Quality Updates are received.”
Administrators can defer feature updates for up to 365 days and quality updates for up to 30 days, with the flexibility to pause updates or adjust deferment options at any time. Additionally, IT can manage restart policies and define active hours for updates.
Ensure that the GPO is linked to the appropriate domain or OU, and allow time for client devices to apply the policies. The gpresult command can be used to verify settings, while gpupdate /force can manually apply policy updates. Microsoft Intune MDM can also be utilized for more effective management of Windows-based mobile devices.
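The ring GPOs described above can also be built from PowerShell with the GroupPolicy module. This is an added example, not the author's or Microsoft's script: it writes the registry values behind the two deferral policies named in the steps, enforces the 365-day and 30-day ceilings, and links each GPO to its OU. The GPO names, deferral day counts per ring, and OU paths under example.com are assumptions to replace with your own.

```powershell
#Requires -Modules GroupPolicy
# Added example: ring names follow the article; day counts and OU paths are assumed.
$WuKey          = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$MaxFeatureDays = 365   # feature update deferral ceiling stated in the article
$MaxQualityDays = 30    # quality (security) update deferral ceiling stated in the article

$Rings = @(
    @{ Name = 'WUfB - Test';    FeatureDays = 0;  QualityDays = 0;  OU = 'OU=Test,OU=Workstations,DC=example,DC=com' }
    @{ Name = 'WUfB - Pilot';   FeatureDays = 30; QualityDays = 3;  OU = 'OU=Pilot,OU=Workstations,DC=example,DC=com' }
    @{ Name = 'WUfB - Rollout'; FeatureDays = 90; QualityDays = 10; OU = 'OU=Rollout,OU=Workstations,DC=example,DC=com' }
)

foreach ($ring in $Rings) {
    # Reject out-of-range deferrals before anything is written to the domain.
    if ($ring.FeatureDays -lt 0 -or $ring.FeatureDays -gt $MaxFeatureDays) {
        throw "$($ring.Name): feature deferral must be 0-$MaxFeatureDays days"
    }
    if ($ring.QualityDays -lt 0 -or $ring.QualityDays -gt $MaxQualityDays) {
        throw "$($ring.Name): quality deferral must be 0-$MaxQualityDays days"
    }

    # Create the GPO only if it does not exist, so the script can be re-run safely.
    $gpo = Get-GPO -Name $ring.Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $ring.Name -Comment 'Windows Update for Business servicing ring'
    }

    # Registry values set by "Select when Preview Builds and Feature Updates are
    # received" and "Select when Quality Updates are received".
    $values = [ordered]@{
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $ring.FeatureDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $ring.QualityDays
    }
    foreach ($name in $values.Keys) {
        Set-GPRegistryValue -Name $ring.Name -Key $WuKey -ValueName $name `
            -Type DWord -Value $values[$name] | Out-Null
    }

    # Link the GPO to its ring OU unless a link is already present.
    $linked = (Get-GPInheritance -Target $ring.OU).GpoLinks |
        Where-Object DisplayName -eq $ring.Name
    if (-not $linked) {
        New-GPLink -Name $ring.Name -Target $ring.OU -LinkEnabled Yes | Out-Null
    }
}

# On a client in the ring, after gpupdate /force, confirm what was applied:
#   gpresult /r /scope computer
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
```

The quality deferral value is the number of days a ring stays without a released security patch, so review it with the same care as any other exposure window.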
It is important to note that Active Directory Group Policy cannot manage updates for non-domain-joined devices or effectively handle non-Windows systems running Microsoft applications, necessitating alternative management strategies for those environments.
Manage Windows Update for Business reporting
Administrators have access to WUfB reports to monitor update statuses, which can be invaluable for troubleshooting devices that fail to receive expected updates. These reports are crucial for security audits and incident response, so it is advisable to configure them in advance through the Azure Portal, where initial reports may take up to 24 hours to generate.
To access the reports, navigate to the Azure Portal and browse to the Windows Update for Business Log Analytics workspace for compliance and update details.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has authored multiple CompTIA study guides and contributes extensively to Informa TechTarget, The New Stack, and CompTIA Blogs.