How to optimize Windows Update for Business policies

Not all Windows updates are the same, so IT needs to make the most of Windows Update for Business to deliver the ideal updates to the desired endpoints on time.

The move to cloud-native endpoint management has a significant effect on numerous management aspects of Windows devices, including managing Windows Update.

IT administrators have to rely on the Windows Update services to keep their organization's devices up to date with the latest security updates and Windows features. To assist IT administrators with controls, Microsoft introduced the free Windows Update for Business.

IT administrators can use Group Policy or MDM policies to configure the different Windows Update for Business settings that can be used to control the update policies of Windows devices. That provides organizations with more control over the security updates and Windows features that are available for their devices. But IT needs to know which policies to apply to which desktops.

What is the best approach for managing monthly updates?

When admins service Windows devices, the best approach is to use servicing rings -- also known as update rings. IT can use servicing rings to provide access to the latest security updates and Windows features in a controlled manner. It provides organizations with control over many aspects of the update process.

Servicing rings function by grouping Windows devices, and each servicing ring contains its own update cadence and policy targeted at a specific group of Windows devices. The key part of that is the update deferral and installation deadline configuration. Admins can use those configurations to determine when Windows devices will receive the latest updates and when those devices will install the updates. That provides IT administrators with the tools to gradually introduce the latest updates within the organization and prioritize stability where it is needed most.

By using multiple servicing rings, IT administrators can group the devices within the organization into different update waves. That allows the organization to first run pilot and test groups of Windows devices with the latest updates. If something breaks, the IT administrator can still hit the figurative pause button to prevent the whole organization from receiving the breaking updates. That provides the IT administrator with the required tool set to gradually introduce the latest updates within the organization without causing too much downtime.

Servicing rings are the minimal requirement for every IT administrator to introduce the latest security and feature updates and make sure that the Windows devices within the organization are up to date.

What are the most important settings for Windows Update for Business?

Servicing rings in Windows Update for Business can soften the negative effects of the latest updates while still providing a framework to update Windows systems in a relatively quick time frame. While servicing rings are the most commonly cited configuration, there are many other important settings that IT can use to optimize both the update strategy and the end-user experience.

Update channels Windows Update for Business can manage

The first thing that any configuration should start with is the desired update channel. There are currently only three update channels available, and one of them is even part of a separate installation of Windows.

  • General Availability Channel. This channel receives feature updates as soon as those updates are available and is aimed at the average user and Windows device.
  • Long-Term Servicing Channel (LTSC). This channel is more static and only receives a feature update release once every two or three years and is aimed at specialized devices that prioritize stability over everything else.
  • Windows Insider Program. This program provides the opportunity to test feature updates early before their general availability date. Organizations can choose between Canary Channel, Dev Channel, Beta Channel and Release Preview Channel, and use this access to test the update with dedicated testing OSes.

The setting for controlling the update channel is the Select when Preview Builds and Feature Updates are received Group Policy Object (GPO) setting and the BranchReadinessLevel setting in MDM, which has a different value for every channel. The only exception is LTSC, as that channel should only be used for specialized devices such as ATMs, and it requires separate Windows installation.

A graphic showing how Group Policy Objects deliver settings to users and their devices.

Besides that, the IT administrator might also want to prevent users from enabling or disabling the installation of preview builds on their Windows devices themselves. That can help with controlling the user experience and ensuring that users' devices perform as expected. IT can achieve this by using the Manage preview builds GPO setting and the ManagePreviewBuilds setting in MDM.

Update release types that Windows Update for Business can manage

After determining the update channel that's being used for the different Windows devices, another important configuration is how to deploy the different update release types. There are only two release types available for Windows devices:

  • Quality updates. These are monthly updates that become available every second Tuesday of the month -- known as Patch Tuesday. Those updates provide security and reliability fixes and often add new functionalities to Windows systems. The most important setting for managing quality updates is to configure when devices should receive those updates. IT can control these by using the Select when Quality Updates are received GPO setting and the DeferQualityUpdatesPeriodInDays setting in MDM, with a value of up to 30 days.
  • Feature updates. These updates are the yearly updates that introduce a new Windows version, such as Windows 11 version 24. Those updates provide new features, functionalities and aggregations of the previous quality updates. The most important setting for managing feature updates is to configure when devices should receive those updates. That can be controlled by using the Select when feature updates are received GPO setting and the DeferFeatureUpdatesPeriodInDays setting in MDM, with a value of up to 365 days.

If needed, IT can temporarily pause each update release type for up to 35 days. In Group Policy, the pause option is part of the same Select when ... are received settings that control deferral. Admins that use MDM set the PauseFeatureUpdatesStartTime setting for feature updates and the PauseQualityUpdatesStartTime setting for quality updates to the date on which the pause should begin.

How Windows Update for Business can manage driver updates

Device driver updates are also an important part of modern Windows Update as hardware vendors have largely shifted to this distribution model. That's, of course, a good thing as it makes it easier to keep hardware drivers up to date. However, sometimes admins need a bit more control.

Admins can enable or disable the driver updates that are part of the monthly quality updates via the Do not include drivers with Windows Updates GPO setting and the ExcludeWUDriversInQualityUpdate MDM setting. This behavior does not apply to drivers provided with the OS.

Manage optional updates via Windows Update for Business

Another interesting configuration for IT to consider is managing optional updates that become available via Windows Update. Those updates are released every fourth Tuesday of the month and provide new feature and nonsecurity updates. These updates are often referred to as optional nonsecurity preview releases and IT can control them by using the Enable optional updates GPO setting and the AllowOptionalContent MDM setting.
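The servicing-ring approach and the channel, deferral, pause, driver and optional-update settings described above, pulled together in one added PowerShell example that is not part of the article. It writes the Group Policy registry location for Windows Update (HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) on a domain-style device; the ring names, deferral days and the Set-WufbRing/Get-WufbRing function names are constructed for the example, and the registry value names are assumed to match the ADMX/CSP settings named in the article, so check them against your policy reference before use.

```powershell
# Added example (not from the article): three constructed servicing rings applied
# through the registry location that Group Policy uses for Windows Update.
# Requires an elevated session. MDM-managed devices receive these values from
# the management service instead; this script mirrors the GPO side only.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring definitions (constructed sample values): deferral in days per release type.
# Quality updates allow at most 30 days, feature updates at most 365 days.
$Rings = @{
    Pilot    = @{ QualityDeferDays = 0;  FeatureDeferDays = 0;   ExcludeDrivers = 0 }
    Broad    = @{ QualityDeferDays = 7;  FeatureDeferDays = 60;  ExcludeDrivers = 0 }
    Critical = @{ QualityDeferDays = 14; FeatureDeferDays = 180; ExcludeDrivers = 1 }
}

function Set-WufbRing {
    param([Parameter(Mandatory)][string]$Name, [datetime]$PauseStart)
    $r = $Rings[$Name]
    if (-not $r) { throw "Unknown ring '$Name'" }
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }

    # General Availability Channel (BranchReadinessLevel 16) and block users from
    # opting devices into Insider preview builds (ManagePreviewBuilds enabled, value 0).
    Set-ItemProperty $PolicyPath BranchReadinessLevel 16 -Type DWord
    Set-ItemProperty $PolicyPath ManagePreviewBuilds 1 -Type DWord
    Set-ItemProperty $PolicyPath ManagePreviewBuildsPolicyValue 0 -Type DWord

    # Deferral per release type, clamped to the documented maximums.
    Set-ItemProperty $PolicyPath DeferQualityUpdates 1 -Type DWord
    Set-ItemProperty $PolicyPath DeferQualityUpdatesPeriodInDays ([Math]::Min($r.QualityDeferDays, 30)) -Type DWord
    Set-ItemProperty $PolicyPath DeferFeatureUpdates 1 -Type DWord
    Set-ItemProperty $PolicyPath DeferFeatureUpdatesPeriodInDays ([Math]::Min($r.FeatureDeferDays, 365)) -Type DWord

    # Drivers: 1 excludes vendor drivers from the monthly quality update.
    Set-ItemProperty $PolicyPath ExcludeWUDriversInQualityUpdate $r.ExcludeDrivers -Type DWord

    # Pause (up to 35 days from the start date) only when a start date is supplied;
    # otherwise clear any earlier pause so the ring resumes its normal cadence.
    if ($PauseStart) {
        $d = $PauseStart.ToString('yyyy-MM-dd')
        Set-ItemProperty $PolicyPath PauseFeatureUpdatesStartTime $d -Type String
        Set-ItemProperty $PolicyPath PauseQualityUpdatesStartTime $d -Type String
    } else {
        Remove-ItemProperty $PolicyPath PauseFeatureUpdatesStartTime, PauseQualityUpdatesStartTime -ErrorAction SilentlyContinue
    }
}

function Get-WufbRing {   # read the effective ring values back for auditing
    Get-ItemProperty $PolicyPath | Select-Object BranchReadinessLevel, DeferQualityUpdatesPeriodInDays,
        DeferFeatureUpdatesPeriodInDays, PauseQualityUpdatesStartTime, PauseFeatureUpdatesStartTime,
        ExcludeWUDriversInQualityUpdate
}

Set-WufbRing -Name Broad          # e.g. Set-WufbRing -Name Broad -PauseStart (Get-Date) to pause
Get-WufbRing
```

The AllowOptionalContent value for the Enable optional updates policy is intentionally left out of the ring table because its numeric options depend on the ADMX version in use; add it to each ring once you have confirmed the option values for your environment.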

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert.
