Windows Update for Business Updated
Windows Update is often a pain point, both for administrators to configure and for users to experience.
Over the years multiple OS versions have shipped, and layers of settings have been added, replaced and left to interact with each other.
Adding to that, Windows moved from Group Policy management to Configuration Service Provider (CSP) management, the API backend of the MDM layer in Windows.
And the MDM layer itself originally came from the Windows Mobile side.
So it is understandable that it is a bit of a mess.
Fortunately, Aria Carley, Senior Program Manager for Windows Update at Microsoft, has published an updated list of the policies to use and not to use. One highlight of that article is that RequireUpdateApproval is not supported by Microsoft, so you have been warned.
The settings covered in this article fall into five main areas: Active Hours, Defer, Deadlines, Notifications and Extra.
Detection Frequency
Before looking at each configuration area, the first thing to know about Windows Update for Business is the detection frequency, that is, how often the device scans for updates.
Detection of new updates runs every 22 hours, plus or minus a random offset of up to 4 hours.
This means a scan can occur as early as 18 hours and as late as 26 hours after the previous one.
There is a CSP (Update/DetectionFrequency) to configure that frequency; however, it is not supported for Windows Update for Business.
Active Hours
Active Hours are the hours during which the user is expected to be working and must not be disturbed; no restart happens during that period.
However, once a configured compliance deadline is overdue, Active Hours are ignored.
Configuration
- Start and end in 24-hour format (0-23)
- Window of 18 hours maximum (the maximum range itself can be configured)
CSPs
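The window arithmetic above is where configuration mistakes usually happen: a window such as 22 to 6 crosses midnight, and a window that is too wide leaves Windows Update almost no slot in which to restart. The following PowerShell is an added example, not code from the article or from Microsoft. It validates a proposed window, tests whether a given time falls inside it, and optionally writes the values the Group Policy equivalent uses. The registry path, the value names (SetActiveHours, ActiveHoursStart, ActiveHoursEnd) and the 8 to 18 hour bound on the maximum range are assumptions for illustration; confirm them against your own policy templates before using them.

```powershell
# Added example: validate an Active Hours window, including the wrap-around-midnight
# case, and test whether a given time falls inside it.
# Registry path, value names and the 8-18 hour bound on MaxRange are assumptions.

$WuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-ActiveHoursSpan {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$Start,
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$End
    )
    # 22 -> 6 crosses midnight; modulo 24 yields its real length of 8 hours
    return (($End - $Start) + 24) % 24
}

function Test-ActiveHoursWindow {
    param(
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$End,
        [ValidateRange(8, 18)][int]$MaxRange = 18
    )
    $span = Get-ActiveHoursSpan -Start $Start -End $End
    if ($span -eq 0) {
        throw 'Start and end must differ; a full-day window would never allow a restart.'
    }
    if ($span -gt $MaxRange) {
        throw "Window of $span h exceeds the $MaxRange h maximum; restarts would be squeezed into too small a slot."
    }
    return $span
}

function Test-InActiveHours {
    param([int]$Start, [int]$End, [datetime]$At = (Get-Date))
    $h = $At.Hour
    if ($Start -lt $End) { return ($h -ge $Start -and $h -lt $End) }
    # wrap-around, e.g. 22 -> 6 covers hours 22..23 and 0..5
    return ($h -ge $Start -or $h -lt $End)
}

function Set-ActiveHoursPolicy {
    param([int]$Start, [int]$End, [switch]$Apply)
    $span = Test-ActiveHoursWindow -Start $Start -End $End
    if ($Apply) {
        New-Item -Path $WuPolicyPath -Force | Out-Null
        Set-ItemProperty -Path $WuPolicyPath -Name 'SetActiveHours'   -Value 1      -Type DWord
        Set-ItemProperty -Path $WuPolicyPath -Name 'ActiveHoursStart' -Value $Start -Type DWord
        Set-ItemProperty -Path $WuPolicyPath -Name 'ActiveHoursEnd'   -Value $End   -Type DWord
    }
    return "Active hours $Start-$End ($span h); restarts possible during the remaining $(24 - $span) h"
}

# Night-shift window crossing midnight (dry run, no registry write without -Apply)
Set-ActiveHoursPolicy -Start 22 -End 6
Test-InActiveHours -Start 22 -End 6 -At ([datetime]'2021-03-01 03:30')
Test-InActiveHours -Start 22 -End 6 -At ([datetime]'2021-03-01 12:00')
# A 20-hour window (6 -> 2) is rejected
try { Set-ActiveHoursPolicy -Start 6 -End 2 } catch { Write-Warning $_ }
```

Run the dry run first; add `-Apply` only on a test device, and remember that a value pushed through MDM lands in the PolicyManager hive rather than in the Group Policy path used here.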
Defer
Defer delays the availability of an update: it sets the number of days after Microsoft's release date before the update is offered to the device for installation.
This is the setting used to create the well-known deployment rings that roll updates across the organization in waves. Quality updates and feature updates each have their own setting and timeframe, which allows flexibility.
Configuration
- Quality Update: Specify the number of days between 0 days and 30 days
- Feature Update: Specify the number of days between 0 days and 365 days
Note: for quality updates, a deferral of more than 27 days may cause problems, because each new cumulative update supersedes the previous one.
For example, February has fewer than 30 days, so with a 30-day deferral the February cumulative update is superseded by the March one before it ever becomes available and is never installed; the March update is then installed after its own 30 days, provided the April cumulative update has not been released before that.
CSPs
Deadlines
Deadlines enforce compliance on update installation and restart according to the organization's security expectations.
The different deadlines add up, on top of the deferral, so to meet the security policy each setting must be tuned to the level required.
Update Installation
When this deadline is reached, the installation is forced automatically. If the value is not kept low you could have machines installing up to 30 days after the update becomes available (on top of any deferral), so you may want a lower value for quality updates, while feature updates can be given more flexibility.
Default (quality and feature): 7 days
Configuration
- Quality Update: Specify the number of days between 0 (as soon as available) and 30 days
- Feature Update: Specify the number of days between 0 (as soon as available) and 30 days
CSPs
Restart Grace Period
Once the update is installed, the grace period starts. During this period no automatic restart is enforced, which gives the user the opportunity to restart on their own terms. Windows Update will still attempt to restart outside Active Hours unless "No Auto Reboot" is configured (see below).
Default (not configured): no enforced restart during the 2 days after installation.
Configuration
- Specify the number of days between 0 and 7 days
- Separate settings for quality and feature updates
CSPs
No Auto Reboot
Waits until the configured deadline and grace period have expired before attempting any automatic restart, which avoids automatic restarts outside Active Hours before that point.
Default: Disabled
Configuration
- Enabled: waits for the deadline and grace period to expire before any automatic restart.
- Disabled: attempts to restart as soon as installation is finished, outside Active Hours.
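Because deferral, installation deadline and grace period stack, the only number that matters for a security baseline is how long a device can remain unpatched after Patch Tuesday. The following PowerShell is an added example (not code from the article or from Microsoft) that works out that timeline for each ring described in the Defer and Deadlines sections above, and flags the supersedence trap of a quality deferral longer than the gap to the next Patch Tuesday. It assumes Patch Tuesday is the second Tuesday of the month and that the deadline countdown starts when the update becomes available after deferral; ring names and values are constructed for illustration.

```powershell
# Added example: compute the exposure window of a deployment ring from its
# defer / deadline / grace settings and detect when a long quality deferral
# means the cumulative update is superseded before it is ever offered.
# Assumes Patch Tuesday = second Tuesday of the month.

function Get-SecondTuesday {
    param([Parameter(Mandatory)][int]$Year, [Parameter(Mandatory)][int]$Month)
    $first  = [datetime]::new($Year, $Month, 1)
    # days from the 1st to the first Tuesday, then one more week
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-RingTimeline {
    param(
        [Parameter(Mandatory)][string]$Ring,
        [Parameter(Mandatory)][datetime]$Release,       # Patch Tuesday of the update
        [ValidateRange(0, 30)][int]$DeferDays    = 0,    # Update/DeferQualityUpdatesPeriodInDays
        [ValidateRange(0, 30)][int]$DeadlineDays = 7,    # installation deadline
        [ValidateRange(0, 7)][int]$GraceDays     = 2,    # restart grace period
        [bool]$NoAutoReboot = $false
    )
    $available = $Release.AddDays($DeferDays)
    $installBy = $available.AddDays($DeadlineDays)
    $restartBy = $installBy.AddDays($GraceDays)

    # next month's cumulative update supersedes this one the day it ships
    $next        = $Release.AddMonths(1)
    $nextRelease = Get-SecondTuesday -Year $next.Year -Month $next.Month

    [pscustomobject]@{
        Ring           = $Ring
        Released       = $Release.ToString('yyyy-MM-dd')
        Available      = $available.ToString('yyyy-MM-dd')
        InstallBy      = $installBy.ToString('yyyy-MM-dd')
        RestartBy      = $restartBy.ToString('yyyy-MM-dd')
        MaxDaysExposed = ($restartBy - $Release).Days
        # true: the next CU ships before this one is offered, so this CU is skipped
        Superseded     = ($nextRelease -le $available)
        # with NoAutoReboot disabled, restarts are attempted outside Active Hours before RestartBy
        EarlyRestartsPossible = -not $NoAutoReboot
    }
}

# Constructed rings against the February 2021 Patch Tuesday (9 Feb; March's is 9 Mar, 28 days later)
$release = Get-SecondTuesday -Year 2021 -Month 2
$rings = @(
    Get-RingTimeline -Ring 'Pilot'   -Release $release -DeferDays 0  -DeadlineDays 2 -GraceDays 1
    Get-RingTimeline -Ring 'Broad'   -Release $release -DeferDays 7  -DeadlineDays 5 -GraceDays 2
    Get-RingTimeline -Ring 'TooSlow' -Release $release -DeferDays 30 -DeadlineDays 7 -GraceDays 2 -NoAutoReboot $true
)
$rings | Format-Table -AutoSize
```

The 'TooSlow' ring shows the 27-day problem from the Defer section: with a 30-day deferral the February update only becomes available on 11 March, two days after the March cumulative update has replaced it, so the device never installs February's fixes at all. Compare MaxDaysExposed across rings against the patch window your security policy tolerates, not the deadline value alone.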
CSPs
Notifications
Configures how much of the Windows Update notification flow the user sees.
Default: Display all Windows Update notifications
Configuration
- Display all Windows Update notifications
- Turn off all notifications, excluding restart warnings
- Turn off all notifications, including restart warnings
CSPs
Extra
Pause Updates
Even while deploying updates automatically and enforcing deadlines, we sometimes need to pause the update process, because of a bad update or an interaction with software that needs to be updated before the update is released to a wider audience.
This is achieved with the Pause mechanism, which holds any new deployment until the pause is removed, for up to 35 days.
CSPs
- Update/PauseFeatureUpdates
- Update/PauseFeatureUpdatesStartTime
- Update/PauseQualityUpdates
- Update/PauseQualityUpdatesStartTime
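A pause that nobody remembers to lift silently expires after 35 days, and an unsupported policy such as RequireUpdateApproval can sit in the MDM hive without anyone noticing. The following PowerShell is an added example (not code from the article or from Microsoft) that audits a device's effective Windows Update for Business settings against the points made in this article: unsupported policies, a quality deferral above 27 days, a missing or lax installation deadline, pause age, and notifications silenced including restart warnings. The registry path under PolicyManager, the use of the Update CSP leaf names as value names, the 0/1/2 mapping of UpdateNotificationLevel and the 7-day deadline baseline are assumptions for illustration; the sample settings are constructed, not read from a real device.

```powershell
# Added example: audit effective Windows Update for Business settings.
# Registry path and value names (Update CSP leaf names in the PolicyManager
# hive) are assumptions; adjust for your estate. Sample data is constructed.

$MdmUpdatePath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-EffectiveUpdatePolicy {
    param([string]$Path = $MdmUpdatePath)
    $settings = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $settings[$p.Name] = $p.Value }   # drop PSPath etc.
        }
    }
    return $settings
}

function Test-UpdatePolicyCompliance {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [int]$MaxQualityDeadlineDays = 7,        # assumed organizational baseline
        [datetime]$Now = (Get-Date)
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Policies not supported with Windows Update for Business
    foreach ($name in 'RequireUpdateApproval', 'DetectionFrequency') {
        if ($Settings.ContainsKey($name)) { $findings.Add("$name is set but unsupported for WUfB; remove it.") }
    }

    # 2. Quality deferral above 27 days risks skipping a whole cumulative update
    if ($Settings.ContainsKey('DeferQualityUpdatesPeriodInDays') -and
        [int]$Settings['DeferQualityUpdatesPeriodInDays'] -gt 27) {
        $findings.Add("DeferQualityUpdatesPeriodInDays=$($Settings['DeferQualityUpdatesPeriodInDays']) exceeds 27 days.")
    }

    # 3. Installation deadline for quality updates must exist and stay within the baseline
    if (-not $Settings.ContainsKey('ConfigureDeadlineForQualityUpdates')) {
        $findings.Add('No quality update deadline configured; unpatched machines are never forced to install.')
    } elseif ([int]$Settings['ConfigureDeadlineForQualityUpdates'] -gt $MaxQualityDeadlineDays) {
        $findings.Add("ConfigureDeadlineForQualityUpdates=$($Settings['ConfigureDeadlineForQualityUpdates']) is above the $MaxQualityDeadlineDays-day baseline.")
    }

    # 4. A pause expires after 35 days; a stale start time means updates are flowing again
    foreach ($name in 'PauseQualityUpdatesStartTime', 'PauseFeatureUpdatesStartTime') {
        if ($Settings.ContainsKey($name)) {
            $start = [datetime]::Parse($Settings[$name], [cultureinfo]::InvariantCulture)
            $age   = ($Now - $start).Days
            if ($age -gt 35) { $findings.Add("$name is $age days old; the pause has expired and updates resumed.") }
            else             { $findings.Add("$name is active; it expires in $(35 - $age) days unless removed.") }
        }
    }

    # 5. Level 2 (assumed mapping) hides restart warnings: users get no notice before a forced restart
    if ($Settings.ContainsKey('UpdateNotificationLevel') -and [int]$Settings['UpdateNotificationLevel'] -eq 2) {
        $findings.Add('UpdateNotificationLevel=2 suppresses restart warnings; expect data-loss complaints at deadline.')
    }
    return $findings
}

# Constructed sample (not from a real device): one finding per check above
$sample = @{
    DeferQualityUpdatesPeriodInDays    = 30
    ConfigureDeadlineForQualityUpdates = 7
    RequireUpdateApproval              = 1
    PauseQualityUpdatesStartTime       = '2021-01-05'
    UpdateNotificationLevel            = 2
}
Test-UpdatePolicyCompliance -Settings $sample -Now ([datetime]'2021-03-01')

# On a live device:
# Test-UpdatePolicyCompliance -Settings (Get-EffectiveUpdatePolicy)
```

Run it read-only from a compliance script or a remediation detection rule; the function only reports, it changes nothing. Extend the checks with the feature update equivalents (ConfigureDeadlineForFeatureUpdates, DeferFeatureUpdatesPeriodInDays) using the same pattern.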
Feature Update specifics
Feature updates are an upgrade either to a new OS (Windows 10 to Windows 11) or to a new build level (such as 20H2 to 21H1).
While deferral controls when the update becomes available, an organization may also want to control which version is installed, since a new version can impact business software that then requires an update from its vendor.
For that purpose there are two settings:
- Product Version: dictates the target OS: Windows 10 or Windows 11
- Target Release Version: dictates the OS build level: 2004, 20H2 (2009), 21H1, 21H2, ...
When configured, these settings restrict the feature update offered to the designated version. An organization can decide to allow only 21H1 while 21H2 is already available and the estate is currently on 2004; the machines will upgrade directly to 21H1, skipping 20H2.
CSPs
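Pinning a target version is easy to get wrong in the other direction: a target older than the build already running is silently never offered, and version strings mix two formats (2004 versus 20H2). The following PowerShell is an added example, not code from the article or from Microsoft, that normalizes both formats, refuses a downgrade target, reports whether intermediate releases are skipped, and optionally writes the values the Group Policy equivalent uses. The registry paths and value names (ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo, DisplayVersion, ReleaseId) are assumptions for illustration; the dry-run current version is constructed.

```powershell
# Added example: pin the feature update target with a downgrade guard.
# Registry paths and value names are assumptions; confirm against your policy templates.

$WuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function ConvertTo-ReleaseOrdinal {
    # '2004' -> 41, '20H2' (alias 2009) -> 42, '21H1' -> 43, '21H2' -> 44: consecutive numbers
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -match '^(\d{2})H([12])$') {
        return [int]$Matches[1] * 2 + [int]$Matches[2]
    }
    if ($Version -match '^(\d{2})(\d{2})$') {
        # yymm format: 1909 -> 19 H2, 2004 -> 20 H1
        $half = if ([int]$Matches[2] -le 6) { 1 } else { 2 }
        return [int]$Matches[1] * 2 + $half
    }
    throw "Unrecognised release version '$Version'"
}

function Get-CurrentReleaseVersion {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion exists from 20H2 onward; older builds only carry ReleaseId (e.g. 2004)
    if ($cv.DisplayVersion) { return $cv.DisplayVersion } else { return $cv.ReleaseId }
}

function Set-FeatureUpdateTarget {
    param(
        [Parameter(Mandatory)][ValidateSet('Windows 10', 'Windows 11')][string]$ProductVersion,
        [Parameter(Mandatory)][string]$TargetVersion,
        [string]$CurrentVersion = (Get-CurrentReleaseVersion),
        [switch]$Apply
    )
    $target  = ConvertTo-ReleaseOrdinal $TargetVersion
    $current = ConvertTo-ReleaseOrdinal $CurrentVersion
    if ($target -lt $current) {
        throw "Target $TargetVersion is older than the running $CurrentVersion; the device would never be offered it."
    }
    $plan = [pscustomobject]@{
        ProductVersion           = $ProductVersion
        TargetReleaseVersion     = 1
        TargetReleaseVersionInfo = $TargetVersion
        # e.g. 2004 -> 21H1 skips 20H2 entirely
        SkipsIntermediate        = ($target - $current) -gt 1
    }
    if ($Apply) {
        New-Item -Path $WuPolicyPath -Force | Out-Null
        Set-ItemProperty -Path $WuPolicyPath -Name 'ProductVersion'           -Value $ProductVersion -Type String
        Set-ItemProperty -Path $WuPolicyPath -Name 'TargetReleaseVersion'     -Value 1               -Type DWord
        Set-ItemProperty -Path $WuPolicyPath -Name 'TargetReleaseVersionInfo' -Value $TargetVersion  -Type String
    }
    return $plan
}

# Dry run with a constructed current version (no registry write): estate on 2004, target 21H1
Set-FeatureUpdateTarget -ProductVersion 'Windows 10' -TargetVersion '21H1' -CurrentVersion '2004'
# Rejected: target older than the running build
try { Set-FeatureUpdateTarget -ProductVersion 'Windows 10' -TargetVersion '1909' -CurrentVersion '20H2' } catch { Write-Warning $_ }
```

Keep the pin under change control: once the pinned version reaches end of servicing the device receives no further feature update until the value is moved forward, which is the opposite of the outcome the deadline settings are meant to guarantee.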
UX Specifics
To meet security requirements it is sometimes necessary to block parts of the Windows Update UI.
Disable Pause removes the user's ability to pause updates for 7 days.
Disable WU Access removes access to the scan, download and install buttons as well as the pause updates button.
CSPs
Scheduled Maintenance
Some use cases require more control and precision over when installation happens. This is particularly true for special-purpose devices such as kiosks, ATMs, POS terminals and medical devices.
These settings allow fine granularity by specifying the time, the day, the week(s) of the month and the frequency of the update installation.
CSPs
- Update/ScheduledInstallDay
- Update/ScheduledInstallTime
- Update/ScheduledInstallEveryWeek
- Update/ScheduledInstallFirstWeek
- Update/ScheduledInstallSecondWeek
- Update/ScheduledInstallThirdWeek
- Update/ScheduledInstallFourthWeek
vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.