Windows Update for Business

Windows Update for Business

Windows Update for Business

Windows Update for Business allows you to perform maintenance on Windows devices. The post has the latest security features. Updates are retrieved directly from Windows Update Service. The different Windows 10 and Windows 11 workstations can be configured using a group policy or via Microsoft Endpoint Manager (MEM)

With Windows Update for Business, the IT department no longer needs to manage the approval of updates. The workstations automatically retrieve the patches from the Microsoft servers. However, it is possible via GPO settings or via the MDM to manage the behavior of the equipment when the update is received.

Updates managed by WuFB

Windows Update for Business has the ability to manage several types of patches.

  • Feature updates : Feature updates contain security updates, quality updates and important feature changes. They were also called upgrades
  • Quality updates : This type of update concerns the traditional patches of the operating system. They are usually released on the second Tuesday of each month. Security updates, critical updates and driver updates are included in this type of update. It is possible with Windows Update for Business to manage non-Windows updates (Office, Visual Studio, etc.), which are included in Microsoft Updates.
  • Driver updates: This category of update is for non-Microsoft drivers. Activated by default, it is possible to deactivate them through Windows Update for Business.
  • Microsoft product updates: This category includes updates for other Microsoft products (Office for example). Only the versions installed with Windows Installer (MSI) are concerned. Click-to-run versions cannot be updated using Windows Update for Business. Disabled by default, Microsoft product updates can be activated using Windows Update for Business.

Defer an update

If you need more time for validate an update or if the installation of the update causes problems, you can defer the installation of update. You can define the number of daythat you want defer the update. The list below references the maximum number of days per update category.

  • Feature updates : 365 days
  • Quality updates : 30 days

If a problem is discover during deployment of update, you can pause the deployment for 35 days.

Configure Windows Update for Business

Windows Update for Business can be configured by

  • Group Policy Object
  • MDM – Microsoft Intune

Configure WUfB by Group Policy

We will see in this part how I can configure WUfB by group policy. In domain controller, open Group Policy Management console and right click on Group Policy Object. Enter the name of the GPO and click on OK.

Windows Update for Business - Create GPO

Right click on the GPO previously created and select Edit. The Group Policy

Windows Update for Business - Create GPO

Expand Computer configuration / Administrative Templates / Windows Components / Windows Update / Windows Update for Business. Few parameters are available, configure the desired parameters. Depending on the ADMX version, additional parameters may be present.

Windows Update for Business - Configure GPO parameters

Select when preview builds and feature updates are received. This parameter permit to configure when the feature builds and the preview builds are receving by the computer. The registry key Software \ Policies \ Microsoft \ Windows \ WindowsUpdate \ BranchReadinessLevel is configured.

Windows Update for Business - Configure GPO parameters
Windows Update for Business - The parameter is been configured

Select when Quality updates are received. This parameter permit to configure when the Quality updates are receving by the computer. The registry key Software \ Policies \ Microsoft \ Windows \ WindowsUpdate \ DeferQualityUpdates is configured.

Windows Update for Business - Configure GPO parameters
Windows Update for Business - Registry key is been configured

Disable Safeguards for feature update. This parameter must be enabled if there are known compatibility issues that block the upgrade from being deployed. When you enable this policy you can allow to deploy the Feature Update to devices without blocking on safeguard holds.The registry key Software \ Policies \ Microsoft \ Windows \ WindowsUpdate \ DisableWUfBSafeguards is configured.

Windows Update for Business - Configure GPO parameters
Registry key is been configured

Disable Safeguards for feature update. This parameter permit to configure how and when Windows 10 Insider Preview Builds are installed on devices.The registry key Software\Policies\Microsoft\Windows\WindowsUpdate is configured.

Windows Update for Business - Configure GPO parameters

Select the target feature Update version. This parameter permit to configure the desired version of Windows for the devies. The following URL can be used to get the version number here.The registry key Software \ Policies \ Microsoft \Windows \ WindowsUpdate \ TargetReleaseVersion is configured.

Windows Update for Business - Create GPO

Apply the polivy to the desired device. I use an AD Security group to apply the strategy only to the desired computer

Apply group policy to the device

Configure WUfB avec Intune

Windows Update For Business can be configured by MEM ( Microsoft Endpoint Manager – Microsoft Intune). The policy is applied on Windows 10 devices enrolled. it’s possible to limit the deployment of the policy by

  • Azure AD Groups for devices enrolled with Azure AD Join.
  • Azure AD Groups or Active Directory computer groups for devices enrolled with Hybrid AD Join.

From the Microsoft Endpont Manager portal, click on Devices then on Update rings for Windows 10 and later.

Select update rings for windows 10 and later

Click on Create Profile for configure new profile.

Configure new profile

Enter the name of the ring and click on Next.

Enter the name of the profile

Configure the parameters as you want and click on Next.

Microsoft product updates : This parameter permit to scan for application updates from Microsoft WIndows Update.

Windows drivers : Permit to download non microsoft drivers from Windows Update.

Configure if Microsoft product and drivers has been downloaded from windows update

Configure the desired period for the Quality update and the Feature update. It’s possible to upgrade the device with the last release of Windows 11. This option is disabled by default.

Configure Quality update and feature update

Set feature update uninstall period : This option permit to determine the desired period for uninstall feature update. After this pediod expired, the previous update is removed to the computer and the rollback is impossible.

Configure the period for feature update uninstall

Enable pre-release builds : When this parameter is enabled, the device receive pre-release build selected. Three choice is available (Windows Insider, Beta Channel, Dev Channel).

Select the desired pre-release channel

User experience settings : With this few parameters, the user experience can be configured.

  • Automatic update behavior : Configure behavior for automatic installation of updates (install update and reboot computer).
  • Active hours start : Configure hour where the reboot is suppress.
  • Active hours end: indicates hour from which the devices is allowed to restart.
  • Restart checks : Different checks are performed before restart the device (Battery level is equal to at least 40%, user present, presentation mode.
  • Option to pause Windows updates : If this option is enabled, users can pause the installation of updates on his workstation.
  • Option to check for Windows updates : If this option is enabled, users can check updates on his workstation.
  • Change notification update level : Permit to configure the desired level for the notification.
  • Use deadline settings : This settings permit to allow user to use deadline for install updates.
Configure User Experience

Click on Next after configuring the parameters and select the desired groups. I have created an Azure AD Groups with my Windows 10 devices.

Assign policy to the group

Profile is now been created.

Profile is now been created

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.