Windows Update for Business
Windows Update for Business allows you to perform maintenance on Windows devices so that each workstation has the latest security features. Updates are retrieved directly from the Windows Update service. Windows 10 and Windows 11 workstations can be configured using a group policy or via Microsoft Endpoint Manager (MEM).
With Windows Update for Business, the IT department no longer needs to manage the approval of updates. The workstations automatically retrieve the patches from the Microsoft servers. However, it is possible via GPO settings or via the MDM to manage the behavior of the equipment when the update is received.
Updates managed by WuFB
Windows Update for Business has the ability to manage several types of patches.
- Feature updates : Feature updates contain security updates, quality updates and important feature changes. They were also called upgrades.
- Quality updates : This type of update concerns the traditional patches of the operating system. They are usually released on the second Tuesday of each month. Security updates, critical updates and driver updates are included in this type of update. It is possible with Windows Update for Business to manage non-Windows updates (Office, Visual Studio, etc.), which are included in Microsoft Updates.
- Driver updates: This category of update is for non-Microsoft drivers. Activated by default, it is possible to deactivate them through Windows Update for Business.
- Microsoft product updates: This category includes updates for other Microsoft products (Office for example). Only the versions installed with Windows Installer (MSI) are concerned. Click-to-run versions cannot be updated using Windows Update for Business. Disabled by default, Microsoft product updates can be activated using Windows Update for Business.
Defer an update
If you need more time to validate an update, or if installing the update causes problems, you can defer its installation. You can define the number of days by which you want to defer the update. The list below gives the maximum number of days per update category.
- Feature updates : 365 days
- Quality updates : 30 days
If a problem is discovered during the deployment of an update, you can pause the deployment for 35 days.
Configure Windows Update for Business
Windows Update for Business can be configured by:
- Group Policy Object
- MDM – Microsoft Intune
Configure WUfB by Group Policy
We will see in this part how to configure WUfB by group policy. On a domain controller, open the Group Policy Management console and right-click on Group Policy Object. Enter the name of the GPO and click on OK.
Right click on the GPO previously created and select Edit. The Group Policy
Expand Computer configuration / Administrative Templates / Windows Components / Windows Update / Windows Update for Business. A few parameters are available; configure the ones you need. Depending on the ADMX version, additional parameters may be present.
Select when preview builds and feature updates are received. This parameter configures when feature builds and preview builds are received by the computer. The registry key Software\Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel is configured.
Select when Quality updates are received. This parameter configures when quality updates are received by the computer. The registry key Software\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates is configured.
Disable Safeguards for feature update. This parameter must be enabled if there are known compatibility issues that block the upgrade from being deployed. When you enable this policy, the feature update is deployed to devices without being blocked by safeguard holds. The registry key Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWUfBSafeguards is configured.
Disable Safeguards for feature update. This parameter configures how and when Windows 10 Insider Preview Builds are installed on devices. The registry key Software\Policies\Microsoft\Windows\WindowsUpdate is configured.
Select the target feature Update version. This parameter configures the desired version of Windows for the devices. The following URL can be used to get the version number here. The registry key Software\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersion is configured.
Apply the policy to the desired devices. I use an AD security group to apply the strategy only to the desired computers.
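To check on a workstation that the GPO above produced the expected registry values, the following added example (not part of the original post) reads the WindowsUpdate policy key and flags risky or inconsistent settings. The function names are hypothetical, and the two `...PeriodInDays` value names come from Microsoft's policy documentation rather than from this page; the sample values are constructed.

```powershell
# Added example: audit the WUfB policy values written by the GPO described above.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Maximum deferral periods stated on this page, in days.
# The value names are not on the page (assumption from Microsoft's documentation).
$MaxDeferral = @{
    DeferFeatureUpdatesPeriodInDays = 365
    DeferQualityUpdatesPeriodInDays = 30
}

function Get-WufbPolicy {
    # Returns the policy values as a hashtable; empty if the key does not exist.
    param([string]$Path = $PolicyKey)
    $values = @{}
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSProvider properties PowerShell adds to the result.
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-WufbPolicy {
    param([hashtable]$Policy)
    $findings = @()
    foreach ($name in 'BranchReadinessLevel', 'DeferQualityUpdates', 'TargetReleaseVersion') {
        if (-not $Policy.ContainsKey($name)) {
            $findings += "INFO: $name is not set (not configured, or GPO not applied)"
        }
    }
    if ($Policy['DisableWUfBSafeguards'] -eq 1) {
        $findings += 'WARN: DisableWUfBSafeguards=1, safeguard holds are bypassed'
    }
    foreach ($name in $MaxDeferral.Keys) {
        if ($Policy.ContainsKey($name) -and [int]$Policy[$name] -gt $MaxDeferral[$name]) {
            $findings += "WARN: $name=$($Policy[$name]) exceeds $($MaxDeferral[$name]) days"
        }
    }
    if ($Policy['DeferQualityUpdates'] -eq 1 -and
        -not $Policy.ContainsKey('DeferQualityUpdatesPeriodInDays')) {
        $findings += 'WARN: quality deferral enabled without a period value'
    }
    return $findings
}

# Constructed sample values (not from a real device) so the checks run anywhere.
$sample = @{ BranchReadinessLevel = 16; DeferQualityUpdates = 1
             DeferQualityUpdatesPeriodInDays = 45; DisableWUfBSafeguards = 1 }
Test-WufbPolicy -Policy $sample
# On a managed device: Test-WufbPolicy -Policy (Get-WufbPolicy)
```

Running `gpupdate /force` before the check on a real device ensures the values reflect the current GPO.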
Configure WUfB with Intune
Windows Update for Business can be configured by MEM (Microsoft Endpoint Manager – Microsoft Intune). The policy is applied to enrolled Windows 10 devices. It's possible to limit the deployment of the policy by:
- Azure AD Groups for devices enrolled with Azure AD Join.
- Azure AD Groups or Active Directory computer groups for devices enrolled with Hybrid AD Join.
From the Microsoft Endpoint Manager portal, click on Devices then on Update rings for Windows 10 and later.
Click on Create Profile to configure a new profile.
Enter the name of the ring and click on Next.
Configure the parameters as you want and click on Next.
Microsoft product updates : This parameter allows the device to scan for application updates from Microsoft Windows Update.
Windows drivers : Allows non-Microsoft drivers to be downloaded from Windows Update.
Configure the desired period for the Quality update and the Feature update. It’s possible to upgrade the device with the last release of Windows 11. This option is disabled by default.
Set feature update uninstall period : This option determines the period during which a feature update can be uninstalled. After this period has expired, the previous update is removed from the computer and rollback is impossible.
Enable pre-release builds : When this parameter is enabled, the device receives the selected pre-release build. Three choices are available (Windows Insider, Beta Channel, Dev Channel).
User experience settings : With these few parameters, the user experience can be configured.
- Automatic update behavior : Configure behavior for automatic installation of updates (install update and reboot computer).
- Active hours start : Configures the hour from which the reboot is suppressed.
- Active hours end : Indicates the hour from which the device is allowed to restart.
- Restart checks : Different checks are performed before restarting the device (battery level is equal to at least 40%, user present, presentation mode).
- Option to pause Windows updates : If this option is enabled, users can pause the installation of updates on their workstation.
- Option to check for Windows updates : If this option is enabled, users can check for updates on their workstation.
- Change notification update level : Configures the desired level of notification.
- Use deadline settings : This setting allows the user to use a deadline for installing updates.
Click on Next after configuring the parameters and select the desired groups. I have created an Azure AD group with my Windows 10 devices.
The profile has now been created.