In this post I will discuss the types of Windows Update for Business policy: what the differences are between the update ring, feature update, quality update and driver update policies, and why we need the additional policies even though an update ring can deploy all kinds of updates.
Windows Update for Business Policy
WUfB policy is used to deploy various kinds of updates for Windows 10 and Windows 11. We can deploy quality updates, feature updates, driver updates and Microsoft updates. We use the Microsoft Intune admin center to deploy Windows Update for Business policy.
Log in to the Microsoft Intune admin center and navigate to Devices > Windows. We can see four policies related to Windows Update:
- Update rings for Windows 10 and later
- Feature updates for Windows 10 and later
- Quality updates for Windows 10 and later
- Driver updates for Windows 10 and later
Even though the update ring policy can deploy all kinds of updates, it doesn’t provide the full-fledged control that the remaining three policies offer. An update ring only requires a basic Intune license, while the other policies come with an additional license requirement and a few other prerequisites to meet.
Update rings for Windows 10 and later
Let’s talk about the first policy, Update rings for Windows 10 and later. It has the capability to install the following updates:
- Quality updates
- Feature updates
- Driver updates
- Microsoft product updates
Here the question arises: if an update ring can deploy all the above-mentioned types of updates, why is there a need for the feature update, quality update and driver update policies? Do these policies provide the same results with the same features?
Let’s discuss in detail.
Once an update ring for Windows 10 and later is deployed, it can deploy the various updates discussed earlier. The update ring is meant to provide a deferral period for quality updates and feature updates so as to control when the updates are offered. Updates are usually released on the 2nd Tuesday of the month; a deferral period allows us to delay the offering to the device.
As seen in the picture below, I have set the Quality update deferral period to 2 days and the Feature update deferral period to 0 days. Once the quality update is released on the 2nd Tuesday, it will only be offered after 2 days. In the same way, a feature update (which is typically released once a year) will be offered the same day, as we have set the deferral period to 0.
That’s not the only purpose of an update ring. It also covers user experience settings, which control the automatic update behavior, including the active hours start and end. But the important section is the deadline settings.
These allow a deadline to be set separately for feature updates and quality updates. The deadline forces the device to install the update once it has been offered to the device (after the deferral period).
The grace period further complements the deadline by giving the device extra days, so as to prevent an immediate reboot. You may check the link for the whole process of Windows update restart behaviour.
So what exactly are we missing with update rings? This looks like a perfect way to deploy updates. In fact, it requires an Intune license only.
Let’s look at the other update policies and see what they offer that an update ring does not.
Feature updates for Windows 10 and later
This policy is only meant to deploy feature updates for Windows 10/11. Using this policy comes with the following benefits:
- You can freeze devices on a targeted feature update version. Devices will be upgraded to the specified version and will stay on that version only.
- Gradual rollout of the feature update. This lets you specify the dates for first group and final group availability, and the days between groups. Targeted devices are divided into multiple groups depending upon the dates defined and the days-between-groups setting. This helps install the feature update gradually, with a gap between the installations on successive groups.
Feature update policy vs Update ring policy
As you can see, the feature update policy has something additional to offer that is not present in the update ring policy. An update ring can’t control the availability of an update on a specific day, nor does it have a gradual rollout feature. An update ring also can’t freeze the feature update at a specific version; devices will be updated to the latest release based upon the deferral period.
Note: Use the feature update policy together with the update ring policy. Both are required; the latter is needed for user experience. Make sure to set a deferral period of 0 days in the update ring policy so that it does not interfere with the feature update policy offering the update.
The feature update policy also comes with very good reporting, which helps you analyse the results and the compliance of the devices.
What is required for Feature update policy?
It looks tempting to go with the feature update policy. But hang on, it comes with a specific license requirement and a few other settings to be configured.
- You need an additional license for this policy. An Intune license is not sufficient. As this feature relies on the Windows Update for Business Deployment service (WUfB-DS), the following licenses cover the WUfB-DS service:
  - Windows 10/11 Enterprise E3 or E5
  - Windows 10/11 Education A3 or A5
  - Windows Virtual Desktop Access E3 or E5
  - Microsoft 365 Business Premium
- Enable telemetry for the device. This can be easily achieved via a Device restrictions policy. Navigate to Configuration profiles, select the profile type Templates and select Device restrictions. Under Reporting and telemetry > Share usage data, select the value Required.
- The Microsoft Account Sign-in Assistant (wlidsvc) service should be able to start. It should not be in a disabled state.
Quality updates for Windows 10 and later
This policy is also known as expedite update. The purpose of this policy is to deploy out-of-band updates. When an organization needs to deploy an update on an urgent basis for a zero-day vulnerability, it should go with this policy.
Once this policy is targeted, it ignores the deferral period set by the update ring policy and installs the latest update that was selected in the policy.
When you create this policy, you have the option to select one of the three latest updates. It also has a setting to restart the device, with a maximum value of 2 days. With this setting we force the devices to become compliant at the earliest.
Note: The quality update policy and the update ring policy can be used together, as each has a specific purpose. The quality update policy should not be used to replace the update ring policy, as it serves one specific purpose only. For user experience and other settings, we still have to rely upon the update ring policy.
What is required for Quality update policy?
Once again, the license requirements remain the same, along with a few other settings:
- An Intune license is not sufficient in this case either. The WUfB-DS service dependency still exists, which requires a Windows 10/11 Enterprise E3 or E5 license. All license requirements are covered under the feature update policy above; kindly check it for the complete list.
- Microsoft Update Health Tools should be installed on the device. Locate the folder under c:\Program Files\Microsoft Update Health Tools. You can check Add/Remove Programs for the product as well.
Driver updates for Windows 10 and later
Though driver updates can be installed via an update ring, this policy takes the driver update experience to the next level.
This policy provides additional features such as automatic approval and manual approval of driver updates. When we create the driver update policy, we can see the two options available:
- Manually approve and deploy driver updates
- Automatically approve all recommended driver updates
By selecting the first option, manual approval, we have full control over which drivers to select and deploy and which ones to ignore.
The report for Windows 10 and later driver updates will further help you drill down into which updates got installed, along with Update State, Update Substate and other settings.
Note: The update ring is still required for user experience. Don’t block the Windows driver feature in the update ring, as that will cause a conflict with the driver update policy.
What is required for Dell driver update policy?
- The license requirement remains the same as for the feature update and quality update policies. WUfB-DS requires an additional Windows 10 license. Check the feature update section above for all the details related to licenses.
- Enable telemetry – the Device restrictions policy (configuration profile) must have Share usage data set to Required.
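The device-side prerequisites from the three requirement sections above (the wlidsvc service, telemetry, and Microsoft Update Health Tools) can be verified locally with a short script. This is an added example, not part of the original post or any Microsoft tooling; the function name `Test-WufbPrerequisite` is hypothetical, and the registry location and value mapping used for the telemetry policy are assumptions.

```powershell
# Added example: local check of the device-side prerequisites named in the post.
# Run in an elevated PowerShell 5.1+ session on the Windows client being checked.
function Test-WufbPrerequisite {
    [CmdletBinding()]
    param(
        # Folder named in the post for Microsoft Update Health Tools
        [string]$HealthToolsPath = 'C:\Program Files\Microsoft Update Health Tools',
        # Assumption: where the MDM System/AllowTelemetry policy value is stored
        [string]$TelemetryKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    )

    # 1. Microsoft Account Sign-in Assistant (wlidsvc) must not be disabled
    $svc = Get-Service -Name 'wlidsvc' -ErrorAction SilentlyContinue
    $svcState = 'service not found'
    if ($svc) { $svcState = "StartType=$($svc.StartType), Status=$($svc.Status)" }
    $svcOk = [bool]($svc -and $svc.StartType -ne 'Disabled')

    # 2. Telemetry (Share usage data) must be Required or higher.
    #    Assumption: 0 = off/security only, 1 = Required, higher values = more data.
    $prop = Get-ItemProperty -Path $TelemetryKey -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
    $level = $null
    if ($prop) { $level = $prop.AllowTelemetry }
    $telemetryState = 'policy value not found'
    if ($null -ne $level) { $telemetryState = "AllowTelemetry=$level" }
    $telemetryOk = ($null -ne $level) -and ($level -ge 1)

    # 3. Microsoft Update Health Tools folder (needed for the quality update policy)
    $toolsOk = Test-Path -Path $HealthToolsPath -PathType Container
    $toolsState = 'folder missing'
    if ($toolsOk) { $toolsState = 'folder present' }

    # One result object per check, so the output can be filtered or exported
    [pscustomobject]@{ Check = 'wlidsvc not disabled';      State = $svcState;       Passed = $svcOk }
    [pscustomobject]@{ Check = 'Telemetry Required or higher'; State = $telemetryState; Passed = $telemetryOk }
    [pscustomobject]@{ Check = 'Update Health Tools installed'; State = $toolsState;     Passed = $toolsOk }
}

Test-WufbPrerequisite | Format-Table -AutoSize
```

A device that fails the first two checks will not be served by the feature or driver update policies, and one that fails the third cannot receive an expedited quality update.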
It is now clear that the update ring policy is good for deploying all kinds of updates, but to get more out of Windows Update for Business policy, you can enhance the experience by using the feature update, quality update and driver update policies.
Be ready to invest further in a Windows 10 Enterprise E3 / E5 license, which is the most commonly used license. This license is already part of the Microsoft 365 E3 / E5 license. The most cost-efficient license for this service is the Microsoft 365 Business Premium license, which is limited to businesses with 300 users only.