In this post, we will go through and understand the concept of Windows Update for Business. Before configuring anything we need to understand why we need to configure Windows Update for Business while we already have Configuration Manager along with Windows Server Update Services (WSUS) setup as a Software Update Point role installed in our environment and what will be the impact and the reason for its implementation. I will be discussing on difference between WUfB vs WSUS.
WUfB will keep Windows 10 / 11 devices up to date with latest updates while connecting the device directly to Windows Update service.
- Overview – Windows Update for Business (WUfB)
- Supported Configuration of Windows Update for Business
- Updates you can control with Windows Update for Business
- Difference between Windows Update for Business and WSUS
- What are the settings we can control with Windows Update for Business
- Expedite Feature updates / Quality updates setting – WufB
- Different ways of implementing Windows Update for Business
Overview – Windows Update for Business (WUfB)
Windows Update for Business is the modern way of deploying the Software Updates in the organisation. It allows you to configure various rings & settings which controls the overall behaviour of how you wanted to apply the updates.
Specific benefit of implementing WUfB is, there is minimal efforts required to configure it. This comes as a huge advantage for small organizations where you wanted to deploy all patches to devices irrespective of having dependency on WSUS / Configuration Manager where you need to approve the updates manually. With SCCM, you have to deploy patches which are showing as required. But with WUfB configured all patches will be deployed and targeted, it does not give any option of selecting a specific patch.
Hence, once configured with WUfB policies, all patches will be downloaded from Microsoft Windows Update site. You can utilize the configuration in such a manner so that devices will start getting the updates in through various waves, this can be configured through implementing rings which can be implemented through Update rings (if you are using Intune MDM authority), though there are multiple ways to achieve this, not just with Intune
Supported Configuration of Windows Update for Business
Windows Update for Business is not supported for all kind of devices, only premium editions are supported. WUfB is supported for Windows 10 and Windows 11 devices, only following editions of operating system is supported:
Windows 10 Pro
Windows 10 Enterprise
Windows 10 Pro for Workstations
Windows 10 Education
Windows 11 Pro
Windows 11 Enterprise
Windows 11 Pro for Workstations
Windows 11 Education
Updates you can control with Windows Update for Business
Following are the kind of updates which can be supported with WUfB policies:
- Features update:
- Quality updates
- Driver updates
- Microsoft product updates
Difference between Windows Update for Business and WSUS
We need to understand the difference between WUfB vs WSUS configuration.
WSUS: This gives the organization full control over deploying the patches. WSUS will store all the metadata manually on the server, and we can manually approve the updates based upon what we need to deploy. Hence, it gives a granular level control of what patches we need to deploy and what not. This comes with a benefit that, we can wait for a longer time to deploy the patches or even not deploy any specific patch if we know it can cause problem with any specific application or the recent update might have caused some issues. Windows Server Update Services contacts the Microsoft Update and downloads the update locally and all user gets the update from WSUS Server.
As we discussed on benefits, lets talk about cons. WSUS configuration comes with additional overhead for managing the WSUS server and approving the patches manually. This kind of configuration is not automated.
Windows Update for Business: WUfB gives the benefit of deploying the patches in much more controlled manner. WUfB gives the flexibility for devices to directly contact Windows Update to download the patches. Once the policies are in place, updates will be deployed automatically. One of the benefits with WUfB configuration is that no patches will be missed, however it might break / cause issue on few devices if not tested thoroughly. To overcome this situation WUfB can be deployed using various rings so as you can start deploying in multiple phases to have enough time if issue arises for small number of pilot devices. We can also control deferral period, pause the updates and other settings. For small organizations it is easy to configure and implement while WSUS / Configuration Manager configuration is meant for bigger organization. Though modern management prefers going with Windows Update for Business.
What are the settings we can control with Windows Update for Business
We can control various settings using WUfB. We can:
- Defer an update : We can defer the update for a specific period of time which comes handy if we need more time to test the updates. There are different Maximum deferral period for various categories:
Feature updates : 365 days (Maximum deferral period)
Quality updates : 30 days (Maximum deferral period)
We can see this setting under Microsoft Endpoint Manager admin center, Home > Devices > Update rings for Windows 10 and later > Create Profile. Under Update
settings we have options:
Quality update deferral period (days)
Feature update deferral period (days)
- Pause an update : IT administrator also have the option to pause the update whether it is feature update or quality update. You can pause the update for upto 35 days from a specified date.
Navigate to Update rings for Windows 10 and later > Overview, under Pause we see Feature & Quality. Once done, devices which have been targeted with this setting will not get the updates for 35 days with message:
Quality updates have been paused for Win10. Days remaining: 35.
After 35 days, selected update will resume. If you need more time for testing and wanted extra period of time to pause it, click on Extend and select Quality / Feature which will again add 35 days starting from current date.
These settings can be achieved through Group Policy (GPO) and SCCM WUfB integration as well.
- End-user experience control for Windows Update :
We can control a lot of other settings such as Update settings & User experience settings:
- Servicing Channel: There are multiple options available to select under Update ring settings
Semi-Annual Channel (Targeted) for 1809 and below
Windows Insider – Fast
Windows Insider – Slow
Windows Insider – Release Preview
For production environment, Semi-Annual Channel is recommended.
- Microsoft Product Updates : Allow / Block
- Windows drivers : Allow / Block
- Automatic update behavior:
Auto install at maintenance time
Auto install and restart at maintenance time
Auto install and restart at a scheduled time
Auto install and reboot without end-user control
Reset to default
- Active hours start
- Active hours end
- Restart Checks : Allow / Skip
- Option to pause Windows updates : Enable / Disable
- Option to check for Windows updates: Enable / Disable
- Require user approval to dismiss restart notification: Yes / No
- Remind user prior to required auto-restart with dismissible reminder (hours) : 2,4,8,12 or 24
- Remind user prior to required auto-restart with permanent reminder (minutes) : 15,30 or 60
- Use deadline settings : Allow / Not configured
- Deadline for feature updates : Between 2 and 30
- Deadline for quality updates : Between 2 and 30
- Grace period : Between 0 and 7
- Auto reboot before deadline
We can see there are lots of option we can configure based upon organizations requirement and can change the overall user experience for deploying the patches. Update rings will act as a policy for devices which will set the configuration only.
Expedite Feature updates / Quality updates setting – WufB
Update ring specified above will be sufficient to deploy the updates. However, you want to expedite the updates, such as some critical security patch released which needs to be deployed as soon as possible. We don’t wanted to rely upon Update ring which might cause some delay based upon the settings we have specified. For this sepcific purpose we can use:
- Quality updates for Windows 10 and later (Preview)
- Feature updates for Windows 10 and later (Preview)
Navigate to Home > Devices > Feature updates for Windows 10 and later (Preview) and Create Profile.
We have the option Feature update to deploy under Feature deployment settings, this will show only supported OS at the time of deployment such as (at the time of this post):
Windows 10, version 21H1
Windows 10, version 20H2
Windows 10, version 2004
Windows 10, version 1909
For Quality updates, navigate to Quality updates for Windows 10 and later (Preview) > Create Profile
Under settings we have the option:
Expedite installation of quality updates if device OS version less than:
10/12/2021 – 2021.10 B Security Updates for Windows 10
09/16/2021 – 2021.09 B Security Updates for Windows 10
09/14/2021 – 2021.09 B Security Updates for Windows 10
Note: It only shows those updates which you can expedite, you cannot expedite the Optional windows quality updates. Letter B indicates patch Tuesday, which means the patch was released on secondary Tuesday of the month
Number of days to wait before restart is enforced : 0 days / 1 day / 2 days
Windows Update for Business can utilise the Delivery Optimization feature so as the patches downloaded on the devices can be shared among the peers on the same network.
This can be achieved by creating Configuration profiles.
Navigate to Home > Devices > Configuration profiles, select Platform as Windows 10 and later and Profile type Templates. Select the template as Delivery Optimization. This option itself is a very lengthy topic to explore with so many other options to be specified.
Different ways of implementing Windows Update for Business
Intune is not the only option to implement WUfB policies, but there are lots of other ways to implement it. Microsoft Intune is one of the MDM Authority which is a cloud solution to implement WUfB policies, you can go with any other MDM authority as well. Following are the available options to implement WUfB:
Implement WUfB using Intune MDM Authority:
As discussed earlier, Intune is one of the way to implement WUfB policies utilising Update rings for Windows 10 and later along with:
Feature updates for Windows 10 and later (Preview)
Quality updates for Windows 10 and later (Preview)
Implement WUfB using Group Policy
There are whole lot of options available for Windows Update for Business policy using GPO. Edit any policy, under Group Policy Management Editor navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage Updates offered from Windows Update
Following options are available:
- Select when Preview Builds and Feature Updates are received
- Select when Quality Updates are received
- Disable safeguards for Feature Updates
- Do not include drivers with Windows Updates
- Manage preview builds
- Select the target Feature Update version
Implement WUfB using Configuration Manager
Using Configuration Manager also you can configure the WUfB policies, there are few prerequisites for this to achieve such as disabling Software Update policies so that clients are not contacting local WSUS server.
Under Configuration Manager, navigate to \Software Library\Overview\Windows Servicing\Windows Update for Business Policies to create the policy and deploy it.
There are few other things also to be taken into consideration such as Windows update access shouldn’t be blocked. Check online for update from Microsoft Update should not be blocked
I hope you would be clear with Windows Update for Business configuration which is a modern management of managing the device when it comes to deploying software update patches and keeping the device current.