You may have seen the option to use Windows Update for Business and wondering what it brings to the table when compared to WSUS and SCCM. Windows Update for Business (WUfB) is a good way of simplifying and automating the deployment of Windows Updates without using any on-premises infrastructure. The downside is that you do loose some control, but the benefits outweigh the drawbacks. As I always say, it does depend on your infrastructure and environment though. The biggest aspect of control that you lose is the ability to completely block an update. In WSUS you can just decline it and it will never deploy, but with Windows Update for Business you can only defer (delay) updates. The benefits of using Windows Update for Business are:
- No need to manage the approval of individual updates.
- You don’t need to dedicate infrastructure to running Windows Server Update Services (WSUS).
- You can receive driver and other updates, without dedicating infrastructure to it – managing driver updates with WSUS is difficult and usually not recommended.
- It simplifies configuration of client devices receiving updates.
Creating a Group Policy Object
To get started using Windows Update for Business, we’re going to create a Group Policy to test it out and use an Active Directory group to limit the devices we move over to WUfB.
Create a new GPO called: WUfB_Test Below I’ll list the settings to configure in the GPO and what effect they have.
Computer Configuration/Policies/Administrative Templates/Windows Components/Delivery Optimization
Download Mode - Enabled
Download Mode: LAN (1)
Explanation: This will enable your clients to provide updates to other clients on the local area network. This will help prevent all client devices from going to the internet to retrieve updates and saving on bandwidth usage.
Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update
Configure Automatic Updates - Enabled
Configure automatic updating: 4 - Auto download and schedule the install
Install during automatic maintenance: Un-checked
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Every week: Checked
Install updates for other Microsoft products: Un-checked
Turn off auto-restart for updates during active hours - Enabled
Active Hours Start: 8am Active Hours End: 5pm
Explanation: With the settings above Windows will download and install updates automatically without user intervention. If an update requires a restart Windows will not do so during the active hours set.
Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update/Windows Update for Business
Manage preview builds - Enabled
Set the behaviour for receiving preview builds: Disable preview builds
Explanation: These settings prevent the preview builds of Windows 10 from installing.
If you do want a collection of devices that install the Insider preview builds of Windows 10 for testing in your organisation, then you should create another GPO for that.
Select when Preview Builds and Feature Updates are received - Enabled
Select the Windows readiness level for the updates you want to receive: Semi-Annual Channel
After a Preview Build or Feature Update is released, defer receiving it for this many days: 365
Pause Preview Builds or Feature Updates starting: leave blank
Explanation: This is where you select the update channel, which at this point in time only really matters if you are deploying preview Insider builds of Windows 10. There does appear to be a bug in the Group Policy Management console where it reports the channel as always being ‘Semi-Annual Channel (Targeted) for 1809 and below (Deprecated)’. The settings above will prevent Windows 10 from downloading and installing any of the major feature updates for one year. For example, when running Windows 10 v1903, it will not download the update to Windows 10 v1909 for one year (365 days).
Select when Quality Updates are received - Enabled
After a quality update is released, defer receiving it for this many days: 7
Pause Quality Updates starting: leave blank
Explanation: These settings control when the quality updates can be installed. The quality updates are the monthly updates released for Windows 10. You may want to defer these for a week or two just in case there are any issues with them.
Now we’re going to use an Active Directory group ensure that this GPO only applies to the clients we want it to.
- Create a group in Active Directory called: WUfB_Test.
- Add in the computer accounts you want to use to test Windows Update for Business.
- Using Group Policy Management, go to Group Policy Objects > WUfB_Test.
- Click on the GPO and select the Scope tab in the larger right-hand pane
- Under the Security Filtering section, remove the Authenticated Users group and add the WUfB_Test group.
All we need to do now is link the GPO to an OU that contains the devices we want to test WUfB with.
Final Thoughts and Recommendations
Something I haven’t covered in this post is how to get telemetry on the status of updates across the devices in your organisation and that’s because to be honest, I haven’t been able to get it working yet. According to Microsoft’s documentation, it is available via a free service in Azure, but I haven’t been able to find it yet let alone enable it. I’ll keep you posted. There are two Group Policy settings that don’t appear to have any effect on Windows 10 or Windows Server 2016+ devices. If your experience if different, please let me and others know in the comments.
Install updates for other Microsoft products - This used to effect Windows 7 and possibly Windows 8, but these days it doesn’t appear to do anything. It may take some effect on older or slightly obscure pieces of software, however.
Install during automatic maintenance - This setting only appears to take effect on Windows Server 2012 R2 devices. As I mentioned earlier in the post, I would suggest that depending on your environment you might want to set up a couple of different GPOs so you could have a testing group and then a production group for updates. You could also configure a GPO to enable the deployment of Windows Insider builds within your organisation to test software as well as deployment. You could also use WUfB for servers as well. WSUS was first released during the Windows XP and Windows Server 2003 timeframe and back then it was a godsend. Over the years as Windows has changed, WSUS has had more and more added to it and these days it feels very much like part of the legacy and on-prem suite of products that aren’t going to get any updates in future. We can debate on whether this is a good thing or not in the comments section and on Twitter, but hopefully this post helps bring awareness to Windows Update for Business and how you might be able to use it.
I hope you found this post useful in some way, please consider supporting my future work by checking out my Patreon where you can get early access, exclusive content and receive other benefits by supporting me for as little as $2 a month. If you would prefer to make a one-time donation then please use PayPal, or Ko-fi. If you are unable or prefer not to use either of those methods, no problem - sharing my work and following me on social media is a huge help. Thanks!