AMA: Managing Windows updates
Event details
Managing updates across an organization doesn’t have to be complicated. Have questions on how to control update offerings and experiences? Want to know the best ways to test on a subset of devices before deploying updates across your organization? Need to balance timely update deployment with a positive update experience for the people in your organization? Bring your questions to this Ask Microsoft Anything (AMA) session!
This session is part of Tech Community Live: Windows edition.
- -KenD (Brass Contributor)
What advice do you have for customers who want to move to newer management methods of Windows updates but have complicated "known unknowns"? For example, bandwidth issues with VPN split exclude tunnels, and complicated networking which may or may not allow East-West traffic. Previously, with WSUS/Configmgr, you knew Client <-> DP/WSUS and could back off downloads quickly if too many clients started at the same time. What options are there to throttle if networking goes wrong?
- TylerPlesetz (Microsoft)
Hello Ken! Today, Delivery Optimization is a solution we have to help offload internet traffic by allowing devices to share update content with each other. Here is some of our documentation around Delivery Optimization for more: https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization
If DO is unable to meet your needs, we'd love to hear about it!
- Char_Cheesman (Community Manager)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 15:50.
- lalanc01 (Iron Contributor)
Is any work being done to add information to the WUFB DO report? I know that the community is actively creating their own reports with more valuable data to troubleshoot DO or show detailed savings, but it would be great to have it included in WUFB reports. Thks
- Char_Cheesman (Community Manager)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 48:05.
- t3hcr (Brass Contributor)
We're still heavily an on-prem shop and use WSUS and Group Policies to manage our updates for our workstations (and servers). Is there anything new with WSUS and related Group Policies that we should be considering? Is there a future still for our approach? Appreciate all the goodness y'all are moving forward! 😊
- Jason_Sandys (Microsoft)
Is there a reason you haven't begun looking to Windows cloud native (which includes management with Intune and WUfB/Autopatch)? This is effectively the path forward for all orgs (where technically possible), with most/all on-prem solutions within the Microsoft stack being deprioritized.
- t3hcr (Brass Contributor)
Managerial hesitance to move to cloud, but no lack of hesitance by the actual practitioners. 😊 I continue to push things forward as I can. I just hope I can before it's too late. Thanks for answering my question here and on the live AMA!
- Char_Cheesman (Community Manager)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 25:00.
- RuanITCJ (Brass Contributor)
For devices in Intune, is there going to be an option to have the device check for updates? There's Update Windows Defender Security Intelligence, but not regular Windows Updates. It would be great to be able to kick off a manual Windows update scan from the device overview.
- Jason_Sandys (Microsoft)
Can you expand on the scenario you are trying to address here? A scan from the Settings app can be initiated by the end user. Is there something else you are looking for here?
- RuanITCJ (Brass Contributor)
For a similar scenario that you'd want to do a Sync, Restart, Update Defender Intelligence. Yes, it should automatically update, synchronize, and do reboot, but this does not always occur. If a device is online, yes, we could reach out to the end user. By taking the user out of it we should be able to more quickly force a device to update if it isn't for whatever reason without relying on a user to do it. Device Query looks nice, but without a license for advanced analytics we can't do it. Not to be difficult or anything, but yes, most of these things can be done by users or through management, but there are always exceptions and things happen which sometimes require intervention. That's what these tools and actions are for.
- Joe_Lurie (Microsoft)
RuanITCJ Thanks for the question. If you haven't heard, we are working on a "Device Query" in Intune (much like SCCM's CMPivot) which will allow you to query a device and then take an action. So you can kick off a real-time scan and then update, or reboot, or whatever the action needed is...directly from the Intune admin center. For more information on Device Query, see here: Device query in Microsoft Intune | Microsoft Learn
- swpheonix77 (Copper Contributor)
Will there be mechanisms built in top WUfB and Autopatch to be able to easily pull a KB from deployment that causes an unforeseen issue in the environment? We can do it easily in WSUS but have been told this is not easy in these products by design? I know we should be able to test in advance releases but things happen 🙂 in a large broad environment? Thanks!
- Char_Cheesman (Community Manager)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 39:15.
- Jason_Sandys (Microsoft)
Also, keep in mind here that granular management of updates as was done in WSUS 10+ years ago is more or less an OBE process given the use of monthly cumulative updates; i.e., granular KBs no longer exist to be approved (or declined). For Windows, it's an all or nothing proposition now and has been since Windows was released. You can entirely pause the delivery of all quality updates (which is, for most intents and purposes, the monthly Windows CU) and this is the primary option. If there is a specific "fix" within a CU that is causing you an issue, you can generally disable these using Known-issue rollback: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831. The bottom line, though, is that granular management of updates is a thing of the distant past even in WSUS as the update model itself has changed.
- swpheonix77 (Copper Contributor)
I appreciate the responses and added guidance on the known issue rollback capabilities. For our admin, the visibility is still much more visible and granular in WSUS (CM) than Intune and WUfB still and hoping it will continue to evolve...as well as the gap in the long awaited driver updates visibility and maturity we are hoping are still coming as promised a year ago. (Impatient...I know :)) We will consider this in decision making and be aware it is only for non-security updates. The updates from July this year that were problematic with BitLocker would have been an issue that could not be rolled back as I understand it, had a test device sample size not been large enough to determine if it impacted our assets. I also know this scenario is usually rare ...1-2 times per year for us. Is there a link for these rollbacks or status that both acknowledges real time when they happen and advising status realtime? Thanks again for the information.
- owergame (Copper Contributor)
Hello there. We've been long time users of the previous WUfB setup with Log Analytics. The only thing bothering us since 2019 onwards was that some of the devices weren't able to "self-heal"/reset Windows update service once it's down. There were some of the 0x800xyz errors regarding Windows Update service that could only be resolved by fresh starting the mentioned devices. My question therefore would be, will anything be changed on the OS level to make the service itself more lightweight, more resilient and repairable? Also are there any advantages of going full Windows 11 organizationally wide?
- lalanc01 (Iron Contributor)
Is it in the works to have devices see that they have a feature update to install sooner? Right now it can take multiple hours/days for the devices to see it, but we sometimes need to upgrade asap. Right now we need to leverage configmgr or regular setup for those scenarios. Thks
- Dennis Loudon (Copper Contributor)
Will there ever be a path for currently unsupported PCs to go from Windows 10 to Windows 11?
Hi Dennis, I personally doubt this. The requirements on CPU (like fTPM, SSE 4.2) and HW like Secure Boot (Mainboard + CPU + GPU) and drivers (Core Isolation, HVCI) are crucial for today's security and to mitigate modern attack vectors.
- Joe_Lurie (Microsoft)
Dennis Loudon thanks for the question, and Karl-WE thanks for the correct reply! Today we have no plans to lessen the security requirements which would allow Windows 11 to install on devices that don't have a TPM (or have an older one) or don't support Secure Boot. My recommendation is to make sure these devices are running Windows 10, version 22H2 with the latest security updates, and keep updating it through Oct 14, 2025. As you buy new devices, make sure they are capable of running Windows 11.
- Biyakuga_Higashiri (Copper Contributor)
Hi Heather Poulsen,
Thank you for inviting me to the Windows Tech Community Live event.
I will do my best to attend. However, if I am unable to join, I would like to submit a question for the developer panel.
Regarding the management of Windows updates, I have encountered challenges, particularly with updating drivers for new computers. Currently, I must visit the motherboard and other device manufacturers' websites to download the latest drivers.
Over time, I have observed that the most recent motherboard drivers are generally safe to update and often enhance system stability by fixing bugs.
Are there any plans to simplify and expedite this process? Specifically, will there be a method to allow users to download the latest drivers directly through Windows Update, eliminating the need to visit multiple manufacturer websites?
Thank you for your attention.
Best regards,
Biyakuga Higashiri
- Char_Cheesman (Community Manager)
Thanks for participating in today's session of AMA: Managing Windows updates! For reference, the panel covered your question at 3:30.
- Biyakuga_Higashiri (Copper Contributor)
Thank you so much ❤️
- Char_Cheesman (Community Manager)
Welcome to the AMA: Managing Windows updates. Let's get started! Post your questions in the Comments. We'll be answering questions in the live stream and in chat.