Optimize on-premises monthly update delivery using the cloud
Published Jun 23 2020 09:00 AM
Microsoft

Did you know you can leverage Windows Update for Business to receive updates securely from Microsoft and reduce VPN traffic regardless of what tool you are using to manage updates today? In this blog, I'll show you which Group Policies (GPs), Configuration Service Provider (CSP) policies, and upcoming Windows Update for Business Deployment Service (DS) controls can be leveraged by management solutions such as Microsoft Endpoint Configuration Manager and mobile device management (MDM) solutions to ensure that Windows 10 devices in your organization are always up to date with the latest security enhancements and Windows features.

As more organizations and their user base shift to remote work scenarios, we are fielding questions on how to optimize delivery of monthly security updates. Now is the time to take advantage of cloud services to keep remote workers protected and productive. Successfully managing security updates delivered directly through the internet empowers IT to optimize the end user experience while protecting corporate assets. If you are an IT administrator, you have a variety of options available to manage Windows 10 monthly security updates, no matter where you are in your update management journey.

In this post, we'll also discuss the controls for managing update offerings that allow reliability and performance testing on a subset of systems before rolling out updates across the organization. These controls and built-in mechanisms draw on the knowledge gained from updating millions of devices, so you can provide a positive update experience for those within your organization while keeping devices secure.

The next section of this guide will break configuration options into three categories:

  1. Traditional management through Windows Server Update Services (WSUS): How to leverage Group Policy via WSUS standalone, Configuration Manager, or other management tools
  2. Co-management: How to coordinate between Configuration Manager and Microsoft Intune
  3. Modern management: How to use Intune or other MDM settings

Depending on where you are in your management journey, you can leverage Windows Update for Business to optimize monthly security updates through the cloud to maximize both end user productivity and update patch compliance. Let’s start by looking at how to go from on-premises pointing to WSUS to pointing to Windows Update using the Windows Update policies.

Start pointing to Windows Update

For those using WSUS including Configuration Manager or WSUS standalone:

If your organization uses a WSUS-connected management tool today, the first step is to point your devices directly at the Windows Update service rather than at your local server. For this to work, you do not want to use a VPN allow list. If you do use a VPN allow list, please see Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager for best practices. For those who are using a WSUS management tool and are not using a VPN allow list, you can start pointing to Windows Update by using the following Group Policies (under the Windows Update node).

If you are an IT administrator using Configuration Manager, we recommend that you point to Windows Update by moving your Windows workload to Intune via co-management (see paths to co-management).

To start pointing to Windows Update using Windows Update for Business policies, you will need to set the following policies:

| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Do not allow update deferral policies to cause scans against Windows Update | Unconfigured or disabled |
| CSP | Update/DisableDualScan | 0, allow |


| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Do not connect to any Windows Update Internet locations | Unconfigured or disabled |
| CSP | Update/AllowUpdateService | 1, allow |


Once you have connected to the Windows Update service, you need to determine which update types you want devices in your organization to be offered, including Windows 10 feature updates, quality updates, driver updates, and Microsoft product updates. Once you have determined the types of updates you want offered to your devices, you can use the controls outlined in the next section to ensure that devices are offered the updates you want them to receive, when you want them to receive them.

Manage offering to get quality updates only

Manage if drivers are offered

Drivers can help ensure that a device is working at its best, but you may prefer not to offer them to your devices until you feel comfortable using Windows Update for Business to manage your Windows quality updates. To prevent drivers from being offered to devices, consider setting the following:

| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Do not include drivers with Windows Updates | Enabled = no drivers |
| CSP | Update/ExcludeWUDriversInQualityUpdate | 1, exclude |


Manage when feature updates are offered

Semi-annual Windows 10 feature update releases provide new experiences, services and enhancements, but we understand that you may not be ready to provide those updates to devices in your organization. Devices can remain on a Windows 10 feature update OS version and keep receiving monthly quality updates, which provide bug fixes, reliability improvements and security enhancements, as long as that feature update is in support. Please see the Windows 10 release information page for details on supported versions. Depending on which OS version you are using, different settings are available to reach a predictable and consistent end user update experience. The following tables show the setting options depending on the OS version of the device.

For devices on Windows 10, version 1903 or greater:

Devices on Windows 10, version 1903 can use deferrals to remain on version 1903. A device using deferrals will update semi-annually to an update that is at least the specified number of deferral days old. For example, if version 1909 was released on November 12th, 2019, then a 1903 device with a 365-day deferral would update on November 11th, 2020 to version 1909. If you want to remain on your current version for a longer period of time, or move directly from version 1903 to 2004, see the options listed below for devices on Windows 10, version 1803 or greater.

| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Select when Preview builds and feature updates are received, defer feature updates | Enable, then defer feature updates for 365 days; the device will receive version 1909 when version 1909 is 365 days old, in November 2020. |
| CSP | Update/DeferFeatureUpdatesPeriodInDays | 365 |


For devices on Windows 10, version 1803 or greater:

If you need your devices to remain on their current feature update beyond when deferrals would allow or until the current OS version reaches end of service, then you should specify a specific version for the device to stay on until end of service or until the policy is changed to a newer Windows 10 feature update.

| Type | Policy name | Configure to |
| --- | --- | --- |
| Windows Update for Business DS | Windows 10 Feature Updates (Preview) | Specify a specific version (e.g. 1809) to move to and/or stay on until the policy is changed or until end of service. |
| GP | Select the target Feature Update version | Same target version (e.g. 1809) |
| CSP | Update/TargetReleaseVersion | Same target version (e.g. 1809) |

Note: The Windows Update for Business Deployment Service controls are currently in preview with Intune and are the recommended path for customers who are using Microsoft Endpoint Manager.


OR

If you only need to delay feature updates temporarily, you can consider utilizing pause. See the next section for details on how to configure pause.

For devices on Windows 10, version 1709 or below:

Using the Feature Update Pause Start Date policy, you can reset the pause start date every 34 days to keep feature updates paused for as long as you need, until your current version reaches end of service.

| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Select when Preview builds and Feature Updates are received, pause Feature Updates starting | Enter a date from which to start pausing updates for 35 days (e.g. 2020-06-15). |
| CSP | Update/PauseFeatureUpdatesStartTime | Same start date (e.g. 2020-06-15) |
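As an added example (not code from the original post), here is the date arithmetic behind the deferral example for version 1903 and the pause reset cadence above, in PowerShell. It assumes that a deferral offers a feature update once it is the configured number of days old, and that a pause covers 35 days counted from its start date, which is why resetting the start every 34 days leaves no uncovered day; the end-of-service date in the sample run is a constructed placeholder, not a real one.

```powershell
# Added example, not code from the original post. Assumptions: a deferral offers the update
# once it is $DeferralDays old; a pause covers $PauseDays days including its start day.

function Get-DeferredOfferDate {
    param([datetime]$ReleaseDate, [ValidateRange(0, 365)][int]$DeferralDays)
    # The post's example: version 1909 released 2019-11-12 with a 365-day deferral -> 2020-11-11
    $ReleaseDate.AddDays($DeferralDays)
}

function Get-PauseResetSchedule {
    param(
        [datetime]$FirstPauseStart,
        [datetime]$EndOfService,
        [int]$PauseDays = 35,       # length of one pause window (as configured in the policy)
        [int]$ResetEveryDays = 34   # reset one day before the current window runs out
    )
    if ($ResetEveryDays -ge $PauseDays) {
        throw "Reset interval must be shorter than the pause length, otherwise feature updates become offerable in the gap."
    }
    $start = $FirstPauseStart
    while ($start -le $EndOfService) {
        [pscustomobject]@{
            PauseFeatureUpdatesStartTime = $start.ToString('yyyy-MM-dd')  # value for the GP/CSP date field on that day
            PausedThrough                = $start.AddDays($PauseDays - 1).ToString('yyyy-MM-dd')
        }
        $start = $start.AddDays($ResetEveryDays)
    }
}

# Constructed sample run; 2020-12-31 is a placeholder, take the real end-of-service date
# for your version from the Windows 10 release information page.
Get-DeferredOfferDate -ReleaseDate '2019-11-12' -DeferralDays 365
Get-PauseResetSchedule -FirstPauseStart '2020-06-15' -EndOfService '2020-12-31' | Format-Table
```

Each row's PausedThrough date is the same day as the next row's start date, so the windows overlap by exactly one day; raising the reset interval to 35 would open a one-day gap after every window.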

Ensure patch compliance

The best way to ensure patch compliance is by utilizing compliance deadlines. Compliance deadlines represent a set of policies designed to keep devices secure by ensuring updates are installed within a certain number of days after being offered to the device. Compliance deadlines provide a balance of minimizing end user disruption and achieving update patch compliance goals, keeping end users both protected and productive.

The tables below show how to set the recommended compliance deadline(s) for your current OS version.

For devices on Windows 10, version 1709 or greater:

| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Specify deadlines for automatic updates and restarts: Configure Feature Update Deadline; Configure Quality Update Deadline; Configure Grace Period | Enable this policy. Recommended configuration: feature update deadline 7 days; quality update deadline 3 days; grace period 2 days |
| CSP | Update/ConfigureDeadlineForFeatureUpdates | 7 (days) |
| CSP | Update/ConfigureDeadlineForQualityUpdates | 3 (days) |
| CSP | Update/ConfigureDeadlineGracePeriod | 2 (days) |


For devices on Windows 10, version 1703 or lower (as of this post):

| Type | Policy name | Configure to |
| --- | --- | --- |
| GP | Specify Engaged restart transition and notification schedule for updates: Deadline for quality updates; Snooze Schedule; Transition Schedule | Enable this policy (defaults): deadline 14 days; snooze 3 days; transition 7 days |
| CSP | Update/EngagedRestartDeadline | 14 (days) |
| CSP | Update/EngagedRestartSnoozeSchedule | 3 (days) |
| CSP | Update/EngagedRestartTransitionSchedule | 7 (days) |

For a best-in-class experience, do not set any other Windows Update policies. This ensures a less disruptive end user experience by allowing the device to update automatically outside of active hours, when the end user is away. If the deadline is reached, the device switches to an interactive experience, showing the end user multiple notifications that prompt them to schedule the reboot (or reboot now) before finally forcing a reboot in order to keep the device secure.
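To confirm what a device has actually picked up, here is an added PowerShell check (not code from the original post) that reads the local registry values behind the GP/CSP settings in the tables above, from the dual scan and driver policies through the deferral, target version and compliance deadline policies, and compares them with the recommended configuration. It assumes the documented Group Policy location HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and an elevated session on a Windows 10 device; a value that is absent is reported as not configured.

```powershell
# Added example, not code from the original post. Assumption: policy-backed values live under the
# documented Group Policy path below; an absent value means the policy is not configured.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WUPolicyValue {
    param([string]$Name, [string]$Path = $WU)
    # Returns $null when the key or value does not exist instead of throwing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# One entry per setting from the post: registry value name, recommended value, and a test for it
$checks = @(
    @{ Name = 'DisableDualScan'; Want = 'unconfigured or 0 (allow scans against Windows Update)'
       Test = { param($v) $null -eq $v -or $v -eq 0 } }
    @{ Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Want = 'unconfigured or 0'
       Test = { param($v) $null -eq $v -or $v -eq 0 } }
    @{ Name = 'ExcludeWUDriversInQualityUpdate'; Want = '1 (exclude drivers)'
       Test = { param($v) $v -eq 1 } }
    @{ Name = 'DeferFeatureUpdatesPeriodInDays'; Want = '365 (or a target version instead)'
       Test = { param($v) $v -eq 365 -or (Get-WUPolicyValue 'TargetReleaseVersionInfo') } }
    @{ Name = 'TargetReleaseVersionInfo'; Want = 'version to stay on, e.g. 1809 (or a deferral instead)'
       Test = { param($v) $v -or (Get-WUPolicyValue 'DeferFeatureUpdatesPeriodInDays') } }
    @{ Name = 'ConfigureDeadlineForFeatureUpdates'; Want = '7';  Test = { param($v) $v -eq 7 } }
    @{ Name = 'ConfigureDeadlineForQualityUpdates'; Want = '3';  Test = { param($v) $v -eq 3 } }
    @{ Name = 'ConfigureDeadlineGracePeriod';       Want = '2';  Test = { param($v) $v -eq 2 } }
)

function Test-WUPolicyCompliance {
    foreach ($c in $checks) {
        $v = Get-WUPolicyValue -Name $c.Name
        [pscustomobject]@{
            Policy      = $c.Name
            Current     = $(if ($null -eq $v) { '(not configured)' } else { $v })
            Recommended = $c.Want
            Compliant   = [bool](& $c.Test $v)
        }
    }
}

# A WSUS pointer left in place is expected during the transition; with DisableDualScan at 0 the
# device still scans Windows Update for the deferral-managed update types.
$wsus = Get-WUPolicyValue -Name 'WUServer'
if ($wsus) { Write-Host "WSUS server still configured: $wsus" }

Test-WUPolicyCompliance | Format-Table -AutoSize
```

For settings delivered by MDM rather than Group Policy, pass -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' to Get-WUPolicyValue (an assumption about where the Update CSP surfaces its values); the value names there match the CSP names in the tables.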

Below you can see examples of some of the prompts that end users will see when the recommended deadline policy is configured and other notification policies remain unset. To see the full notification flow, please see Compliance Deadline Notification Flow on Windows Update for Business.

[Screenshot: examples of the end user prompts shown as the deadline approaches]

Questions?

If you have any questions concerning this process, please post them below, or check out these pages for more information:

Last update: Jun 23 2020 09:24 AM