Windows IT Pro Blog

Optimize on-premises monthly update delivery using the cloud

AriaUpdated (Microsoft)
Jun 23, 2020

Did you know you can leverage Windows Update for Business to receive updates securely from Microsoft and reduce VPN traffic regardless of what tool you are using to manage updates today? In this blog, I'll show you which Group Policies (GPs), Configuration Service Provider (CSP) policies, and upcoming Windows Update for Business Deployment Service (DS) controls can be leveraged by management solutions such as Microsoft Endpoint Configuration Manager and mobile device management (MDM) solutions to ensure that Windows 10 devices in your organization are always up to date with the latest security enhancements and Windows features.

As more organizations and their user base shift to remote work scenarios, we are fielding questions on how to optimize delivery of monthly security updates. Now is the time to take advantage of cloud services to keep remote workers protected and productive. Successfully managing security updates delivered directly through the internet empowers IT to optimize the end user experience while protecting corporate assets. If you are an IT administrator, you have a variety of options available to manage Windows 10 monthly security updates, no matter where you are in your update management journey.

In this post, we'll also discuss the controls for managing update offerings that allow for reliability and performance testing on a subset of systems before rolling out updates across the organization. This lets you take advantage of a set of controls and built-in mechanisms, informed by what we have learned from updating millions of devices, to provide a positive update experience for the people in your organization while keeping devices secure.

The next section of this guide will break configuration options into three categories:

  1. Traditional management through Windows Server Update Services (WSUS): How to leverage Group Policy via WSUS standalone, Configuration Manager, or other management tools
  2. Co-management: How to coordinate between Configuration Manager and Microsoft Intune
  3. Modern management: How to use Intune or other MDM settings

Depending on where you are in your management journey, you can use Windows Update for Business to deliver monthly security updates through the cloud and improve both end user productivity and patch compliance. Let's start by looking at how to move devices from pointing at WSUS to pointing at Windows Update using the Windows Update policies.

Start pointing to Windows Update

For those using WSUS including Configuration Manager or WSUS standalone:

If your organization uses a WSUS-connected management tool today, the first step is to point your devices at the Windows Update service rather than at your local server. This guidance assumes your VPN does not restrict client traffic to an allow list of destinations; if it does, see Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager for best practices. If you use a WSUS management tool and are not using a VPN allow list, you can start pointing devices at Windows Update with the Group Policies below (under Computer Configuration > Administrative Templates > Windows Components > Windows Update) or their CSP equivalents.

If you are an IT administrator using Configuration Manager, we recommend that you point to Windows Update by moving your Windows workload to Intune via co-management (see paths to co-management).

To start pointing to Windows Update using Windows Update for Business policies, set the following policies:

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Do not allow update deferral policies to cause scans against Windows Update | Unconfigured or disabled
CSP  | Update/DisableDualScan | 0 (allow)

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Do not connect to any Windows Update Internet locations | Unconfigured or disabled
CSP  | Update/AllowUpdateService | 1 (allow)

Note that while a WSUS server is still configured on the device, leaving these two policies unconfigured is not enough on its own: the client only scans Windows Update for feature and quality updates (dual scan) once at least one Windows Update for Business policy, such as a feature or quality update deferral or pause, is also set. The deferral and pause policies are covered in the sections that follow.

Once you have connected to the Windows Update service, you need to decide which update types you want devices in your organization to be offered: Windows 10 feature updates, quality updates, driver updates, and Microsoft product updates. Having decided, you can use the controls outlined in the next section to ensure that devices are offered the updates you want them to receive, when you want them to receive them.
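To check what a device will actually do once the policies in the two tables above apply, here is a PowerShell audit added as an example; it is not code from the original post. It reads the values that Group Policy writes under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and reports whether the client will scan Windows Update, WSUS, or both (dual scan), plus anything that defeats the cloud-delivery scenario. The function name Get-WufbScanSource and the report layout are my own. MDM-delivered Update CSP values are stored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update rather than under the policy key, so on an Intune-only device point the script there.

```powershell
# Added example, not code from the original post. Run in an elevated session on
# the device under test after a "gpupdate /force". Reads the Group Policy registry
# location only; MDM-delivered Update CSP values live under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update.
function Get-WufbScanSource {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Return a policy value, or $null when the key or the value does not exist
    function Read-Policy([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $wsusServer      = Read-Policy $wu 'WUServer'         # "Specify intranet Microsoft update service location"
    $useWsus         = Read-Policy $au 'UseWUServer'
    $disableDualScan = Read-Policy $wu 'DisableDualScan'  # "Do not allow update deferral policies to cause scans..."
    $noInternet      = Read-Policy $wu 'DoNotConnectToWindowsUpdateInternetLocations'

    # Any of these Windows Update for Business values, together with a configured
    # WSUS server, makes the client scan Windows Update for feature and quality
    # updates (dual scan) unless DisableDualScan is 1.
    $wufbNames = 'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays',
                 'PauseFeatureUpdatesStartTime',    'PauseQualityUpdatesStartTime',
                 'BranchReadinessLevel'
    $wufbSet = @($wufbNames | Where-Object { $null -ne (Read-Policy $wu $_) })

    $wsusConfigured = [bool]$wsusServer -and ($useWsus -eq 1)

    $source = if (-not $wsusConfigured) { 'Windows Update' }
              elseif ($wufbSet.Count -gt 0 -and $disableDualScan -ne 1) {
                  'Dual scan: Windows Update for feature and quality updates, WSUS for other classifications'
              }
              else { 'WSUS' }

    # Conditions that defeat the scenario in this post (monthly updates from the cloud)
    $blockers = @()
    if ($noInternet -eq 1) {
        $blockers += 'DoNotConnectToWindowsUpdateInternetLocations = 1: client will not talk to Windows Update'
    }
    if ($wsusConfigured -and $disableDualScan -eq 1) {
        $blockers += 'DisableDualScan = 1: deferral policies will not cause scans against Windows Update'
    }
    if ($wsusConfigured -and $wufbSet.Count -eq 0) {
        $blockers += 'WSUS configured but no deferral/pause policy set, so dual scan is not triggered'
    }

    [pscustomobject]@{
        WsusServer      = $wsusServer
        UseWUServer     = $useWsus
        DisableDualScan = $disableDualScan
        NoInternet      = $noInternet
        WufbPoliciesSet = $wufbSet -join ', '
        ScanSource      = $source
        Blockers        = $blockers -join '; '
    }
}

Get-WufbScanSource | Format-List
```

If ScanSource reports WSUS where you expected dual scan, the usual cause is the third blocker: no deferral or pause policy is present. A quality update deferral of 0 days (Update/DeferQualityUpdatesPeriodInDays = 0) triggers dual scan without delaying anything.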

Manage offering to get quality updates only

Manage whether drivers are offered

Drivers can help ensure that a device is working at its best, but you may not want to offer them to your devices until you are comfortable using Windows Update for Business to manage your Windows quality updates. To prevent drivers from being offered to devices, consider setting the following:

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Do not include drivers with Windows Updates | Enabled (no drivers)
CSP  | Update/ExcludeWUDriversInQualityUpdate | 1 (exclude)

Manage when feature updates are offered

Semi-annual Windows 10 feature update releases provide new experiences, services and enhancements, but you may not be ready to provide them to devices in your organization. Devices can remain on a Windows 10 feature update version and keep receiving monthly quality updates (bug fixes, reliability improvements and security fixes) for as long as that version is in support. See the Windows 10 release information page for details on supported versions. Depending on which OS version you are using, different settings are available to reach a predictable and consistent end user update experience. The following tables show the setting options by OS version.

For devices on Windows 10, version 1903 or greater:

Devices on Windows 10, version 1903 can use deferrals to remain on version 1903. A device using deferrals updates semi-annually to a feature update that is at least the specified number of deferral days old; the maximum deferral is 365 days. For example, if version 1909 was released on November 12th, 2019, then a 1903 device with a 365 day deferral would update to version 1909 on November 11th, 2020. If you want to remain longer than a deferral allows, or move directly from version 1903 to 2004, see the options listed below for devices on Windows 10, version 1803 or greater.

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Select when Preview builds and feature updates are received, defer feature updates | Enabled, defer feature updates for 365 days. The device receives version 1909 once 1909 is 365 days old, in November 2020.
CSP  | Update/DeferFeatureUpdatesPeriodInDays | 365

For devices on Windows 10, version 1803 or greater:

If you need your devices to remain on their current feature update beyond when deferrals would allow or until the current OS version reaches end of service, then you should specify a specific version for the device to stay on until end of service or until the policy is changed to a newer Windows 10 feature update.

Type | Policy name | Configure to
---- | ----------- | ------------
Windows Update for Business DS | Windows 10 Feature Updates (Preview) | Specify a version (e.g. 1809) to move to and/or stay on until the policy is changed or until end of service
GP   | Select the target Feature Update version | Enabled, with the same version number (e.g. 1809)
CSP  | Update/TargetReleaseVersion | The same version number (e.g. 1809)

Note: The Windows Update for Business Deployment Service controls are currently in preview with Intune and are the recommended path for customers who are using Microsoft Endpoint Manager.




Alternatively, if you only need to delay feature updates temporarily, you can use pause. See the next section for how to configure it.

For devices on Windows 10, version 1709 or below:

Using the feature update pause start date policy, you can reset the pause start date every 34 days to keep feature updates paused for as long as you need, until your current version reaches end of service. Each pause lasts 35 days from its start date, so resetting on day 34 avoids a gap in which a feature update could be offered.

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Select when Preview builds and Feature Updates are received, pause Feature Updates starting | Enter the date from which feature updates are paused for 35 days (e.g. 2020-06-15)
CSP  | Update/PauseFeatureUpdatesStartTime | The same date, as a yyyy-MM-dd string (e.g. 2020-06-15)
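The three feature update controls above (deferral, target version, pause), written out in PowerShell as an added example; this is not code from the original post. It writes the same registry values the Group Policies produce, which makes it useful for checking behaviour on a test device. On domain- or MDM-managed devices those values are owned by Group Policy or the MDM client and are overwritten at the next refresh, so do not treat it as a deployment method. The function names and the sample dates are mine; the deferral arithmetic follows the 1909 example in the text.

```powershell
# Added example, not code from the original post. Run elevated on a test device.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path $wu -Force | Out-Null   # create the policy key if it is absent

# Option 1: deferral (max 365 days). Returns the first day on which a release
# dated $ReleaseDate is at least $Days old, following the post's example
# (1909 released 2019-11-12, 365-day deferral, offered 2020-11-11).
function Set-FeatureUpdateDeferral {
    param([ValidateRange(0, 365)][int]$Days, [datetime]$ReleaseDate)
    Set-ItemProperty -Path $wu -Name 'DeferFeatureUpdates'             -Value 1     -Type DWord
    Set-ItemProperty -Path $wu -Name 'DeferFeatureUpdatesPeriodInDays' -Value $Days -Type DWord
    $ReleaseDate.AddDays($Days)
}

# Option 2: target version (1803 and later). Holds the device on $Version until end
# of service or until the policy changes. ReleaseId is the version the device runs now.
function Set-TargetReleaseVersion {
    param([string]$Version)   # e.g. '1909'
    Set-ItemProperty -Path $wu -Name 'TargetReleaseVersion'     -Value 1        -Type DWord
    Set-ItemProperty -Path $wu -Name 'TargetReleaseVersionInfo' -Value $Version -Type String
    $current = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    if ($current -eq $Version) { "Already on $Version; the device stays put" }
    else                       { "Currently on $current; target is $Version" }
}

# Option 3: pause. Windows pauses feature updates for 35 days from the start date,
# stored as a yyyy-MM-dd string. Re-apply by day 34 so there is no gap.
function Set-FeatureUpdatePause {
    param([datetime]$Start = (Get-Date).Date)
    $stamp = $Start.ToString('yyyy-MM-dd')
    Set-ItemProperty -Path $wu -Name 'PauseFeatureUpdatesStartTime' -Value $stamp -Type String
    [pscustomobject]@{
        PauseStart = $stamp
        PauseEnds  = $Start.AddDays(35).ToString('yyyy-MM-dd')
        ReapplyBy  = $Start.AddDays(34).ToString('yyyy-MM-dd')
    }
}

# Pick the one control you need; the calls below are illustrative (sample dates are constructed).
Set-FeatureUpdateDeferral -Days 365 -ReleaseDate '2019-11-12'
# Set-TargetReleaseVersion -Version '1909'
# Set-FeatureUpdatePause -Start '2020-06-15'
```

For the pause option, the ReapplyBy date is what you would feed to a scheduled task or your management tool to rewrite the start date before the 35-day window closes.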

Ensure patch compliance

The best way to ensure patch compliance is by utilizing compliance deadlines. Compliance deadlines represent a set of policies designed to keep devices secure by ensuring updates are installed within a certain number of days after being offered to the device. Compliance deadlines provide a balance of minimizing end user disruption and achieving update patch compliance goals, keeping end users both protected and productive.

The tables below show how to set the recommended compliance deadline(s) for your current OS version.

For devices on Windows 10, version 1709 or greater:

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Specify deadlines for automatic updates and restarts (Configure Feature Update Deadline, Configure Quality Update Deadline, Configure Grace Period) | Enabled. Recommended configuration: feature update deadline 7 days, quality update deadline 3 days, grace period 2 days
CSP  | Update/ConfigureDeadlineForFeatureUpdates, Update/ConfigureDeadlineForQualityUpdates, Update/ConfigureDeadlineGracePeriod | 7, 3 and 2 respectively

For devices on Windows 10, version 1703 or lower (as of this post):

Type | Policy name | Configure to
---- | ----------- | ------------
GP   | Specify Engaged restart transition and notification schedule for updates (Deadline for quality updates, Snooze Schedule, Transition Schedule) | Enabled, with the defaults: deadline 14 days, snooze 3 days, transition 7 days
CSP  | Update/EngagedRestartDeadline, Update/EngagedRestartSnoozeSchedule, Update/EngagedRestartTransitionSchedule | 14, 3 and 7 respectively

For a best-in-class experience, do not set any other Windows Update policies. This gives a less disruptive end user experience by letting the device update automatically outside of active hours, when the end user is away. If the deadline is reached, the device switches to an interactive experience with multiple notifications prompting the end user to schedule the restart (or restart now), before finally forcing a restart to keep the device secure.

Below are examples of some of the prompts end users see when the recommended deadline policy is configured and other notification policies remain unset. For the full notification flow, see Compliance Deadline Notification Flow on Windows Update for Business.
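Putting the deadline guidance into practice, as an added PowerShell example (not code from the original post): apply the recommended 7/3/2 values for version 1709 and later as the registry values behind "Specify deadlines for automatic updates and restarts", list other Windows Update policies that would alter the experience, and work out when the forced restart lands for a device that installed late. The function names, the list of policies checked and the sample dates are my own assumptions, and the registry writes are for a test device, since Group Policy or MDM overwrites them on managed devices.

```powershell
# Added example, not code from the original post. Run elevated on a test device.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# Apply the post's recommended deadlines (feature 7 / quality 3 / grace 2) as the
# registry values behind "Specify deadlines for automatic updates and restarts".
function Set-ComplianceDeadline {
    param(
        [ValidateRange(0, 30)][int]$FeatureDays = 7,
        [ValidateRange(0, 30)][int]$QualityDays = 3,
        [ValidateRange(0, 7)] [int]$GraceDays   = 2
    )
    New-Item -Path $wu -Force | Out-Null
    Set-ItemProperty -Path $wu -Name 'SetComplianceDeadline'              -Value 1            -Type DWord
    Set-ItemProperty -Path $wu -Name 'ConfigureDeadlineForFeatureUpdates' -Value $FeatureDays -Type DWord
    Set-ItemProperty -Path $wu -Name 'ConfigureDeadlineForQualityUpdates' -Value $QualityDays -Type DWord
    Set-ItemProperty -Path $wu -Name 'ConfigureDeadlineGracePeriod'       -Value $GraceDays   -Type DWord
    Set-ItemProperty -Path $wu -Name 'ConfigureDeadlineNoAutoReboot'      -Value 0            -Type DWord  # keep the forced restart
}

# The post says to leave every other Windows Update policy unset. These are the
# values I check for most often (my own list, not exhaustive).
function Get-ConflictingUpdatePolicies {
    $watch = @{
        $au = @('NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime',
                'NoAutoRebootWithLoggedOnUsers', 'AlwaysAutoRebootAtScheduledTime')
        $wu = @('SetEngagedRestartTransitionSchedule', 'SetAutoRestartDeadline')
    }
    foreach ($path in $watch.Keys) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $watch[$path]) {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Path = $path; Name = $name; Value = $props.$name }
            }
        }
    }
}

# When does the forced restart happen? The deadline counts from when the update was
# offered; the grace period counts from when installation finished and only extends
# the date when the device installed at or after the deadline (e.g. it was powered off).
function Get-ForcedRestartDate {
    param([datetime]$Offered, [datetime]$Installed, [int]$DeadlineDays, [int]$GraceDays)
    $byDeadline = $Offered.AddDays($DeadlineDays)
    $byGrace    = $Installed.AddDays($GraceDays)
    if ($byGrace -gt $byDeadline) { $byGrace } else { $byDeadline }
}

Set-ComplianceDeadline
Get-ConflictingUpdatePolicies | Format-Table -AutoSize

# Constructed sample: quality update offered on Patch Tuesday, laptop was off and
# only installed it four days later, so the 2-day grace period governs the restart.
Get-ForcedRestartDate -Offered '2020-06-09' -Installed '2020-06-13' -DeadlineDays 3 -GraceDays 2
```

Anything Get-ConflictingUpdatePolicies returns is a setting worth removing before judging the end user experience, because it changes when and how the restart prompts appear.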

Questions?

If you have any questions concerning this process, please post them below, or check out these pages for more information:

 

Updated Jun 23, 2020
Version 4.0
  • Bishop Brown (Copper Contributor)

    I'm eager to learn more about this as well. Are there more posts coming? You mention explaining co-management and modern management, but I don't understand those from this post, so I hope there's more. 

  • Thank you for sharing such valuable content.

    Managing Windows Update deployment is very critical, especially the timing, to make sure it won't interrupt users while it is being done smoothly.

  • @AriaUpdated Hi. Please help me understand the meaning of "optimize" here, because neither of the things you explain seems optimum to me.

    • In the traditional scenario, we deploy one WSUS per site. One WSUS connects to Microsoft and receives all updates once, then as many as infinite number of devices can install it. The Internet bandwidth consumed is equal to number of updates received. Speed of delivery is equal to the speed of the local network.
    • In your recommendation, all devices on the site use the Internet connection. Bandwidth consumed: [Number of devices] × [Number of updates]. Speed of delivery is equal to either the speed of the local network or the speed of the Internet, whichever is slower. (Usually, it is the Internet.)

    In neither of the two cases is VPN traffic incurred, and the first one is orders of magnitude superior to the second one.

    But... you call the second one "optimum". What's your logic here?

  • Thank you The_Smart_One for asking about optimization. As you have correctly pointed out in your question, VPN traffic speeds may be higher or lower than Internet traffic. Depending on network configuration, your assertion that VPN is faster may be true. What I did not detail in the article is the extensive work Microsoft has done on the infrastructure supporting Internet delivery of updates to clients (PCs). Over the past 5 years, Microsoft has rearchitected our Windows Update Services and the Servicing stack within the OS to be able to deliver the minimum package needed for the device/machine. That, in addition to a global network of CDNs for that Service, results in internet latency to client devices being largely minimized. We often see VPN network architectures have significant round trip latency when remote workers have a nearby Microsoft CDN for the Windows Update Service much closer. While I won't go into all of the ways Windows has optimized delivery, I can tell you that we see considerable benefit to internet-direct connections to the Windows Update Service for remote workers that far outweighs going through corporate VPN services. Perhaps, to your question, we should call these out in more detail to better clarify the optimizations that connecting to the cloud presents. Again, thank you for your question/feedback! 🙂

  • Bishop Brown thank you for your feedback. I will make note that there is interest in us clarifying co-management and modern management in future posts. 🙂

  • "As you have correctly pointed out in your question, VPN traffic speeds may be higher or lower than Internet traffic. Depending on network configuration, your assertion that VPN is faster may be true."

    I certainly pointed out no such thing. I was very careful to stay away from this sore spot. I restricted myself to two scenarios: Internet to end-user, and Internet to WSUS.

    "What I did not detail in the article is the extensive work Microsoft has done on the infrastructure supporting Internet delivery of updates to clients (PC's). Over the past 5 years, Microsoft has rearchitected our Windows Update Services and the Servicing stack within the OS to be able to deliver the minimum package needed for the device/machine."

    And I am sure this "extensive work" represents millions (or even billions) of dollars of expenditure in both implementation and monthly maintenance. (If I were one of the members of Microsoft's board, I'd ask: Why? What justifies this extravagant expenditure?) Still, it does not justify our migration from the Internet-to-WSUS scenario to the Internet-to-end-user scenario. This migration multiplies that bandwidth cost by a factor of one hundred (the number of devices). What benefit do I get that justifies this extravagance?

  • noormdm (Copper Contributor)

    Hi. How can I manage WUfB for the devices which are using on-premises internet connections? We do not want on-premises devices to go to the internet to download the updates.

    And how can we manage the devices connected over VPN, which ideally still use the on-premises internet? What's the best solution to avoid usage of on-premises internet? Please advise.

  • @noormdm Hi. You use WUfB only when you want to use the Internet connection. When you don't want to use the Internet connection, you deploy Windows Server Update Services (WSUS), and then you tell WUfB not to check for updates while updates are coming from WSUS. (No dual scan.)

    Deploying WSUS needs its own articles. But to disable WUfB after you have deployed either of the former, you have to enable the following group policy:

    • Do not allow update deferral policies to cause scans against Windows Update

    This policy's name is misleading. You need to set it even though you haven't set any deferral policies. Its name should have been "Do not allow scans against Windows Update."