Managing Windows 10 updates for a remote work world

Microsoft

During a global public health crisis in which working remotely has become the new normal, managing the Windows 10 operating system helps ensure remote users stay safe, secure, and productive. One of the most important issues is how best to configure a management approach for Windows 10 updates that will protect endpoints without adversely impacting device performance or user productivity.

Here, we will focus on options for delivering feature and quality updates to remote worker endpoints, how to configure those endpoints to receive updates you designate as important, and how to maintain a desired level of control—all while minimizing infrastructure impact.

Update types

To help ensure device compliance and user productivity, Microsoft sends different types of updates including:

  • Quality updates. These monthly updates include bug fixes and security enhancements. Because quality updates are cumulative and don’t require a complete reinstallation, the packages are smaller, and they download and install quickly.
  • Feature updates. These twice-yearly updates include new features and significant enhancements to the Windows operating system. Feature updates are essentially a new version of Windows 10, and as such they require a complete reinstallation. While they are larger in size than quality updates, the only files downloaded are those necessary to complete the update, so staying current with updates has advantages.
  • Device driver updates. These small pieces of software are the updates made to the device drivers by original equipment manufacturer (OEM) vendors. Microsoft Update is used as a channel for distributing these updates.
  • Microsoft Defender definition updates. These updates include current threat information for Microsoft Defender.

To support remote worker scenarios, we recommend that remote endpoints obtain approved updates via the internet. In such cases, split-tunnel VPN can help reduce traffic.

For delivery of Windows 10 updates, there are three primary mechanisms to consider: Windows Update, Windows Update for Business, and Microsoft Endpoint Configuration Manager. Each mechanism has different benefits and limitations that you will need to assess to make the best selection for your specific scenarios. We will look at each of these mechanisms in more detail, but the basic comparison in the table below provides our starting point.

Update mechanism                          | IT pro control | Update delivery
------------------------------------------|----------------|---------------------
Windows Update                            | Low            | Internet
Windows Update for Business               | Medium         | Internet
Microsoft Endpoint Configuration Manager  | High           | On premises/Internet

Windows Update

Windows Update is a Microsoft service for Windows operating systems that automates the download and installation of updates over the internet. Windows Update provides update files for the Windows operating system, device drivers, and other products such as Microsoft Defender. While Windows Update is primarily used for feature and quality updates for consumer devices, given its effectiveness and global scale, many enterprise customers use Windows Update as the update mechanism for their devices. For the remote worker scenario, it’s the most cost-effective option. However, it provides the least management control for IT pros.

Windows Update configuration scenarios for remote devices

To allow end users to update the endpoint using Windows Update policy through the Computer Configuration\Policies\Administrative Templates\Windows Update pathway, select either Not Configured (default setting) or Disabled under “Do not connect to any Windows Update Internet locations.”

Policy configuration options for “Do not connect to any Windows Update internet locations”

Quality updates

There are several control options in Windows Update for quality updates. Options on the Windows Update agent include checking for quality updates, pausing them, setting active hours, viewing update history, and advanced options, as shown below.

Windows Update Settings page

After selecting Check for updates, the status of update downloads and installation is shown on the Windows Update agent.

Status of updates as shown on the Windows Update Settings page

When you select Pause updates, update installation is paused for seven days by default. It is also possible to change the timeframe for the pause by selecting Advanced options and entering the necessary information.

How paused updates appear on the Windows Update Settings page

To avoid possible disruption caused by updates, you can set active hours for devices. Windows can also determine active hours automatically based on activity.

Setting active hours for update installation through Windows Update Settings

Under Advanced options, there are additional settings related to update delivery. Along with pause timing mentioned above, advanced options include preferences for receiving updates for other Microsoft products, using metered connections such as 3G or LTE for downloading updates, and defining restart actions and notifications to complete updates.

Advanced options for Windows Update settings

Feature updates

Windows Update provides limited control over twice-yearly feature updates. Each endpoint should be configured to be in the Semi-Annual Channel by the end user. However, for Windows Update to be the active mechanism for updates, there should not be a policy or configuration in place for deferral branch, days, or pausing updates.

If these policies are configured, devices are considered to be using Windows Update for Business, which we will discuss more in the next section.

Update deferral can be configured from Advanced options by designating the number of days a feature update is deferred, as shown below.

Update deferral options in Windows Update settings

Windows Update for Business

Windows Update for Business is the same Windows Update service described above but with one key differentiator: devices are managed and configured through centralized policies. This gives the IT pro more granular management capabilities, including deferral of feature updates for up to 365 days. Based on direct customer feedback, Microsoft continues to invest in new capabilities and features to make Windows Update for Business an enterprise-friendly solution from a granular management perspective.

Windows Update for Business can be configured using several different options. Among them are Active Directory Group Policy Objects, Microsoft Intune, and Microsoft Endpoint Configuration Manager.

Windows Update for Business configuration scenarios for remote devices

Group Policy Objects

IT pros can manage Windows Update for Business using Group Policy Objects in Active Directory. Windows Update for Business policy objects are found through the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business pathway.

Locating Windows Update for Business policies in the Group Policy Management Editor

Different policies are used to defer quality updates and feature updates.

The “Select when Preview Builds and Feature Updates are received” policy defines the update channel and deferral period for preview builds and feature updates, as shown below.

“Select when preview builds and feature updates are received” policy options

Similarly, the “Select when Quality Updates are received” policy is used to determine options for when quality updates will be received.

“Select when Quality Updates are received” policy options
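The post states above that a device with any deferral, branch or pause policy set is treated as a Windows Update for Business device rather than a plain Windows Update device, and that the Group Policy settings just described control those deferrals. The following PowerShell audit is an added example, not part of the original post: it reads the policy registry location that these Group Policy settings write to (HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) and reports which mechanism is effectively in force on the endpoint. It assumes an elevated session on the endpoint; the value names are the standard Windows Update policy registry values.

```powershell
# Added example (not from the original post): audit an endpoint's Windows Update
# policy state and classify it as Windows Update or Windows Update for Business,
# using the rule in the post (any deferral, branch or pause policy means WUfB).
# Assumes the standard policy registry path that Group Policy writes to.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicyValue {
    param([string]$Name)
    # Returns $null when the policy is Not Configured (the value is absent)
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $Name) {
        return $props.$Name
    }
    return $null
}

# Policies whose presence switches a device from Windows Update to WUfB
$wufbPolicies = @(
    'BranchReadinessLevel',
    'DeferFeatureUpdates',
    'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates',
    'DeferQualityUpdatesPeriodInDays',
    'PauseFeatureUpdatesStartTime',
    'PauseQualityUpdatesStartTime'
)

$configured = @{}
foreach ($name in $wufbPolicies) {
    $value = Get-WuPolicyValue -Name $name
    if ($null -ne $value) { $configured[$name] = $value }
}

# If internet locations are blocked, neither mechanism can reach Microsoft's
# update servers, which defeats the remote worker scenario described in the post.
$noInternet = Get-WuPolicyValue -Name 'DoNotConnectToWindowsUpdateInternetLocations'
if ($noInternet -eq 1) {
    Write-Warning 'Policy "Do not connect to any Windows Update Internet locations" is Enabled; this device will not receive updates over the internet.'
}

if ($configured.Count -eq 0) {
    Write-Output 'Effective mechanism: Windows Update (no deferral, branch or pause policy is set).'
} else {
    Write-Output 'Effective mechanism: Windows Update for Business. Configured policies:'
    $configured.GetEnumerator() | Sort-Object Name | ForEach-Object {
        Write-Output ('  {0} = {1}' -f $_.Key, $_.Value)
    }
    # Feature update deferral cannot exceed the 365-day maximum noted in the post
    $featureDays = $configured['DeferFeatureUpdatesPeriodInDays']
    if ($null -ne $featureDays -and $featureDays -gt 365) {
        Write-Warning "DeferFeatureUpdatesPeriodInDays = $featureDays exceeds the 365-day maximum and will not take effect as written."
    }
}
```

Run it on a sample of remote endpoints (for example through a remote PowerShell session) to confirm that the policies you deployed via Group Policy, Intune or Configuration Manager actually landed before relying on them.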

Windows Insider Program for Business

Companies can also manage enrollment in the Windows Insider Program through the “Manage preview builds” policy.

Managing preview builds and opt-ins to the Windows Insider Program

Microsoft Endpoint Configuration Manager

Configuration Manager is another option for creating and deploying Windows Update for Business policies. Under Software Library\Overview, you’ll find the Windows 10 Servicing node, where servicing plans and updates for Windows 10 can be managed. The Windows Update for Business Policies console is also located in this node.

Windows Update for Business policies in Microsoft Endpoint Configuration Manager

You can create new Windows Update for Business policies by using the task in the ribbon or via the Software Library tree by locating Windows Update for Business Policies and right-clicking to select “Create Windows Update for Business Policy Wizard.”

In the wizard, your first step is to specify a name and description for the policy.

Specifying general information for Windows Update for Business policy in the wizard

You can then set deferral policies for feature updates and quality updates. You can also opt to install updates for other Microsoft products and whether to include drivers with Windows Update.

Configuring Windows Update for Business deferral policies in the wizard

After you create policies for Windows Update for Business, they can be deployed to the collections within the Configuration Manager environment just like any other policy.

Deploying Windows Update for Business policies in the Configuration Manager environment

While deploying the update, the endpoint will be configured during maintenance windows unless you select “Allow remediation outside the maintenance window” in the Deploy Windows Update for Business Policy wizard.

Selecting remediation options for deploying policies in the Windows Update for Business Policy wizard

The deployed policy is listed in the Configurations tab of the Configuration Manager client agent. The device will be evaluated and remediated according to the deployment configuration for the policy.

Configuration Manager Properties Configurations tab after the Windows Update for Business policy has been evaluated and determined compliant

Microsoft Intune

Windows Update for Business also can be managed through Microsoft Intune without any on-premises infrastructure components. Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Intune integrates with Microsoft Azure Active Directory, and it can be used as a stand-alone cloud service or for co-management with Configuration Manager.

You can configure updates and create Windows 10 update deployment rings through the Software updates node in the Microsoft Intune dashboard. In Intune, creating update rings is a four-step process. In Step 1: Basics, you will name the ring and provide a description.

Naming Windows 10 update rings in Intune

After naming the ring, you will move to Step 2: Update ring settings, where you will configure the servicing channel, whether to include updates for other products and drivers, and, importantly, deferral settings for quality and feature updates.

Configuring Windows 10 update ring settings in Intune

You can also manage the user experience by defining active hours, restart checks, the ability to pause updates, and automatic update behavior settings.

Configuring additional Windows 10 update ring settings in Intune

After the update ring settings are configured, you will move to Step 3: Assignments, where you assign the ring to a group of devices. In Step 4, you will review and apply the update ring settings you have created.

Assigning Windows 10 update rings to device groups in Intune

When users review Windows Update settings from a managed device, they will see clear indication that some settings are managed by the organization. Users can also view policies for optional and required updates.

Viewing Windows Update settings configured via Intune on the client

When users select View configured update policies from the Windows Update settings screen, they can review details for the update policies that are applied to the mobile device.

View of screen with Windows Update policies configured by administrator

As shown in the list above, some of the many policies administrators can define for Windows Update for Business include “Branch readiness level,” “Quality update deferral period,” and “Feature update deferral period.”

Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager provides the greatest control and flexibility over servicing Windows. Administrators can approve which updates are distributed, which set of devices they should be distributed to, and when these updates should be deployed.

It is possible to extend the Microsoft Endpoint Configuration Manager environment to support remote worker scenarios using granular controls through cloud services such as Cloud Attached Management and Co-Management.

Microsoft Endpoint Configuration Manager cloud services management scenarios

Let’s dig deeper into the different options and components for Configuration Manager and cloud services management scenarios.

Cloud management gateway and cloud distribution points

The cloud management gateway (CMG) and cloud distribution points (CDPs) extend Configuration Manager capabilities for internet-based devices. To learn more, see Plan for the cloud management gateway in Configuration Manager.

When managing remote machines, it is important to configure a split-tunnel VPN and Configuration Manager. For more information, see Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager.

A CMG can be managed through the Administration\Overview\Cloud Services path in the Configuration Manager dashboard.

Cloud Management Gateway settings in Configuration Manager

You will find the list of content files for internet-based distribution points and endpoints in Properties, under the Content tab.

List of content files for CMG under the Content tab

A CMG is listed as a regular distribution point (DP) in the Configuration Manager hierarchy. IT pros can use a CMG and CDPs to deploy apps and other content to remote endpoints just as they would deploy content to on-premises clients using on-premises DPs.

List of distribution points in a hybrid Configuration Manager environment

Although a CMG does not block copying of update content, deployment of updates through a CMG is not recommended. Instead, internet-based clients get their updates from the Microsoft Update cloud service, as documented here.

A CMG and CDPs can also be used to execute task sequences in remote endpoints.

List of available distribution points in Configuration Manager

Content is distributed to CDPs and task sequences are deployed to a collection of remote devices just as they are for on-premises managed clients.

How content appears in Software Center

Co-management

When co-management is enabled in Configuration Manager, you can manage workloads for an endpoint by configuring different authorities. Co-management is located through the Administration\Overview\Cloud Services pathway in Configuration Manager.

The Co-management dashboard in Configuration Manager

You will designate policies and configuration settings in the Workload tab for co-management properties. For example, in the screenshot below you can see that Windows Update policies are managed by Configuration Manager, so IT needs to review, approve, and distribute the updates to the distribution points in the Endpoint Manager hierarchy. IT can shift management of these policies to Intune by using the slider.

View of Workload tab for co-management properties

Summary

During these extraordinary times in which many organizations have embraced digital transformation in order to position themselves with modern and cloud management, Microsoft is dedicated to helping businesses of all sizes succeed. The global pandemic has forced many organizations to embrace new solutions and endpoint management approaches in order to keep remote workers safe, secure, and productive while maintaining compliance with company policies. Microsoft will continue to evolve endpoint management solutions to address challenges IT pros experience, simplify processes, and ensure success.

Additional resources

For more details on how Windows Update works with different types of updates, see Get started with Windows Update.

For more information on split-tunnel VPN, see how to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure.

You can check your network configuration using the Office 365 Network Onboarding tool to validate split tunnel configuration.

To learn more about Windows Update for Business, visit What is Windows Update for Business?

For more about optimizing Windows Update, see Optimize Windows monthly update deployment for remote devices.

For more information on deploying Windows 10 remotely, see Deploying a new version of Windows 10 in a remote world.


For more on managing quality updates and Patch Tuesday, visit Managing Patch Tuesday with Configuration Manager in a remote work world.

1 Reply

@AtilGurcan 

Easiest and most friendly update is signature updates for Windows Defender.

Then quality updates are good and okay.

Feature updates are a bit challenging.

Third-party drivers are the most challenging; normally the ones in Windows Update are reliable, but sometimes we need to deploy drivers manually from the manufacturer's website.


Thank you for sharing this article.