Walkthrough: Use Group Policy to configure Windows Update for Business

Applies to

  • Windows 10
  • Windows 11

Looking for consumer information? See Windows Update: FAQ

Overview

You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See Prepare servicing strategy for Windows client updates for more information.

An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path Computer Configuration > Administrative Templates > Windows Components > Windows Update.

To manage updates with Windows Update for Business as described in this article, you should prepare with these steps, if you haven't already:

  • Create Active Directory security groups that align with the deployment rings you use to stage deployment of updates.
  • Allow access to the Windows Update service.
  • Download and install ADMX templates appropriate to your Windows 10 version. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows and Step-By-Step: Managing Windows 10 with Administrative templates.

Set up Windows Update for Business

In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy.

Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:

Set up a ring

  1. Start Group Policy Management Console (gpmc.msc).

  2. Expand Forest > Domains > <your domain>.

  3. Right-click <your domain> and select Create a GPO in this domain and link it here.

  4. In the New GPO dialog box, enter Windows Update for Business - Group 1 as the name of the new Group Policy Object.

  5. Right-click the "Windows Update for Business - Group 1" object, and then select Edit.

  6. In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. You are now ready to start assigning policies to this ring (group) of devices.

Manage Windows Update offerings

You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.

Determine which updates you want offered to your devices

Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.

To enable Microsoft Updates, use the Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Install updates for other Microsoft products.

Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates and enable the policy.

We also recommend that you allow Microsoft product updates as discussed previously.

Set when devices receive feature and quality updates

I want to receive pre-release versions of the next feature update

  1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.

  2. Use Group Policy Management Console to go to: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds and set the policy to Enable preview builds for any test devices on which you want to install pre-release builds.

  3. Use Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are received. In the Options pane, use the pulldown menu to select one of the preview builds. We recommend Windows Insider Program Slow for commercial customers using pre-release builds for validation.

  4. Select OK.

I want to manage which released feature update my devices receive

A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.

  • To defer or pause a feature update: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are Received
  • Defer or pause a quality update: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received

Example

In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of 10 days.

illustration of devices divided into three rings.

When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.

Five days later

The devices in the fast ring are offered the quality update the next time they scan for updates.

illustration of devices with fast ring deployed.

Ten days later

Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.

illustration of devices with slow ring deployed.

If no issues occur, all of the devices that scan for updates will be offered the quality update within 10 days of its release, in three waves.
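The ring setup and the three deferral values from this example can also be scripted with the GroupPolicy module. This is an added example, not part of the original walkthrough: the domain name and the security group names are hypothetical, and the registry value names are the ones that back the Select when Quality Updates are Received policy.

```powershell
#Requires -Modules GroupPolicy
# Added example: one GPO per quality-update ring (0 / 5 / 10 day deferral).
# Assumptions: the domain DN and the groups WUfB-Pilot, WUfB-Fast and WUfB-Slow
# are hypothetical; the groups must already exist and contain computer accounts,
# because these are Computer Configuration settings.

$DomainDn = 'DC=corp,DC=example,DC=com'
$WuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

$Rings = @(
    @{ Name = 'Pilot'; Group = 'WUfB-Pilot'; DeferDays = 0  }
    @{ Name = 'Fast';  Group = 'WUfB-Fast';  DeferDays = 5  }
    @{ Name = 'Slow';  Group = 'WUfB-Slow';  DeferDays = 10 }
)

foreach ($ring in $Rings) {
    # Quality updates can be deferred for at most 30 days.
    if ($ring.DeferDays -lt 0 -or $ring.DeferDays -gt 30) {
        throw "Ring $($ring.Name): deferral must be between 0 and 30 days."
    }

    $gpoName = "Windows Update for Business - $($ring.Name)"

    # Steps 1-4 of the walkthrough: create the GPO and link it to the domain.
    $null = New-GPO -Name $gpoName -Comment "Quality update deferral: $($ring.DeferDays) days"
    $null = New-GPLink -Name $gpoName -Target $DomainDn

    # Enable quality update deferral and set the number of days.
    $null = Set-GPRegistryValue -Name $gpoName -Key $WuKey `
        -ValueName 'DeferQualityUpdates' -Type DWord -Value 1
    $null = Set-GPRegistryValue -Name $gpoName -Key $WuKey `
        -ValueName 'DeferQualityUpdatesPeriodInDays' -Type DWord -Value $ring.DeferDays

    # Security filtering: only the ring's group applies the GPO.
    # Authenticated Users keeps read access so the GPO can still be processed.
    $null = Set-GPPermission -Name $gpoName -TargetName $ring.Group `
        -TargetType Group -PermissionLevel GpoApply
    $null = Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace
}
```

Run it from a device with the Remote Server Administration Tools or from a domain controller, using an account that is allowed to create and link GPOs.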

What if a problem occurs with the update?

In this example, some problem is discovered during the deployment of the update to the "pilot" ring.

illustration of devices divided with pilot ring experiencing a problem.

At this point, the IT administrator can set a policy to pause the update. In this case, the admin selects the Pause quality updates check box.

illustration of rings with pause quality update check box selected.

Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the next quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.

I want to stay on a specific version

If you need a device to stay on a version beyond the point when deferrals on the next version would expire or if you need to skip a version, use the Select the target feature update version setting instead of using the Specify when Preview Builds and feature updates are received setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.

When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.

Manage how users experience updates

I want to manage when devices download, install, and restart after updates

We recommend that you allow devices to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.

For more granular control, you can set the maximum period of active hours the user can set with Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart.

It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours.

To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Auto download and schedule the install. You can customize this setting to accommodate the time that you want the update to be installed for your devices.

When you set these policies, installation happens automatically at the specified time and the device will restart 15 minutes after installation is complete (unless it's interrupted by the user).

I want to keep devices secure and compliant with update deadlines

We recommend that you use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.

This policy also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.

These notifications are what the user sees depending on the settings you choose:

When Specify deadlines for automatic updates and restarts is set (For Windows 10, version 1709 and later):

  • While restart is pending, before the deadline occurs:

    • For the first few days, the user receives a toast notification

    • After this period, the user receives this dialog:

      The notification users get for an impending restart prior to deadline.

    • If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:

      The notification users get for an impending restart 15 minutes prior to restart.

  • If the restart is still pending after the deadline passes:

    • Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:

      The notification users get for an approaching restart deadline.

    • Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:

      The notification users get for an imminent restart after the deadline.

I want to manage the notifications a user sees

There are additional settings that affect the notifications.

We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications with these values:

  • 0 (default) – Use the default Windows Update notifications
  • 1 – Turn off all notifications, excluding restart warnings
  • 2 – Turn off all notifications, including restart warnings

Note

Option 2 creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.

Still more options are available in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.

I want to manage the update settings a user can access

Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by using Search to find Windows Updates or by selecting Updates and Security in Settings. We provide the ability to disable a variety of these controls that are accessible to users.

Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to "Pause updates". When you disable this setting, users will see Some settings are managed by your organization and the update pause settings are greyed out.

If you use Windows Server Update Services (WSUS), you can prevent users from scanning Windows Update. To do this, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features.
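To confirm on a device that the settings from this walkthrough actually arrived and stay within the limits stated above, you can read back the policy registry key. This is an added example, not part of the original walkthrough: the function name is hypothetical, the sample hashtable is constructed, and the value names are the registry values that back the Windows Update for Business policies.

```powershell
# Added example: audit the Windows Update for Business policy values on a device.
function Get-WufbFinding {
    param([Parameter(Mandatory)][hashtable]$Policy)

    # Deferral limits stated in this article: 365 days (feature), 30 days (quality).
    $limits = @{
        DeferFeatureUpdatesPeriodInDays = 365
        DeferQualityUpdatesPeriodInDays = 30
    }
    foreach ($name in $limits.Keys) {
        if ($Policy.ContainsKey($name)) {
            $days = [int]$Policy[$name]
            if ($days -lt 0 -or $days -gt $limits[$name]) {
                "$name=$days is outside the allowed range 0..$($limits[$name])"
            }
        }
    }

    # With a target version set, feature update deferrals are not in effect.
    if ($Policy['TargetReleaseVersion'] -eq 1) {
        if (-not $Policy['TargetReleaseVersionInfo']) {
            'Target version policy is enabled but no version is specified'
        }
        if ($Policy['DeferFeatureUpdates'] -eq 1) {
            'Target version is set, so the feature update deferral is not in effect'
        }
    }

    if ($Policy['ExcludeWUDriversInQualityUpdate'] -eq 1) {
        'Driver updates are excluded; drivers must be managed manually'
    }
    if ($Policy['SetDisablePauseUXAccess'] -ne 1) {
        'Users can still pause updates from the Windows Update settings page'
    }
}

# Live check: read every value under the policy key, if the key exists.
$Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = @{}
if (Test-Path $Key) {
    $item = Get-Item $Key
    foreach ($n in $item.GetValueNames()) { $policy[$n] = $item.GetValue($n) }
}
Get-WufbFinding -Policy $policy

# Constructed sample: an out-of-range quality deferral plus a target version conflict.
Get-WufbFinding -Policy @{
    DeferQualityUpdatesPeriodInDays = 45
    DeferFeatureUpdates = 1; TargetReleaseVersion = 1; TargetReleaseVersionInfo = '21H2'
}
```

Run `gpupdate /force` first if the GPO was just changed, so the key reflects the current policy.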