How to use Windows Update for Business with Group Policy
When organizations need to manage Windows updates, Windows Update for Business can provide all the control they need. And IT should consider Group Policy to manage it.
Windows administrators recognize the importance of keeping Windows clients and services current with the latest security, performance and feature updates. However, controlling the exact cadence of different types of updates is just as critical.
Standalone clients offer minimal control because they're meant to be convenient and easy for users. Even Windows Server Update Services (WSUS) does not always offer the administrative efficiency IT teams need.
This is where IT teams can turn to Windows Update for Business -- also known as WUfB -- and Group Policy to see how Microsoft has modernized its approach to updates.
3 approaches to manage Windows updates
Microsoft's infrastructure for providing updates is effective, but control on the client end can be a bit thin. Administrators have three primary methods to manage Windows updates.
Per-client updates. This is the standard update configuration for standalone devices or unmanaged enterprise clients. This approach offers no real control or configuration. However, it also requires very little administrative effort.
Windows Server Update Services. WSUS has been the enterprise standard for centralized update management in business environments since the release of WSUS 2.0 in 2005. It offers extensive control of updates, including approving, blocking and staging deployments. However, WSUS requires significantly more administrative effort. It does have the advantage of a single download process to save bandwidth, and controlling downstream update servers at branch offices is also handy.
Windows Update for Business. WUfB combines the two approaches into a cloud-based model. Each client device maintains a direct connection to Microsoft for downloading updates, but administrators retain control over when those updates are offered by using standard management channels: Group Policy for domain-joined devices, or a Mobile Device Management (MDM) service such as Intune, which applies the same settings through the Windows Update configuration service provider (CSP).
There are third-party tools for managing Windows updates, but keeping tool sets within the Microsoft ecosystem has many compatibility, licensing and simplicity advantages.
Windows Update for Business features and benefits
Windows Update for Business offers simplified update management using familiar configuration service providers. It enables a cloud-integrated update approach that offers various advantages over the older WSUS model, such as the following:
Policy-based update management for Windows and Microsoft applications.
Granular control of update deployments.
No on-premises WSUS server to deploy, configure and maintain.
Ensures devices are current.
Note that this approach reverses the advertised advantages of WSUS upon its release. WSUS was said to reduce bandwidth use by using a single download action between the WSUS server and Microsoft. Then it enabled clients to pull updates across the LAN rather than initiating multiple internet downloads. Microsoft now emphasizes reducing administrative effort by reducing the reliance on dedicated WSUS servers for client devices. Group Policy will instruct these systems to download updates from Microsoft directly without maintaining a WSUS server for clients. The bandwidth concern has not disappeared, but it is addressed differently: Delivery Optimization lets WUfB clients share downloaded update content with peers on the same network, so each update still crosses the internet link only a few times rather than once per device.
Windows Update for Business prerequisites
Begin by ensuring the environment contains the supported clients. This shouldn't be a problem for most enterprise networks, but it's best to confirm everything ahead of time.
Operating system requirements:
Windows 10/11 Pro, Enterprise, Education or Team editions. Home editions are not supported.
Device enrollment requirements:
Devices must be Azure AD-joined (Microsoft Entra ID) or Hybrid Azure AD-joined to use Intune update rings and Windows Update for Business reports. The Group Policy deferral settings themselves apply to any domain-joined client that receives its updates from Windows Update.
Enrolled in Intune MDM, if Intune rather than Group Policy will deliver the settings.
Licensing requirements:
Microsoft 365 Business Premium.
Microsoft Enterprise Mobility + Security (EMS).
Intune.
In addition, client devices need network and internet access to receive policies and download updates. Administrators will need the appropriate administrative privileges to configure Group Policy or manage Intune. Finally, if you want Windows Update for Business reports, create a Log Analytics workspace in Azure Monitor and allow clients to send the diagnostic data the reports depend on; without that telemetry the reports stay empty. Azure Monitor is the central data collection and analysis tool for the rest of the Microsoft ecosystem as well, so the same workspace can serve on-premises and Azure systems.
Microsoft intends WUfB for client management. Windows Server editions are not supported, so plan to manage updates for those platforms using other mechanisms, such as the following:
Windows Server Update Services.
Azure Update Manager, the successor to Azure Automation Update Management, which Microsoft has retired.
Group Policy update management settings, such as Configure Automatic Updates and the scheduled install options.
Group Policy templates for Windows Update for Business
Most administrators will probably manage Windows updates using Group Policy. Group Policy is a straightforward and reliable way to manage Windows configurations. Make sure to download and install the latest Group Policy Administrative Templates (ADMX files) for Windows 11 and Windows 10; the Windows Update settings live in WindowsUpdate.admx and its language file. Most Active Directory environments use a shared Central Store for these templates, so place them in that location -- \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions -- rather than in the local %SystemRoot%\PolicyDefinitions folder of whichever workstation runs the Group Policy Management Console.
Grouping systems into servicing rings allows IT to control update deployments. Common servicing ring choices include the following:
Testing ring. Immediate update deployment for testing.
Pilot ring. Delayed update deployment for real-world testing.
Rollout ring. Approved update deployment for all devices.
Each ring has independent policies and schedules for phased rollouts.
IT can create the equivalent rings in Intune from the Microsoft Intune admin center. Browse to Devices > Update rings for Windows 10 and later, and then select Create profile. Customize the settings, such as deferral periods, and assign device groups to each ring.
Configure Windows Update for Business settings
With the most current Group Policy settings in place using the Administrative Templates, it's time to begin configuring client devices. Decide whether you will use a single Group Policy Object (GPO) for all clients in the domain or more department-specific GPOs for various Organizational Units (OUs). It's typically a good idea to create GPOs that represent the deployment or servicing rings you need, such as Test, Pilot and Rollout. Link these GPOs to the appropriate OUs to manage the deployment schedule.
Begin by creating a new GPO. Link this GPO to the appropriate domain or OU object to apply the settings.
Open the Group Policy Management Console.
Right-click the Group Policy Objects node and create a new Group Policy Object that can manage updates for the domain or OU (Figure 1).
Figure 1. Create Group Policy Objects to manage rollout options, such as test, pilot and rollout policies.
Navigate to the Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Windows Update for Business node (Figure 2). In the newer Windows 11 templates, the same settings sit under Windows Update > Manage updates offered from Windows Update.
Figure 2. The interface to customize the GPO settings to manage updates.
Configure all policies. For example, "Select when Preview Builds and Feature Updates are received," and "Select when Quality Updates are received" (Figure 3).
Administrators can defer feature updates for the OS for up to 365 days. Quality updates -- the monthly cumulative updates that carry the security patches -- can be deferred up to 30 days, so keep that ring's deferral short; every day of deferral is a day of exposure to patched vulnerabilities. Admins can pause updates or modify deferral options at any point. IT might also control restart policies and define active hours for updates. One caveat when migrating from WSUS: if a GPO that still points clients at a WSUS server also applies these deferral settings, clients can start scanning Windows Update directly and bypass WSUS approvals (known as dual scan). Either remove the WSUS server policy or enable "Do not allow update deferral policies to cause scans against Windows Update" until the migration is complete.
Figure 3. The Windows Update for Business management options for Preview Builds and Feature Updates.
Ensure that the Group Policy Object is linked to the appropriate domain or OU. Don't forget to wait for the client devices to apply the policies, which normally happens within 90 to 120 minutes. Use gpupdate /force on a client to apply policy immediately, then verify the result with gpresult /r /scope:computer, which lists the GPOs the computer actually applied. The effective values are written under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is the quickest place to confirm the deferral periods a device ended up with.
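The following PowerShell script is an added example, not code from the original article or from Microsoft. It performs the procedure above for the three servicing rings described earlier: it creates one GPO per ring, writes the same registry-backed settings that the "Select when Preview Builds and Feature Updates are received" and "Select when Quality Updates are received" policies set, links each GPO to that ring's OU, and includes a client-side check to read back the effective policy. The OU distinguished names, domain name, GPO names and deferral periods are hypothetical placeholders; it requires the GroupPolicy module from RSAT and rights to create and link GPOs.

```powershell
# Added example: one WUfB GPO per servicing ring, linked to the ring's OU.
# All OU paths, the domain name and the deferral values below are hypothetical
# placeholders; adjust them to your environment before running.
Import-Module GroupPolicy

# Registry keys that the WindowsUpdate.admx template writes to.
$WuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function New-WufbRingGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,       # e.g. "WUfB - Pilot"
        [Parameter(Mandatory)] [string] $TargetOU,   # distinguished name of the ring's OU
        [ValidateRange(0, 365)] [int] $FeatureDeferDays = 0,   # policy maximum is 365
        [ValidateRange(0, 30)]  [int] $QualityDeferDays = 0,   # policy maximum is 30
        [switch] $DisableDualScan                     # keep clients on WSUS during migration
    )

    # Idempotent: reuse the GPO if it already exists.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # "Select when Preview Builds and Feature Updates are received".
    # BranchReadinessLevel 16 = General Availability channel (no preview builds).
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferFeatureUpdates' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferFeatureUpdatesPeriodInDays' -Type DWord -Value $FeatureDeferDays | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'BranchReadinessLevel' -Type DWord -Value 16 | Out-Null

    # "Select when Quality Updates are received" (monthly security updates).
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferQualityUpdates' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferQualityUpdatesPeriodInDays' -Type DWord -Value $QualityDeferDays | Out-Null

    # "Turn off auto-restart for updates during active hours": 08:00 to 18:00.
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'SetActiveHours' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'ActiveHoursStart' -Type DWord -Value 8 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'ActiveHoursEnd' -Type DWord -Value 18 | Out-Null

    # "Configure Automatic Updates": 4 = auto download and schedule the install.
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'AUOptions' -Type DWord -Value 4 | Out-Null

    # "Do not allow update deferral policies to cause scans against Windows Update".
    # Only needed while a WSUS server policy still applies to the same clients.
    if ($DisableDualScan) {
        Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DisableDualScan' -Type DWord -Value 1 | Out-Null
    }

    # Link the GPO to the ring's OU unless it is already linked there.
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Hypothetical ring layout: short deferrals for Test, longer for Rollout.
$Domain = 'DC=corp,DC=example,DC=com'
$Rings = @(
    @{ Name = 'WUfB - Test';    OU = "OU=Test,OU=Workstations,$Domain";    Feature = 0;   Quality = 0 }
    @{ Name = 'WUfB - Pilot';   OU = "OU=Pilot,OU=Workstations,$Domain";   Feature = 30;  Quality = 7 }
    @{ Name = 'WUfB - Rollout'; OU = "OU=Rollout,OU=Workstations,$Domain"; Feature = 120; Quality = 14 }
)
foreach ($r in $Rings) {
    New-WufbRingGpo -Name $r.Name -TargetOU $r.OU `
        -FeatureDeferDays $r.Feature -QualityDeferDays $r.Quality -DisableDualScan | Out-Null
}

# Client-side check: run on a workstation after "gpupdate /force" to read the
# effective ring settings back from the policy registry key.
function Get-WufbEffectivePolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
    [pscustomobject]@{
        FeatureDeferDays = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferDays = $p.DeferQualityUpdatesPeriodInDays
        ReadinessLevel   = $p.BranchReadinessLevel     # 16 = General Availability
        WsusServer       = $p.WUServer                  # non-empty means WSUS policy still applies
        DualScanDisabled = ($p.DisableDualScan -eq 1)
        FeaturePauseFrom = $p.PauseFeatureUpdatesStartTime
        QualityPauseFrom = $p.PauseQualityUpdatesStartTime
    }
}
Get-WufbEffectivePolicy
```

Run the first part from a machine with the GroupPolicy module and rights on the domain, and the Get-WufbEffectivePolicy function on a client in each ring. If WsusServer comes back non-empty on a device you expected to be on WUfB, a WSUS GPO is still linked somewhere in that device's OU chain; gpresult /r /scope:computer will name it.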
IT can also manage updates using Microsoft Intune MDM. This approach provides more effective management of Windows-based mobile devices.
Remember, Active Directory Group Policy cannot manage updates for non-domain-joined devices. It also does not effectively manage non-Windows devices that might still be running Microsoft applications. IT departments need to find a different approach to managing these systems.
Manage Windows Update for Business reporting
Administrators can access the WUfB reports to check the status of updates. Use these reports to troubleshoot devices that do not receive the expected updates. These reports might be crucial for security audits and incident response, so be sure to configure them ahead of time when using the Azure Portal. Azure takes up to 24 hours to generate the initial reports.
Access the reports in the Azure Portal, where they are presented as Azure Monitor workbooks on top of the Log Analytics workspace; open the workspace itself to run your own queries against the update compliance and device data.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.