This much-needed feature, which arrived in November's Windows 10 version 1511 upgrade, allows IT pros to set update policies for an organization. Using settings not available on consumer Windows editions, they can defer and delay updates and upgrades until they've been proven safe and reliable.
With the help of Windows Update for Business (a layer of configuration options that controls the free Windows Update service), a network manager can organize Windows 10 devices into "rings." These devices use the same Windows Update infrastructure that the rest of the world uses. The difference is that each ring can delay receiving Patch Tuesday updates for up to four weeks and defer major version upgrades by up to eight months.
It's all done using new Windows Group Policy settings, which can be enforced using Active Directory to ensure that every machine on the domain is updated. The good news is that you can use those same settings on your own unmanaged PC, with no domain required.
Windows Update for Business requires a PC or device that supports Group Policy, which means you need Windows 10 Pro, Enterprise, or Education. The device also needs to be configured for the Current Branch for Business. Neither option is available for PCs running Windows 10 Home, where all updates are automatic.
Because these settings are so new, it's literally impossible for outsiders to test them, so all we can go on is the documentation at TechNet, which is only a few days old.
(And a side note: Most of the articles I've seen on this topic so far have been based on an abbreviated how-to post by a Microsoft field engineer. You really should RTFM for anything this important.)
Read the Windows Update for Business technical overview first.
Next, dive into the Setup and deployment instructions.
Finally, review the section on Integration with management solutions to confirm whether any of its content applies to your device. In particular, any system that receives updates from Windows Server Update Services (WSUS) will ignore the Windows Update for Business settings.
To manually configure the system for the Current Branch for Business, open Settings, then Update & Security, and then Advanced Options. Click the Defer Upgrades check box.
That box enables the more granular settings. (In an enterprise deployment, you're more likely to do this with Group Policy or with Mobile Device Management software.)
Next, open the Local Group Policy Editor, gpedit.msc. (If that instruction is confusing, you should stop right now. Seriously.)
Navigate through the Local Computer Policy tree in the left pane: Computer Configuration, Administrative Templates, Windows Components. Scroll through the Windows Components list until you get to Windows Update.
In the list of policy settings on the right, look for Defer Upgrades and Updates, as shown here.
Double-click that item to open a dialog box where you can define policies for the current PC. I've added numbers to explain the four options available here.
1. For your update and upgrade schedules to be honored, you have to change this policy setting to Enabled. Set it to Disabled (or back to Not Configured) to restore default Windows 10 update settings.
2. The Current Branch for Business can be several months behind the Current Branch, which is released to consumers and small businesses via Windows Update. (Sometimes, as with version 1511, the releases are simultaneous.) You can delay the upgrade by up to eight months, in increments of one month, using the option here.
3. The Updates category includes security updates, drivers, and non-security updates that are rated Critical. Using Group Policy you can defer the installation of updates up to four weeks, in one-week increments, from the time when those updates are first made available on Windows Update.
So, for example, you might decide that you'll set the delay to one or two weeks and then watch carefully for the week after Patch Tuesday. If there are no problems, your updates install after the general public has tested them for you. Setting the "Delay updates" value to four weeks effectively puts you a month behind the general population.
4. If you want to avoid installing updates beyond your delayed installation date, you can open the Local Group Policy Editor and click the check box to Pause upgrades and updates. That effectively blocks all updates or upgrades; the machine will remain paused until you specifically clear the Pause check box (or reverse the associated policy). You can't delay forever, though; after 35 days, updates automatically resume installing.
Note that definition updates for Microsoft's security programs cannot be deferred. (If you install a non-Microsoft security program, its update controls take over and Microsoft's definitions are not downloaded.)
Ironically, one option available only in Enterprise and Education editions causes these settings to be completely ignored. If Allow Telemetry is set to 0 (that is, set to the lowest possible level), then Windows Update for Business settings (Defer upgrades, Defer updates, and Pause Updates and Upgrades) have no effect.
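The rules above, modeled as an added Python example (not part of the original article or of Microsoft's tooling): it flags ring configurations whose deferral settings would be invalid or ignored, and computes when each ring first receives a Patch Tuesday release. The Ring class, its field names and the sample rings are constructed for illustration, and treating any flagged ring as having no delay is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SUPPORTED = {"Pro", "Enterprise", "Education"}  # editions with Group Policy, per the article

@dataclass
class Ring:                     # hypothetical model of one deployment ring
    name: str
    edition: str
    defer_enabled: bool         # "Defer Upgrades and Updates" policy set to Enabled
    upgrade_months: int = 0     # valid range 0-8, one-month steps
    update_weeks: int = 0       # valid range 0-4, one-week steps
    uses_wsus: bool = False     # device receives updates from WSUS
    allow_telemetry: int = 1    # 0 is the lowest level (Enterprise/Education only)

def problems(r):
    """Reasons the ring's deferral settings would be invalid or ignored."""
    out = []
    if r.edition not in SUPPORTED:
        out.append("edition has no Group Policy support")
    if not r.defer_enabled:
        out.append("policy not Enabled; default update behaviour applies")
    if not 0 <= r.upgrade_months <= 8:
        out.append("upgrade deferral outside 0-8 months")
    if not 0 <= r.update_weeks <= 4:
        out.append("update deferral outside 0-4 weeks")
    if r.uses_wsus:
        out.append("WSUS client ignores Windows Update for Business settings")
    if r.allow_telemetry == 0:
        out.append("Allow Telemetry = 0 disables defer and pause settings")
    return out

def patch_tuesday(year, month):
    """Second Tuesday of the month (Monday is weekday 0, Tuesday is 1)."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)

def earliest_install(r, released):
    """Date the ring starts installing an update first offered on `released`."""
    delay = r.update_weeks if not problems(r) else 0  # assumption: flagged ring gets no delay
    return released + timedelta(weeks=delay)

# Constructed sample rings, not taken from the article.
RINGS = [
    Ring("pilot", "Pro", True, upgrade_months=0, update_weeks=1),
    Ring("broad", "Enterprise", True, upgrade_months=4, update_weeks=4),
    Ring("locked-down", "Enterprise", True, update_weeks=4, allow_telemetry=0),
    Ring("kiosk", "Home", True, update_weeks=2),
]

if __name__ == "__main__":
    released = patch_tuesday(2015, 12)
    for r in RINGS:
        print(r.name, earliest_install(r, released), problems(r) or "ok")
```

The "locked-down" ring shows the failure mode worth auditing for: a four-week delay is configured, but the telemetry setting means the machines patch on release day with everyone else.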