safety commit

jaimeo 2019-06-06 14:45:52 -07:00
parent ba7fd4ccbd
commit 032127383c
7 changed files with 124 additions and 85 deletions

Binary file not shown. Size: 81 KiB

Binary file not shown. Size: 54 KiB

Binary file not shown. Size: 53 KiB

Binary file not shown. Size: 73 KiB

Binary file not shown. Size: 59 KiB


@ -6,9 +6,9 @@ description: Windows Update for Business lets you manage when devices received u
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
author: jaimeo
ms.localizationpriority: medium
ms.author: greglin
ms.author: jaimeo
ms.topic: article
---
@ -31,19 +31,19 @@ Windows Update for Business enables IT administrators to keep the Windows 10 dev
Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization.
>[!NOTE] In order to use Windows Update for Business, you must allow access to the Windows Update service.
>[!NOTE]
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
> To use Windows Update for Business, you must allow devices to access the Windows Update service.
## Update types managed by Windows Update for Business
## Types of updates managed by Windows Update for Business
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
- **Feature updates:** previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
- **Quality updates:** these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and can configure devices to receive or not receive such updates along with their Windows updates.
- **Driver updates:** these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
- **Microsoft product updates**: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.
Windows Update for Business provides management policies for multiple types of updates to Windows 10 devices:
- **Feature updates:** previously referred to as *upgrades*, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
- **Quality updates:** these are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows updates are known as "Microsoft updates" and devices can be configured to receive or not receive such updates along with their Windows updates.
- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off via Windows Update for Business policies.
- **Microsoft product updates:** these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled via Windows Update for Business policy.
## Offering
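Review bot: The rewritten bullet list is inconsistent in sentence case. The new "**Driver updates:** These are non-Microsoft drivers" bullet capitalizes the first word after the label, while the Feature, Quality and Microsoft product bullets keep lowercase ("previously referred to", "these are"). Pick one form for all four. While this list is open: the Quality updates bullet still says quality updates "include security, critical, and driver updates", yet driver updates are listed as their own type one bullet later and get their own on/off policy, so a reader cannot tell whether a quality-update deferral also holds back drivers. A sentence stating which policy governs drivers would remove the ambiguity.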
@ -51,89 +51,45 @@ You can control when updates are applied, for example by deferring when an updat
### Manage which updates are offered
Windows Update for Business, offers you the ability to turn on or off both driver and Microsoft product updates.
Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
- Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
- Microsoft product updates (on/off): When "on" this policy will install udpates for other Microsoft products.
- Drivers (on/off)
- Microsoft product updates (on/off)
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
#### Defer an update
#### Defer or pause an update
A Windows Update for Business administrator can defer both feature and quality updates from deploying to client devices within a bounded range of time from when those updates are first made available on the Windows Update service. This deferral allows you time to validate deployments as they are pushed to client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not take a feature update that has been released for less than 365 days).
A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy.
| Category | Maximum deferral |
| --- | ----- |
| Feature updates | 365 days |
| Quality updates | 30 days |
| Non-deferrable | No deferral |
|Category |Maximum deferral |
|---------|---------|
|Feature updates | 365 days |
|Quality updates | 30 days |
|Non-deferrable | none |
#### Pause an update
If you discover a problem while deploying a feature or quality Update, an IT Administrator has the ability to pause the update for **35 days** to prevent other devices from taking the problematic update until the issue is mitigated. If feature updates are paused, quality updates will still be offered to devices to ensure they stay in a secure state. The pause period for both feature and quality updates is calculated from the set start date. For more details, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated.
#### Select branch readiness level for feature updates
If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
The branch readiness level enables administrators to specify which channel of feature updates they would like to receive. Today there are branch readiness level options for both pre-release and released updates:
To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb#pause-feature-updates.md) and [Pause quality updates](waas-configure-wufb#pause-quality-updates.md).
### Select branch readiness level for feature updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
- Windows Insider Program for Business pre-release updates
- Windows Insider Fast
- Windows Insider Slow
- Windows Insider Release Preview
- The Semi-Annual Channel, released updates
Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel (Targeted) and Semi-Annual Channel. Deferral days are calculated against the release date of the chosen channel (either a releases Semi-Annual Channel (Targeted) release date or the releases Semi-Annual Channel release date). Starting with Windows 10, version 1903 there is only one release channel, the Semi-Annual Channel. All deferral days are calculated against a releases Semi-Annual Channel release date. To see release dates go to the [Windows Release Information Page](https://docs.microsoft.com/windows/release-information/).
## Experience
### Manage end-user update controls
When certain policies such as deferral policies, branch readiness level options, or turning on or off Microsoft product updates are set by an IT Administrator the corresponding settings in the **Update Settings Advanced Options** user interface on a managed end-users device will be greyed out.
Additionally, there is a policy that enables IT Administrators to remove the end-user option to set pauses, by greying it out in the **Update Settings Advanced Options** user interface. When an IT administrator has set policy on a device, there will be an asterisk with red text in the end-users interface stating that some settings are managed by their organization.
### Manage update experience (scan, download, install, restart controls)
#### Scan controls
The "Automatic Updates detection frequency" policy allows you to set the frequency of scans for automatic update detection. This policy allows the admin to specify the hours that Windows will use to determine how long to wait before checking for available updates. If no value is set or the policy is not configured, Windows will check for available updates at the default interval of 22 hours.
#### Download and install controls
##### Metered network control
This policy enables devices to automatically download updates, even over metered data connections (charges may apply).
##### Notification controls
This policy allows administrators to set the display options for update notifications. There are three options: the default operating system Windows Update notifications, disable all notifications excluding restart notifications, and disable all notifications including restart notifications.
We have two policies related to the “Install Updates and Shut Down” option that enable the IT Administrator to either fully remove this option from the Shut Down Windows dialog box or to remove “Install Updates and Shut Down” option as the default selection in the Windows dialog box.
##### Automatic Update notification controls
The "configure automatic updates policy" enables administrators to specify whether devices will receive security updates and other important downloads through the Windows Automatic Updating service. This policy also enables the ability to schedule when installation occurs.
Additionally, there is the ability to specify whether automatic updates should automatically install certain updates that neither interrupt Windows services nor restart windows. There is also the ability to allow non-administrators to receive update notifications based off of the configure automatic updates policy discussed above.
##### Scheduling
As an administrator, you can enable Windows to automatically wake up systems to install scheduled updates.
#### Restart controls
##### Restart controls for if schedule install has been utilized {not sure I understand what this is trying to say?}
The administrator can re-prompt for restart with scheduled installations. Specify the amount of time for Automatic Updates to wait before prompting again with a schedule restart; the default is 10 minutes. Additionally, administrators can delay restart for scheduled installations or specify that to complete a scheduled installation. Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
##### Auto-restart and deadline for auto-restart
There are a variety of policies that enable control over the restart experience of end users. When these policies are not configured, the user's active hours will be in effect. This enables the IT admin to turn off auto-restart for updates during active hours, set the maximum active hours range for auto-restarts, always automatically restart at the schedule time instead of notifying for two or more days prior, specify deadline before the device tries to auto-restart outside of active hours (this deadline can be set to varying days for feature and quality updates with a default at 7 days), and configure auto-restart reminder notifications or turn them off completely.
##### Engaged restart and deadline for engaged restart
The engaged restart policy allows the administrator to control the timing before transitioning from an auto-restart scheduled outside of active hours to engaged restart, which requires the user to schedule the restart. You can schedule the transition (the time before transitioning from auto to engaged), the snooze (how many days the user can snooze a restart reminder), and deadline (the deadline before a pending restart will automatically be executed outside of active hours).
- Semi-annual Channel for released updates
Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a releases Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
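Review bot: The two links in the new pause paragraph put the fragment before the file extension, "waas-configure-wufb#pause-feature-updates.md" and "waas-configure-wufb#pause-quality-updates.md". The other version of the same sentence in this hunk uses "waas-configure-wufb.md#pause-feature-updates", which is the form that resolves; please restore the ".md#anchor" order. Two smaller points: "a releases Semi-annual Channel release date" is missing the possessive ("a release's"), and the channel name is spelled "Semi-Annual" in one set of lines and "Semi-annual" in the other, so settle on one. The hunk header goes from 89 lines to 45, and the whole "## Experience" section (scan, notification, restart and deadline controls) appears only once here, which suggests it is being dropped from this article. If that content is moving to another topic, say so in the commit message or add a pointer, since restart deadlines are what actually force a pending security update to complete.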

View File

@ -4,7 +4,7 @@ description: Configure Windows Update for Business settings using Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lomayor
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.topic: article
@ -232,3 +232,86 @@ The following article describes the known challenges that can occur when you man
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
------------------------
o manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already:
- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
- Allow access to the Windows Update service.
- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/).
## Set up Windows Update for Business
In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information.
Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:
### Configure a ring
1. Start Group Policy Management Console (gpmc.msc).
2. Expand **Forest > Domains > <your domain>**.
3. Right-click <your domain> and select **Create a GPI in this domain and link it here**.
4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object.
5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
## Offering
You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
### Manage which updates are offered
Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates**
- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products**
We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on.
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
#### Defer or pause an update
A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
#### Example
In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
![illustration of devices divided into three rings](images/waas-wufb-3-rings.png)
When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png)
##### Ten days later
Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png)
If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
##### What if a problem occurs with the update?
In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png)
At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png)
Now all devices are paused from updating for 35 days. When the the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
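Review bot: This block is appended after the related-topics links behind a "------------------------" rule and its first line starts with "o manage updates" (dropped "T"), so it reads as draft text parked at the end of the file; it also adds a second "## Offering" tree that duplicates headings from the overview article. Move it above the related links or into its own topic before merging. In the "Configure a ring" steps, step 3 says "Create a GPI in this domain and link it here" where the console text is about a GPO (step 4 names the dialog "New GPO"), step 5 opens bold with ** and closes it with a straight quote, and the bare <your domain> in steps 2 and 3 will be treated as an HTML tag by the Markdown renderer unless escaped or written as a placeholder in italics. Remaining typos: "allow drivers to updated", "defer features updates", "When the the pause". On content, the last paragraph says that pausing halts "all devices" for 35 days and that they then receive the next quality update; since quality updates carry security fixes, the example should state that devices stay on the previous patch level for the duration of the pause.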