Merged PR 9383: New WUfB onboarding group policies article

Written by Thomas Trombley.
This commit is contained in:
Liza Poggemeyer 2018-06-27 00:09:20 +00:00
parent 70437eda50
commit 27c9ecbc95
14 changed files with 327 additions and 0 deletions

@ -223,6 +223,12 @@
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) ### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) ### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
#### [Onboard to Windows Update for Business](update/wufb-onboard.md)
##### [Windows Update for Business basics](update/wufb-basics.md)
##### [Setting up automatic update](update/wufb-autoupdate.md)
##### [Managing feature and quality updates](update/wufb-manageupdate.md)
##### [Enforcing compliance deadlines](update/wufb-compliancedeadlines.md)
##### [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](update/wufb-managedrivers.md)
#### [Configure Windows Update for Business](update/waas-configure-wufb.md) #### [Configure Windows Update for Business](update/waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md) #### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md) #### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
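Review bot: The last added entry, "Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization", misspells "Optimization" and names the feature "Download Optimization", while the title of the target article added in this same commit reads "Managing drivers, dual-managed environments, and Delivery Optimization with group policies". Suggest making the TOC text match the article title. The same link text is repeated in the list in wufb-onboard.md, so both should be fixed together.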

Binary file not shown.

@ -0,0 +1,34 @@
---
title: Setting up Automatic Update in Windows Update for Business (Windows 10)
description: Learn how to get started using Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lizap
ms.localizationpriority: medium
ms.author: elizapo
ms.date: 06/20/2018
---
# Set up Automatic Update in Windows Update for Business with group policies
>Applies to: Windows 10
Use the Automatic Update group policies to manage the interaction between Windows Update and clients.
Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation.
|Policy|Description |
|-|-|
|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.|
|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
|Do not connect to any Windows Update Internet locations <br>Required for Dual Scan|Prevents access to Windows Update.|
## Suggested configuration
|Policy|Location|Suggested configuration|
|-|-|-|
|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| State: Enabled <br>**Configure Automatic Updating**: 4 Automatic Update and Schedule the Install <br>**Install during maintenance window**: "check box"<br>**Schedule Install day**: 0 Everyday<br>**Schedule Install time**: 11:00 <br>**Install Week**: Every Week <br>**Select checkbox**: Install updates for other Microsoft products |
|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled <br>**Check for updates on the following interval (hours)**: 22|
|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled |
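Review bot: In the policy overview table, the row "Do not connect to any Windows Update Internet locations <br>Required for Dual Scan" is described only as "Prevents access to Windows Update.", and the suggested configuration then sets it to "State: Disabled". Read together, "Required for Dual Scan" looks like an instruction to enable a policy that blocks Windows Update. Suggest stating in the description which state is required and why, so an administrator does not enable it and cut devices off from updates. "Specify Intranet Microsoft Update Service Location" is also listed in the overview but has no row in the suggested configuration; either add one or point to wufb-managedrivers.md, where it is configured. Two smaller points: "Schedule Install time: 11:00" does not say whether this is a 24-hour value, and the paragraphs and tables have no blank lines between them, so they may not render as separate blocks.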

@ -0,0 +1,26 @@
---
title: Configure the Basic group policy for Windows Update for Business
description: Learn how to get started using the Basic GPO in Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lizap
ms.localizationpriority: medium
ms.author: elizapo
ms.date: 06/20/2018
---
# Configure the Basic group policy for Windows Update for Business
For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution.
|Policy name|Description |
|-|-|
|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.|
|Configure Commercial ID|This policy allows you to join the device to an entity.|
## Suggested configuration
|Policy|Location|Suggested configuration|
|-|-|-|
|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled <br>**Option**: 1-Basic|
|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled <br>**Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics|
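Review bot: The description for "Configure Commercial ID" in the policy table ("This policy allows you to join the device to an entity.") does not say what the entity is, even though the introduction already defines the commercial ID as "a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution". Suggest reusing that wording in the table. The "Allow Telemetry" description likewise does not mention that the policy sets the diagnostic data level, which is what the suggested configuration ("1-Basic") and the introduction are about. This article is also the only new one without the ">Applies to: Windows 10" line, and its title lacks the "(Windows 10)" suffix the others carry.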

@ -0,0 +1,97 @@
---
title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
description: Learn how to enforce compliance deadlines using Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lizap
ms.localizationpriority: medium
ms.author: elizapo
ms.date: 06/20/2018
---
# Enforcing compliance deadlines for updates
>Applies to: Windows 10
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from:
- [Deadline only](#deadline-only)
- [Deadline with user engagement](#deadline-with-user-engagement)
## Deadline Only
This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option.
### End User Experience
Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device.
>[!NOTE]
>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update).
### Policy overview
|Policy|Description |
|-|-|
|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. It specifies a deadline, in days, to enforce compliance (such as imminent install).|
|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.|
### Suggested Configuration
|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance |
|-|-|-|-|-|
|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled <br>**Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled <br>**Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled <br>**Specify the number of days before pending restart will automatically be executed outside of active hours**: 4
### Controlling notification experience for deadline
|Policy| Location|Suggested Configuration |
|-|-|-|
|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled <br>**Reminder** (hours): 2<br>**Warning** (minutes): 60 |
### Notification experience for deadline
Notification users get for a quality update deadline:
![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png)
Notification users get for a feature update deadline:
![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png)
## Deadline with user engagement
This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active.
### End user experience
Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time.
### Policy overview
|Policy| Description |
|-|-|
|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time|
|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. They will have the option to confirm or dismiss the notification|
### Suggested configuration
|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance |
|-|-|-|-|-|
|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled<br>**Transition** (Days): 2<br>**Snooze** (Days): 2<br>**Deadline** (Days): 3|State: Enabled<br>**Transition** (Days): 2<br>**Snooze** (Days): 2<br>**Deadline** (Days): 4|State: Enabled<br>**Transition** (Days): 2<br>**Snooze** (Days): 2<br>**Deadline** (Days): 5|
### Controlling notification experience for engaged deadline
|Policy| Location |Suggested Configuration
|-|-|-|
|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled <br>**Method**: 2- User|
### Notification experience for engaged deadlines
Notification users get for quality update engaged deadline:
![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png)
Notification users get for a quality update deadline:
![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png)
Notification users get for a feature update engaged deadline:
![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png)
Notification users get for a feature update deadline:
![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png)
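Review bot: In the "Deadline Only" suggested configuration, the columns headed "3 Day Compliance", "5 Day Compliance" and "7 Day Compliance" carry the values 2, 3 and 4 days, and in the engaged-restart table the same columns carry Deadline values 3, 4 and 5. Nothing in the text explains how these settings add up to the 3, 5 or 7 days in the headers, so a reader cannot tell which value actually yields the compliance window they need. Suggest adding a sentence that shows how each total is reached, or correcting the values if they are wrong. The "Deadline Only" row and the header row of the engaged notification table are also missing their trailing pipe. The alt text "The notification users get for an impending feature update deadline" is used for both images/wufb-feature-notification.png and images/wufb-feature-update-deadline-notification.png; confirm both files exist and are meant to differ.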

@ -0,0 +1,65 @@
---
title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business
description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lizap
ms.localizationpriority: medium
ms.author: elizapo
ms.date: 06/21/2018
---
# Managing drivers, dual-managed environments, and Delivery Optimization with group policies
>Applies to: Windows 10
Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization.
## Managing drivers
Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update.
### Policy overview
|Policy| Description |
|-|-|
|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.|
### Suggested configuration
|Policy| Location|Suggested configuration |
|-|-|-|
|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled |
## Dual-managed environment
You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment.
|Policy| Description |
|-|-|
|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.|
### Suggested configuration
|Policy| Location|Suggested configuration |
|-|-|-|
|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled <br>**Set the Intranet Update service for detecting updates**: <br>**Set the Intranet statistics server**: <br>**Set the alternate download server**: |
## Download Optimization - Managing your bandwidth
[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set.
|Policy| Description |
|-|-|
|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2|
|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching. <br>Choose a size that meets your environment's constraints.|
|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. |
|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.|
### Suggested configuration
|Policy| Location| Suggested configuration |
|-|-|-|
|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled <br>**Download Mode**: Group (2)|
|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled <br>**Minimum Peer caching content file size (in MB)**: 10 MB|
|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled <br>**Minimum battery level (Percentage)**: 60|
|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled <br>**Max Cache Age (in seconds)**: 604800 ~ 7 days|
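Review bot: In the dual-managed suggested configuration, the three settings "Set the Intranet Update service for detecting updates", "Set the Intranet statistics server" and "Set the alternate download server" are left empty, so the row suggests State: Enabled with no values. Suggest a labelled placeholder for each (for example, the URL of your WSUS server) and a note on which of the three are optional. This section also does not mention the "Do not connect to any Windows Update Internet locations" policy that wufb-autoupdate.md marks as "Required for Dual Scan"; a cross-reference would help. In the last section, the heading says "Download Optimization" while the body and the article title say "Delivery Optimization", and "can benefit CSE" uses an acronym that is never defined.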

@ -0,0 +1,54 @@
---
title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10)
description: Learn how to get started using Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lizap
ms.localizationpriority: medium
ms.author: elizapo
ms.date: 06/20/2018
---
# Manage feature and quality updates with group policies
>Applies to: Windows 10
Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md).
The following policies let you configure when you want a device to see a feature and or quality update from Windows Update.
## Policy overview
|Policy name| Description |
|-|-|
|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. |
|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. |
|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.|
## Suggested configuration for a non-wave deployment
If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration:
|Policy| Location|Suggested configuration |
|-|-|-|
|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled <br>**Defer receiving it for this many days**: 0<br>**Pause Quality Updates**: Blank <br>*Note: use this functionality to prevent the device from receiving a quality update until the time passes|
|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled <br>**Select Windows Readiness Level**: SAC<br>**Defer receiving for this many days**: 0-365<br>**Pause Feature Updates**: Blank <br>*Note: use this functionality to prevent the device from receiving a feature update until the time passes|
|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled|
## Suggested configuration for a wave deployment
![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png)
## Early validation and testing
Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings).
|Policy|Location|Suggested configuration |
|-|-|-|
|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled <br>**Select Windows Readiness Level**: WIP Fast or WIP slow<br>**Defer receiving for this many days**: 0<br>**Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.|
|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled <br>**Defer receiving it for this many days**: 0 <br>**Pause Quality Updates**: Blank <br>*Note: use this functionality to prevent the device from receiving a quality update until the time passes|
## Wave deployment for feature updates
If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows.
|Policy|Location|Suggested configuration |
|-|-|-|
|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled <br>**Select Windows Readiness Level**: SAC<br>**Defer receiving for this many days**: 0, 30, 60, 90, 120 <br>**Pause Feature Updates**: Blank <br>*Note: use this functionality to prevent the device from receiving a feature update until the time passes
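Review bot: In the non-wave table, the feature update row gives "Defer receiving for this many days: 0-365", which is a range rather than a suggested value, unlike the quality update row, which gives 0. Suggest a concrete number or a sentence on how to choose one. In the wave section, the text describes critical devices as "deferrals > 30 or 60 days" and low-risk devices as "deferrals < 30 days", while the table offers 0, 30, 60, 90, 120; it would help to say which ring gets which value. The "Suggested configuration for a wave deployment" heading contains only an image and is followed by sibling "##" headings that look like they should be its subsections. Each "*Note:" has an unmatched asterisk that may render as stray emphasis, the final table row is missing its closing pipe, and the front-matter description is the generic "Learn how to get started using Windows Update for Business."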

@ -0,0 +1,45 @@
---
title: Onboarding to Windows Update for Business (Windows 10)
description: Learn how to get started using Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: lizap
ms.localizationpriority: medium
ms.author: elizapo
ms.date: 06/20/2018
---
# Onboarding to Windows Update for Business in Windows 10
>Applies to: Windows 10
Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service (WU). Windows Update for Business can control the following:
- Interaction between the client and Windows Update service (AU Options)
- End user notification for pending updates
- Compliance deadlines for feature or quality updates
- Configure wave deployment for feature or quality updates bandwidth optimization (DO)
We also provide additional functionality to manage your environment when risk or issues arise such as a LOB application being blocked:
- Uninstall latest feature or quality update
- Pause for a duration of time
Use the following information to set up your environment using Windows Update for Business policies:
- [Supported SKUs](#supported_skus)
- [Windows Update for Business basics](wufb-basics.md)
- [Setting up automatic update](wufb-autoupdate.md)
- [Managing feature and quality updates](wufb-manageupdate.md)
- [Enforcing compliance deadlines](wufb-compliancedeadlines.md)
- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md)
## Supported SKUs
Windows Update for Business is supported on the following versions of Windows 10:
- Windows 10 Education
- Windows 10 Enterprise
- Windows 10 Pro
- Windows 10 S (for Windows 10, version 1709 and earlier)
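Review bot: The in-page link "[Supported SKUs](#supported_skus)" uses an underscore, while the compliance deadlines article in this commit links to its own headings with lowercase hyphenated anchors ("#deadline-only"). Suggest "#supported-skus" so the link resolves to the "## Supported SKUs" heading. The bullet "Configure wave deployment for feature or quality updates bandwidth optimization (DO)" appears to run two items together (wave deployment, and bandwidth optimization with DO) and should be split. The last link in the list repeats the "Download Optmization" wording from the TOC; see the comment there.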