deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #387 from MicrosoftDocs/WUfB1903

Browse Source 
W uf b1903
This commit is contained in:
jaimeo 2019-06-07 14:59:16 -07:00 committed by GitHub
commit a7814a1802
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 120 additions and 366 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/deployment/update/images/waas-wufb-3-rings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 81 KiB

BIN
windows/deployment/update/images/waas-wufb-fast-ring.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/deployment/update/images/waas-wufb-pause.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
windows/deployment/update/images/waas-wufb-pilot-problem.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/deployment/update/images/waas-wufb-policy-pause.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
windows/deployment/update/images/waas-wufb-slow-ring.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

146
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -6,9 +6,9 @@ description: Windows Update for Business lets you manage when devices received u
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
author: jaimeo
ms.localizationpriority: medium
ms.author: greglin
ms.author: jaimeo
ms.topic: article
---
@ -18,111 +18,89 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
- Windows Server 2019
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions.
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
Specifically, Windows Update for Business allows for:
- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization).
- Selectively including or excluding drivers as part of Microsoft-provided updates
- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions.
Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated.
Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization.
>[!NOTE]
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
> To use Windows Update for Business, you must allow devices to access the Windows Update service.
## Update types
## Types of updates managed by Windows Update for Business
Windows Update for Business provides three types of updates to Windows 10 devices:
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
- **Feature updates:** previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
- **Quality updates:** these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and can configure devices to receive or not receive such updates along with their Windows updates.
- **Driver updates:** these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
- **Microsoft product updates**: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.
## Offering
You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
### Manage which updates are offered
Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
- Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
- Microsoft product updates (on/off): When "on" this policy will install udpates for other Microsoft products.
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
#### Defer or pause an update
A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy.
|Category |Maximum deferral |
|---------|---------|
|Feature updates | 365 days |
|Quality updates | 30 days |
|Non-deferrable | none |
#### Pause an update
If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated.
If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
#### Select branch readiness level for feature updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
- Windows Insider Program for Business pre-release updates
- Windows Insider Fast
- Windows Insider Slow
- Windows Insider Release Preview
- Semi-annual Channel for released updates
Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released).
| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID |
| --- | --- | --- | --- | --- |
| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.</br>From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
| Quality Updates | 30 days | Days | Security updates</br>Drivers (optional)</br>Non-security updates</br>Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441</br></br>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</br></br>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</br></br>varies |
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx).
## Windows Update for Business in various Windows 10 versions
Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions.
| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 |
| --- | --- | --- | --- | --- | --- |
| Defer quality updates</br>Defer feature updates</br>Pause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates**</br>**Ability to set separate deadlines for feature vs. quality updates**</br>**Admins can prevent users from pausing updates**
## Managing Windows Update for Business with Group Policy
The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709.
| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
| --- | --- | --- |
| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* |
| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received </br> (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) |
## Managing Windows Update for Business with MDM
Starting with Windows 10, version 1709, the Windows Update for Business settings in MDM were changed to correctly reflect the associations with Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709.
| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
| --- | --- | --- |
| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
## Managing Windows Update for Business with System Center Configuration Manager
Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within System Center Configuration Manager.
| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
| --- | --- | --- |
| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within System Center Configuration Manager |
## Managing Windows Update for Business with Windows Settings options
Windows Settings includes options to control certain Windows Update for Business features:
- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options**
- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options
## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases
### Pause and deferral periods
The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days.
Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details.
Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a releases Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
## Monitor Windows Updates by using Update Compliance
Update Compliance provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
![Update Compliance Dashboard](images/waas-wufb-update-compliance.png)
For more information about Update Compliance, see [Monitor Windows Updates using Update Compliance](update-compliance-monitor.md).
## Manage Windows Update for Business with Intune
Microsoft Intune provides the ability to configure Windows Update for Business settings on devices. Intune doesnt store the updates, but only the update policy assignment. For more information, see [Manage software updates](https://docs.microsoft.com/intune/windows-update-for-business-configure).
## Steps to manage updates for Windows 10

340
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -1,5 +1,5 @@
---
title: Walkthrough use Group Policy to configure Windows Update for Business (Windows 10)
title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10
description: Configure Windows Update for Business settings using Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
@ -22,337 +22,108 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
> [!NOTES]
> The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
>
> To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
> See the following articles for instructions on the ADMX templates in your environment.
>
> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as theyre released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
>[!NOTE]
>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
>
>Windows 10 version 1511 does not support deferment of CB builds of Windows 10, so you can establish only one CB deployment ring. In version 1607 and later, CB builds can be delayed, making it possible to have multiple CB deployment rings.
Complete the following steps on a PC running the Remote Server Administration Tools or on a domain controller.
### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) thats appropriate for your Active Directory Domain Services (AD DS) structure.
5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
![UI for Edit GPO](images/waas-wufb-gp-edit.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
## Overview
![UI to edit Defer Upgrades and Updates](images/waas-wufb-gp-edit-defer.png)
In the **Defer Upgrades and Updates** Group Policy setting configuration, you see several options:
- **Enable/Disable Deferred Updates**. Enabling this policy setting sets the receiving client to the CBB servicing branch. Specifically disabling this policy forces the client into the CB servicing branch, making it impossible for users to change it.
- **Defer upgrades for the following**. This option allows you to delay feature updates up to 8 months, a number added to the default CBB delay (approximately 4 months from CB). By using Windows Update for Business, you can use this option to stagger CBB feature updates, making the total offset up to 12 months from CB.
- **Defer updates for the following**. This option allows you to delay the installation of quality updates on a Windows 10 device for up to 4 weeks, allowing for phased rollouts of updates in your enterprise, but not all quality updates are deferrable with this option. Table 1 shows the deferment capabilities by update type.
- **Pause Upgrades and Updates**. Should an issue arise with a feature update, this option allows a one-time skip of the current months quality and feature update. Quality updates will resume after 35 days, and feature updates will resume after 60 days. For example, deploy this setting as a stand-alone policy to the entire organization in an emergency.
Table 1 summarizes the category of update in Windows 10 and how long Windows Update for Business can defer its installation.
**Table 1**
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Classification type</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>OS upgrades</td>
<td>8 months</td>
<td>1 month</td>
<td>Upgrade</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="3">OS updates</td>
<td rowspan="3">4 weeks</td>
<td rowspan="3">1 week</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr>
<tr>
<td>Other/non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See
Simply enabling the **Defer Upgrades and Updates** policy sets the receiving client to the CBB servicing branch, which is what you want for your first deployment ring, **Ring 4 Broad business users**.
8. Enable the **Defer Updates and Upgrades** setting, and then click **OK**.
An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
9. Close the Group Policy Management Editor.
To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already:
Because the **Windows Update for Business - CBB1** GPO contains a computer policy and you only want to apply it to computers in the **Ring 4 Broad business users** group, use **Security Filtering** to scope the policys effect.
- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
- Allow access to the Windows Update service.
- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/).
### Scope the policy to the Ring 4 Broad business users group
1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
## Set up Windows Update for Business
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information.
![Scope policy to group](images/waas-wufb-gp-scope.png)
Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:
The **Ring 4 Broad business users** deployment ring has now been configured. Next, configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 2-week delay for feature updates.
### Set up a ring
1. Start Group Policy Management Console (gpmc.msc).
2. Expand **Forest > Domains > *\<your domain\>*.
3. Right-click *\<your domain>* and select **Create a GPO in this domain and link it here**.
4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object.
5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
## Offering
1. Open GPMC (gpmc.msc).
You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
![UI for Edit GPO](images/waas-wufb-gp-edit.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
8. Enable the **Defer Updates and Upgrades** setting, configure the **Defer upgrades for the following** option for 1 month, and then configure the **Defer updates for the following** option for 1 week.
![Example of policy settings](images/waas-wufb-gp-broad.png)
9. Click **OK** and close the Group Policy Management Editor.
### Scope the policy to the Ring 5 Broad business users \#2 group
1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users \#2** group.
### Manage which updates are offered
## Configure Windows Update for Business in Windows 10 version 1607
Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates**
- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products**
In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on.
- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 4 weeks after they are released.
- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
In this example, you configure and scope the update schedules for all three groups.
#### Defer or pause an update
### Configure Ring 2 Pilot Business Users policy
A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify.
1. Open GPMC (gpmc.msc).
- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
2. Expand **Forest** > **Domains** > *your domain*.
#### Example
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
![illustration of devices divided into three rings](images/waas-wufb-3-rings.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CB2** for the name of the new GPO.
When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
>[!NOTE]
>In this example, youre linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) thats appropriate for your Active Directory Domain Services (AD DS) structure.
5. Right-click the **Windows Update for Business - CB2** GPO, and then click **Edit**.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
![Edit menu for this GPO](images/waas-wufb-gp-cb2.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png)
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
##### Ten days later
Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CB**, set the feature update delay to **28** days, and then click **OK**.
![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png)
![Settings for this GPO](images/waas-wufb-gp-cb2-settings.png)
Table 3 summarizes the category of updates in Windows 10, version 1607, and how long Windows Update for Business can defer its installation.
If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
**Table 3**
##### What if a problem occurs with the update?
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Example</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>Feature Updates</td>
<td>180 days</td>
<td>Days</td>
<td>From Windows 10, version 1511 to version 1607</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="4">Quality Updates</td>
<td rowspan="4">30 days</td>
<td rowspan="4">Days</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers (optional)</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Non-security updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
<tr>
<td>Non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
9. Close the Group Policy Management Editor.
![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png)
Because the **Windows Update for Business CB2** GPO contains a computer policy and you only want to apply it to computers in the **Ring 2 Pilot Business Users** group, use **Security Filtering** to scope the policys effect.
At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
### Scope the policy to the Ring 2 Pilot Business Users group
![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png)
1. In the GPMC, select the **Windows Update for Business - CB2** policy.
Now all devices are paused from updating for 35 days. When the the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 2 Pilot Business Users** group.
![Scope policy to group](images/waas-wufb-gp-scope-cb2.png)
The **Ring 2 Pilot Business Users** deployment ring has now been configured. Next, configure **Ring 4 Broad business users** to set those clients into the CBB servicing branch so that they receive feature updates as soon as theyre made available for the CBB servicing branch.
#### Set branch readiness level for feature updates
### Configure Ring 4 Broad business users policy
This policy only applies to feature updates. To enable preview builds for devices in your organization, set the "Enable preview builds" policy and then use the "Select when preview builds and feature updates are received" policy.
1. Open GPMC (gpmc.msc).
We recommend that you set up a ring to receive preview builds by joining the Windows Insider Program for Business. By having a ring of devices receiving "pre-release slow" builds and learning about commercial pre-release features, you can ensure that any issues you have with the release are fixed before it is ever released and far before you broadly deploy.
2. Expand **Forest** > **Domains** > *your domain*.
- Enable preview builds: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage Preview Builds**
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
- Set branch readiness level: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb1-settings.png)
9. Close the Group Policy Management Editor.
### Scope the policy to the Ring 4 Broad business users group
1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
The **Ring 4 Broad business users** deployment ring has now been configured. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates
### Configure Ring 5 Broad business users \#2 policy
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, set the feature update delay to **14** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb2-settings.png)
9. Right-click **Select when Quality Updates are received**, and then click **Edit**.
10. In the **Select when Quality Updates are received** policy, enable it, set the quality update delay to **7** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb2q-settings.png)
11. Close the Group Policy Management Editor.
### Scope the policy to the Ring 5 Broad business users \#2 group
1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group.
## Known issues
The following article describes the known challenges that can occur when you manage a Windows 10 Group policy client base:
- [Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2](https://support.microsoft.com/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv)
## Related topics
- [Update Windows 10 in the enterprise](index.md)
@ -371,3 +142,8 @@ The following article describes the known challenges that can occur when you man
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)