Merge pull request #7951 from MicrosoftDocs/main

Release Windows 2302
Meghan Stewart 2023-02-28 06:07:54 -08:00 committed by GitHub
commit c23a36fa17
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 221 additions and 111 deletions


@ -1,7 +1,7 @@
--- ---
title: Configure federation between Google Workspace and Azure AD title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD. description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
ms.date: 02/10/2023 ms.date: 02/24/2023
ms.topic: how-to ms.topic: how-to
--- ---
@ -24,7 +24,8 @@ To test federation, the following prerequisites must be met:
1. A Google Workspace environment, with users already created 1. A Google Workspace environment, with users already created
> [!IMPORTANT] > [!IMPORTANT]
> Users require an email address defined in Google Workspace, which is used to match the users in Azure AD > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD.
> For more information about identity matching, see [Identity matching in Azure AD](federated-sign-in.md#identity-matching-in-azure-ad).
1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: 1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
- School Data Sync (SDS) - School Data Sync (SDS)
- Azure AD Connect sync for environment with on-premises AD DS - Azure AD Connect sync for environment with on-premises AD DS
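Review bot: the new link to identity matching is helpful, but the note it sits in still says users are matched on their Google Workspace email address, while the linked section describes matching on ImmutableId. Add half a sentence reconciling the two, for example that the email is the matching key only because the Name ID is mapped to **Basic Information > Primary email** later in this article, so that readers who pick a different Name ID mapping know the matching attribute changes with it.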
@ -38,14 +39,14 @@ To test federation, the following prerequisites must be met:
1. Select **Add app > Search for apps** and search for *microsoft* 1. Select **Add app > Search for apps** and search for *microsoft*
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select** 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app."::: :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later 1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
1. On the *Service provider details* page 1. On the **Service provider detail*s** page
- Select the option **Signed response** - Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT** - Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\ - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
If using Google auto-provisioning, select **Basic Information > Primary email** If using Google auto-provisioning, select **Basic Information > Primary email**
- Select **Continue** - Select **Continue**
1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes 1. On the **Attribute mapping** page, map the Google attributes to the Azure AD attributes
|Google Directory attributes|Azure AD attributes| |Google Directory attributes|Azure AD attributes|
|-|-| |-|-|
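Review bot: the bold markup on the *Service provider details* step is broken: `**Service provider detail*s**` puts the closing asterisk inside the word, so the asterisks render literally; it should read `**Service provider details**`. While touching this list, "used to setup Azure AD later" should be "set up" (verb), and the bolded page names on the two steps above now match the new convention, so the remaining italic *Attribute mapping* style in other files should be aligned too.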


@ -1,20 +1,21 @@
--- ---
title: Configure federated sign-in for Windows devices title: Configure federated sign-in for Windows devices
description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
ms.date: 01/12/2023 ms.date: 02/24/2023
ms.topic: how-to ms.topic: how-to
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
ms.collection: ms.collection:
- highpri - highpri
- tier1 - tier1
- education - education
--- ---
<!-- MAXADO-6286399 --> # Configure federated sign-in for Windows devices
# Configure federated sign-in for Windows 11 SE
Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in. Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
This feature is called *federated sign-in*.\
Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
## Benefits of federated sign-in ## Benefits of federated sign-in
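Review bot: the `appliesto` entry is widened from "Windows 11 SE" to "Windows 11", but the rewritten intro limits the feature to Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with KB5022913, so the banner now overstates support (Home and Pro are not covered). Either keep the banner edition-specific or make it clear the body's system requirements govern. Style point: "sign-in" is a noun; as a verb ("enable your users to sign-in", "they can sign-in") it should be "sign in" throughout the new text.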
@ -27,33 +28,44 @@ With fewer credentials to remember and a simplified sign-in process, students ar
To implement federated sign-in, the following prerequisites must be met: To implement federated sign-in, the following prerequisites must be met:
1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1] 1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
>[!NOTE] >[!NOTE]
>If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1]. >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
>
>For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md). - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
- For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: 1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
- [School Data Sync (SDS)][SDS-1] - [School Data Sync (SDS)][SDS-1]
- [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
- PowerShell scripts that call the [Microsoft Graph API][GRAPH-1] - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
- provisioning tools offered by the IdP - provisioning tools offered by the IdP
For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2] 1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
1. Enable federated sign-in on the Windows devices that the users will be using 1. Enable federated sign-in on the Windows devices
> [!IMPORTANT]
> This feature is exclusively available for Windows 11 SE, version 22H2.
To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet. To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
## Enable federated sign-in on devices > [!IMPORTANT]
<!-- > WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAML 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG). > - provisioning packages (PPKG)
> - Windows Autopilot self-deploying mode
### System requirements
Federated sign-in is supported on the following Windows SKUs and versions:
- Windows 11 SE, version 22H2 and later
- Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
## Configure federated sign-in
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:--> To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune.
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] [!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
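Review bot: the new IMPORTANT note stating that WS-Fed is the only federated protocol supported for Azure AD join, and that SAML 2.0 tenants should join via a provisioning package or Autopilot self-deploying mode, is the key constraint for most readers of this article, yet it sits after the Internet-access sentence and before "System requirements"; consider moving it into prerequisite 1, next to the SAML 2.0 IdP link, so it is read before anyone attempts a join. Also verify that the Google Workspace and Clever bullets, now outside the NOTE block, stay indented under item 1 so the numbered list does not restart, and "configured with different policies" reads better as "configured with several policies".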
@ -69,25 +81,25 @@ To sign-in with a SAML 2.0 identity provider, your devices must be configured wi
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
<!--
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure federated sign-in using a provisioning package, use the following settings: To configure federated sign-in using a provisioning package, use the following settings:
| Setting | | Setting |
|--------| |--------|
| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>| | <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>| | <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> Path: **`Policies/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>| | <li> Path: **`Policies/Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during he sign-in process, separated by a semicolon. For example: **`clever.com`**</li>| | <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true"::: :::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
Apply the provisioning package to the devices that require federated sign-in. Apply the provisioning package to the devices that require federated sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
--- ---
-->
## How to use federated sign-in ## How to use federated sign-in
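Review bot: the `Policies/Education/IsEducationEnvironment` row changes from "Data type: Integer, Value: 1" to "Value: Enabled"; this was the only row with an explicit data type, so confirm that the provisioning package UI really exposes the setting as Enabled rather than an integer, otherwise readers will look for a toggle that is not there. A defender-oriented sentence on `ConfigureWebSignInAllowedUrls` would also help: the semicolon-separated list bounds which domains the pre-logon web sign-in view may load, so it should be limited to the IdP's own domains as the `samlidp.clever.com;clever.com;mobile-redirector.clever.com` example does, and the same applies to `ConfigureWebCamAccessDomainNames`. Finally, the removed OOBE note about KB5020044 went away because its `[KB-1]` key is now repurposed for KB5022913; if that OOBE caveat still applies, restore it under its own link key.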
@ -106,24 +118,62 @@ Federated sign-in doesn't work on devices that have the following settings enabl
- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1] - **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1]
- **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2] - **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2]
- **Take a Test**, since it leverages the security policy above - **Take a Test**, since it uses the security policy above
### Identity matching in Azure AD
When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD.
After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
> [!NOTE]
> The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it.
If the matching object is found, the user is signed-in. If not, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
> [!IMPORTANT]
> The ImmutableId matching is case-sensitive.
The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\
In a scenario where a user is federated and you want to change the ImmutableId, you must:
1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain)
1. Update the ImmutableId
1. Convert the user back to a federated user
Here's a PowerShell example to update the ImmutableId for a federated user:
```powershell
#1. Convert the user from federated to cloud-only
Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com
#2. Convert the user back to federated, while setting the immutableId
Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051'
```
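Review bot: in the PowerShell example, `Get-AzureADUser -SearchString alton@example.com` is a prefix search, not an exact lookup, so it can return more than one user, and piping that into `Set-AzureADUser` would rewrite the UPN (and then the ImmutableId) on every match. Use an exact selector, for example `Get-AzureADUser -ObjectId alton@example.com` (the parameter accepts a UPN) or `-Filter "userPrincipalName eq 'alton@example.com'"`, in both steps. It is also worth stating in the surrounding text that the user cannot sign in through the IdP between step 1 and step 3, since the account is cloud-only during that window, and that the value `'260051'` must match the IdP's Name ID exactly given the case-sensitivity note above.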
## Troubleshooting ## Troubleshooting
- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen - The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen
- Select the *Other User* button, and the standard username/password credentials are available to log into the device - Select the *Other User* button, and the standard username/password credentials are available to log into the device
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp <!--links-->
[AZ-1]: /azure/active-directory/hybrid/whatis-fed
[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign [AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
[AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis [AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
[AZ-4]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
[GRAPH-1]: /graph/api/user-post-users?tabs=powershell [GRAPH-1]: /graph/api/user-post-users?tabs=powershell
[EXT-1]: https://support.clever.com/hc/s/articles/000001546
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843 [MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843
[SDS-1]: /schooldatasync [SDS-1]: /schooldatasync
[KB-1]: https://support.microsoft.com/kb/5022913
[WIN-1]: /windows/client-management/mdm/sharedpc-csp [WIN-1]: /windows/client-management/mdm/sharedpc-csp
[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin [WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
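Review bot: `[AZ-1]` now resolves to `whatis-fed` while its former target moved to the new `[AZ-4]` key; both keys are used on the updated prerequisite line, so that is consistent. `[KB-1]`, however, previously pointed to KB5020044 (used by the OOBE note this commit removes) and now points to KB5022913; grep the article for any other `[KB-1]` reference that still expects the old target, and consider naming the keys by KB number (for example `[KB-5022913]`) so a future repurposing does not silently change link targets.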



@ -29,7 +29,7 @@ For example, you can override the default set of apps with your own a set of pin
To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons).
## Before you begin ## Before you begin
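Review bot: the context line in the hunk header still reads "override the default set of apps with your own a set of pinned" (stray "a"); since this paragraph is being touched, fix it in the same change. The new anchor `#csp-policies-to-customize-windows-11-taskbar-buttons` matches the heading "CSP policies to customize Windows 11 taskbar buttons" added to supported-csp-taskbar-windows.md in this commit, so the cross-link will resolve as long as both files ship together.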


@ -18,53 +18,65 @@ ms.topic: article
- Windows 11 - Windows 11
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices.
This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start).
For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
## CSP policies to customize Windows 11 taskbar buttons
- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode)
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar`
- Local setting: Settings > Personalization > Taskbar > Search
- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton)
- Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button`
- Local setting: Settings > Personalization > Taskbar > Task view
- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests)
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets`
- Local setting: Settings > Personalization > Taskbar > Widgets
- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar)
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting`
- Local setting: Settings > Personalization > Taskbar > Chat
## Existing CSP policies that Windows 11 taskbar supports ## Existing CSP policies that Windows 11 taskbar supports
- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) - [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
- Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) - [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
- Local setting: None - Local setting: None
- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar)
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat`
- Local setting: Settings > Personalization > Taskbar > Chat
## Existing CSP policies that Windows 11 doesn't support ## Existing CSP policies that Windows 11 doesn't support
The following list includes some of the CSP policies that aren't supported on Windows 11: The following list includes some of the CSP policies that aren't supported on Windows 11:
- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall) - [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings`
- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar) - [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars`
- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar) - [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars`
- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock) - [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location`
- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize) - [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar`
- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar) - [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar`
- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping) - [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items`
- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) - [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar`
- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
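Review bot: the Group Policy path for `Start/HideTaskViewButton` is given as `Computer and User Configuration\Administrative Templates\...`, which is not a path that exists in the editor; either list the Computer Configuration and User Configuration paths separately or write "Computer Configuration or User Configuration\...", as the other entries use a single concrete path. The anchor change from `#start-hiderecentjumplists` to `#hiderecentjumplists` is applied consistently across the supported and unsupported lists, and `Experience/ConfigureChatIcon` now appears only in the new buttons section, which avoids the earlier duplicate.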


@ -8,7 +8,6 @@ author: lizgt2000
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/20/2022
ms.topic: conceptual ms.topic: conceptual
ms.collection: tier1 ms.collection: tier1
appliesto: appliesto:
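Review bot: `ms.date` is removed here while the same commit adds new Windows 11, version 22H2 content to the article, so the page loses its last-updated stamp exactly when it changes; set the date to the release date instead of dropping it, as the other files in this commit do.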
@ -60,7 +59,9 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. - [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. - [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience.
## Hearing ## Hearing
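Review bot: the new bullet should be nested under "Read in braille" rather than starting a sibling item, since it qualifies that feature; the flattened rendering does not show indentation, so please check the source. "Braille displays work seamlessly and reliably across multiple screen readers" is promotional wording; state the concrete change instead (support for braille displays extended to work with multiple screen readers after KB5022913), consistent with the lowercase "braille" applied to the link text in the same hunk.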


@ -334,6 +334,8 @@
href: update/windows-update-overview.md href: update/windows-update-overview.md
- name: Servicing stack updates - name: Servicing stack updates
href: update/servicing-stack-updates.md href: update/servicing-stack-updates.md
- name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Additional Windows Update settings - name: Additional Windows Update settings
href: update/waas-wu-settings.md href: update/waas-wu-settings.md
- name: Delivery Optimization reference - name: Delivery Optimization reference

View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.author: mstewart ms.author: mstewart
ms.topic: article ms.topic: article
ms.technology: itpro-updates ms.technology: itpro-updates
ms.date: 12/31/2017 ms.date: 02/28/2023
--- ---
# Configure Windows Update for Business # Configure Windows Update for Business
@ -27,7 +27,7 @@ ms.date: 12/31/2017
> [!NOTE] > [!NOTE]
> Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/). > Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/).
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
> [!IMPORTANT] > [!IMPORTANT]
> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
@ -35,7 +35,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi
## Start by grouping devices ## Start by grouping devices
By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.
>[!TIP] >[!TIP]
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsofts design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsofts design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
@ -68,7 +68,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness
After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
</br></br> </br></br>
@ -86,7 +86,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda
## Pause feature updates ## Pause feature updates
You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
@ -107,7 +107,7 @@ In cases where the pause policy is first applied after the configured start date
You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status| | Value | Status|
| --- | --- | | --- | --- |
@ -119,7 +119,7 @@ The local group policy editor (GPEdit.msc) will not reflect whether the feature
>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
- Any active restart notification are cleared or closed. - Any active restart notifications are cleared or closed.
- Any pending restarts are canceled. - Any pending restarts are canceled.
- Any pending update installations are canceled. - Any pending update installations are canceled.
- Any update installation running when pause is activated will attempt to roll back. - Any update installation running when pause is activated will attempt to roll back.
@ -164,7 +164,7 @@ In cases where the pause policy is first applied after the configured start date
You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status| | Value | Status|
| --- | --- | | --- | --- |
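Review bot: "resumed taking quality Updates" in the rewritten sentence keeps a stray capital; use "quality updates" to match the feature update paragraph above and the rest of the article.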
@ -176,7 +176,7 @@ The local group policy editor (GPEdit.msc) will not reflect whether the quality
>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
- Any active restart notification are cleared or closed - Any active restart notifications are cleared or closed
- Any pending restarts are canceled - Any pending restarts are canceled
- Any pending update installations are canceled - Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to roll back - Any update installation running when pause is activated will attempt to roll back
@ -201,7 +201,7 @@ The policy settings to **Select when feature updates are received** allows you t
## Exclude drivers from quality updates ## Exclude drivers from quality updates
Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy won't apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete.
**Policy settings to exclude drivers** **Policy settings to exclude drivers**
@ -210,6 +210,21 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | | GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | | MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable features introduced via servicing that are off by default
<!--6544872-->
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
**Policy settings to enable features introduced via servicing that are off by default**
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 11, version 22H2 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 11, version 22H2 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later ## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later. The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
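Review bot: the GPO row of the new table maps **Enable features introduced via servicing that are off by default** to `\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate`, which is the driver-exclusion value copied from the table directly above; the GPO summary table later in this commit lists this policy's value as `AllowTemporaryEnterpriseFeatureControl`, so the registry key here should be `\Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl` (verify against the ADMX before merging). In the unchanged context, the heading says "Windows 10, version 1703 and later" while the sentence under it says "version 1607 and later"; one of the two should change.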
@ -218,26 +233,28 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value | | GPO Key | Key type | Value |
| --- | --- | --- | | --- | --- | --- |
| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)</br> 4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)</br> 8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)</br></br>Other value or absent: receive all applicable updates | | AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
| DeferQualityUpdates | REG_DWORD | 1: defer quality updates</br>Other value or absent: dont defer quality updates | | BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates</br>Other value or absent: dont defer feature updates | | DeferQualityUpdates | REG_DWORD | 1: Defer quality updates</br>Other value or absent: Don't defer quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days |
| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updates</br>Other value or absent: dont pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers</br>Other value or absent: Offer Windows Update drivers |
| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers | | PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updates</br>Other value or absent: Don't pause feature updates |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updates</br>Other value or absent: Don't pause quality updates |
**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update** **MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update**
| MDM Key | Key type | Value | | MDM Key | Key type | Value |
| --- | --- | --- | | --- | --- | --- |
| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)</br> 4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)</br> 8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709) </br>32: systems take feature updates from General Availability Channel </br>Note: Other value or absent: receive all applicable updates | | AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br>32: Systems take feature updates from General Availability Channel </br>Note: Other value or absent: Receive all applicable updates |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days |
| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updates</br>Other value or absent: dont pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers</br>Other value or absent: Offer Windows Update drivers |
| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers | | PauseFeatureUpdatesStartTime | REG_DWORD | 1: Pause feature updates</br>Other value or absent: Don't pause feature updates |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updates</br>Other value or absent: Don't pause quality updates |
## Update devices to newer versions ## Update devices to newer versions
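Review bot: the reordered `BranchReadinessLevel` rows drop the "(added in Windows 10, version 1709)" annotations on values 2, 4 and 8, yet the intro sentence still scopes these tables to "Windows 10, version 1607 and later", so readers lose the information that those values aren't honored before 1709; either keep the annotations or narrow the scope sentence. The MDM table also spells the driver key `ExcludeWUDriversinQualityUpdate` while the GPO table and the policy table above use `ExcludeWUDriversInQualityUpdate`; since the reorder touches both rows, align the casing.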
@ -245,7 +262,7 @@ Due to the changes in Windows Update for Business, Windows 10, version 1607 uses
### How older version policies are respected on newer versions ### How older version policies are respected on newer versions
When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these aren't present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703 ### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703
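Review bot: "it then checks whether any of the older version keys are set and defer accordingly" still has a subject-verb mismatch; the subject is "it" (the device), so it should be "and defers accordingly". "Windows Updates for Business" in the same sentence should also be "Windows Update for Business" to match the product name used everywhere else in the article.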

View File

@ -1,6 +1,6 @@
--- ---
title: Configure Windows Update for Business by using CSPs and MDM title: Configure Windows Update for Business by using CSPs and MDM
description: Walk-through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM. description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.prod: windows-client ms.prod: windows-client
author: mestew author: mestew
ms.localizationpriority: medium ms.localizationpriority: medium
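Review bot: changing "Walk-through demonstration" to "Walk through demonstration" removes a hyphen that was correct: "walk-through" is the noun and adjective form, while "walk through" is the verb phrase, so the new description reads as an imperative. Either restore "Walk-through demonstration" or rephrase to match the H1 below, for example "Walkthrough: configure Windows Update for Business settings by using CSPs and MDM".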
@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
ms.technology: itpro-updates ms.technology: itpro-updates
ms.date: 12/31/2017 ms.date: 02/28/2023
--- ---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@ -16,7 +16,7 @@ ms.date: 12/31/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -42,9 +42,9 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
To enable Microsoft Updates use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice). To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate). Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
We also recommend that you allow Microsoft product updates as discussed previously. We also recommend that you allow Microsoft product updates as discussed previously.
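Review bot: the link text `Update/AllwMUUpdateService` is misspelled on both sides of the diff (the fragment `#update-allowmuupdateservice` carries the correct name); since this line is already being edited for the comma, fix it to `Update/AllowMUUpdateService`. In the next line, "Drivers are automatically enabled because they're beneficial to device systems" is vague; state the actual default (driver updates are offered with quality updates unless `ExcludeWUDriversInQualityUpdate` is set), which is what the rest of the paragraph goes on to say.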
@ -52,17 +52,17 @@ Drivers are automatically enabled because they are beneficial to device systems.
#### I want to receive pre-release versions of the next feature update #### I want to receive pre-release versions of the next feature update
1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. 1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**. 1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation. 1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you are testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests. 1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive #### I want to manage which released feature update my devices receive
A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) - To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime) - To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
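Review bot: "defer quality updates for up to 30 days" conflicts with the summary tables earlier in this commit, where `DeferQualityUpdatesPeriodinDays` is documented as 0-35 days; the Policy CSP page is the authoritative source, so check which value it currently documents and make the two articles agree. Smaller points in the same hunk: "For any of test devices you want to install pre-release builds" should read "For any test devices on which you want to install pre-release builds"; "preview Builds" should be lowercase; and "before it reaches your tests" should be "before it reaches your testers".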
@ -99,7 +99,7 @@ At this point, the IT administrator can set a policy to pause the update. In thi
![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png) ![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png)
Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
@ -156,7 +156,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png) ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:
![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png) ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
@ -174,7 +174,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications. There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values: We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) Use the default Windows Update notifications<br/> **0** (default) Use the default Windows Update notifications<br/>
**1** Turn off all notifications, excluding restart warnings<br/> **1** Turn off all notifications, excluding restart warnings<br/>
@ -194,4 +194,16 @@ When you disable this setting, users will see **Some settings are managed by you
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess). If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
#### I want to enable features introduced via servicing that are off by default
<!--6544872-->
(*Starting in Windows 11, version 22H2 or later*)
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
You can enable these features by using [AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol). The following options are available:
- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
- **1** - Not allowed. Features that are shipped turned off by default will remain off
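Review bot: the value table for AllowTemporaryEnterpriseFeatureControl appears inverted. It labels **0 (default)** as "Allowed. All features in the latest monthly cumulative update are enabled", yet the paragraph two lines above says these features are "temporarily turned off by default", and the Group Policy version of the same section in this commit lists both **Disabled** and **Not configured** as "Features that are shipped turned off by default will remain off". The default value must be the one that keeps features off, so the labels should read "- **0** (default): Not allowed. Features that are shipped turned off by default remain off." and "- **1**: Allowed. All features in the latest monthly cumulative update are enabled; they turn on at the next restart." Smaller points: "(*Starting in Windows 11, version 22H2 or later*)" says "starting" and "or later" at once, and the three bullets mix ":" and " - " separators and omit terminal periods.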


@ -1,6 +1,6 @@
--- ---
title: Configure Windows Update for Business via Group Policy title: Configure Windows Update for Business via Group Policy
description: Walk-through demonstration of how to configure Windows Update for Business settings using Group Policy. description: Walk through of how to configure Windows Update for Business settings using Group Policy.
ms.prod: windows-client ms.prod: windows-client
author: mestew author: mestew
ms.localizationpriority: medium ms.localizationpriority: medium
@ -10,7 +10,7 @@ ms.collection:
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
ms.technology: itpro-updates ms.technology: itpro-updates
ms.date: 12/31/2017 ms.date: 02/28/2023
--- ---
# Walkthrough: Use Group Policy to configure Windows Update for Business # Walkthrough: Use Group Policy to configure Windows Update for Business
@ -25,7 +25,7 @@ ms.date: 12/31/2017
## Overview ## Overview
You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information. You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. For more information, see [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information.
An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**. An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
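Review bot: the rewritten sentence in this hunk now reads "For more information, see [Prepare servicing strategy for Windows client updates](...) for more information." The phrase was moved to the front but not removed from the end; drop the trailing "for more information."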
@ -53,7 +53,7 @@ Follow these steps on a device running the Remote Server Administration Tools or
5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**. 5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices. 6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You're now ready to start assigning policies to this ring (group) of devices.
## Manage Windows Update offerings ## Manage Windows Update offerings
@ -64,9 +64,9 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
To enable Microsoft Updates use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**. To enable Microsoft Updates, use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy. Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
We also recommend that you allow Microsoft product updates as discussed previously. We also recommend that you allow Microsoft product updates as discussed previously.
@ -74,7 +74,7 @@ Drivers are automatically enabled because they are beneficial to device systems.
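Review bot: "use the Group Policy Management Console go to **Computer Configuration > ...**" is missing a connecting "to"; "use the Group Policy Management Console to go to" parallels the wording used in the drivers paragraph just below it. That drivers paragraph also opens with "Drivers are automatically enabled because they're beneficial to device systems", which says nothing concrete; "Driver updates are included by default" states the behavior the rest of the paragraph (and the **Do not include drivers with Windows Updates** policy) is about.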
#### I want to receive pre-release versions of the next feature update #### I want to receive pre-release versions of the next feature update
1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. 1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release and receive emails and content related to what is coming in the next updates.
2. Use Group Policy Management Console to go to: **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds** and set the policy to **Enable preview builds** for any of test devices you want to install pre-release builds. 2. Use Group Policy Management Console to go to: **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds** and set the policy to **Enable preview builds** for any of test devices you want to install pre-release builds.
@ -84,18 +84,18 @@ Drivers are automatically enabled because they are beneficial to device systems.
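Review bot: "for any of test devices you want to install pre-release builds" in step 2 drops an article and a preposition; "for any test devices on which you want to install pre-release builds" reads cleanly. Step 1's "receive emails and content related to what is coming in the next updates" is fine as rewritten.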
#### I want to manage which released feature update my devices receive #### I want to manage which released feature update my devices receive
A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are Received** - To defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are Received**
- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received** - Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
#### Example #### Example
In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days. In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of 10 days.
:::image type="content" alt-text="illustration of devices divided into three rings." source="images/waas-wufb-3-rings.png" lightbox="images/waas-wufb-3-rings.png"::: :::image type="content" alt-text="illustration of devices divided into three rings." source="images/waas-wufb-3-rings.png" lightbox="images/waas-wufb-3-rings.png":::
When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates. When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later ##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates. The devices in the fast ring are offered the quality update the next time they scan for updates.
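Review bot: the two policy names in the bullets are cased inconsistently with each other ("Preview Builds and feature updates are Received" beside "Quality Updates are Received"); Group Policy display names should be quoted exactly, so check both against the ADMX text and use the same casing pattern. The parenthetical "(offer date = release date + deferral date)" has the same date-plus-date problem as the MDM walkthrough; "deferral period" is the intended term. The ring example that follows (0, 5 and 10 days) is internally consistent with the "Five days later" and "Ten days later" subheadings.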
@ -103,11 +103,11 @@ The devices in the fast ring are offered the quality update the next time they s
:::image type="content" alt-text="illustration of devices with fast ring deployed." source="images/waas-wufb-fast-ring.png" lightbox="images/waas-wufb-fast-ring.png"::: :::image type="content" alt-text="illustration of devices with fast ring deployed." source="images/waas-wufb-fast-ring.png" lightbox="images/waas-wufb-fast-ring.png":::
##### Ten days later ##### Ten days later
Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates. Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
:::image type="content" alt-text="illustration of devices with slow ring deployed." source="images/waas-wufb-slow-ring.png" lightbox="images/waas-wufb-slow-ring.png"::: :::image type="content" alt-text="illustration of devices with slow ring deployed." source="images/waas-wufb-slow-ring.png" lightbox="images/waas-wufb-slow-ring.png":::
If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves. If no problems occur, all of the devices that scan for updates will be offered the quality update within 10 days of its release, in three waves.
##### What if a problem occurs with the update? ##### What if a problem occurs with the update?
@ -119,13 +119,13 @@ At this point, the IT administrator can set a policy to pause the update. In thi
:::image type="content" alt-text="illustration of rings with pause quality update check box selected." source="images/waas-wufb-pause.png" lightbox="images/waas-wufb-pause.png"::: :::image type="content" alt-text="illustration of rings with pause quality update check box selected." source="images/waas-wufb-pause.png" lightbox="images/waas-wufb-pause.png":::
Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
#### I want to stay on a specific version #### I want to stay on a specific version
If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition. If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it's 60 days past end of service for its edition.
When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect. When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device won't receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals won't be in effect.
### Manage how users experience updates ### Manage how users experience updates
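Review bot: the feature-update deferral setting is named "**Specify when Preview Builds and feature updates are received**" here but "**Select when Preview Builds and feature updates are Received**" in the bullets earlier in this file; only one of these is the real display name, and readers searching the Group Policy editor for the other will not find it. Separately, the final paragraph states that an older or invalid target version value means the device "won't receive any feature updates until the policy is updated"; that is an easy way to silently freeze a fleet with a typo or a stale value after a version reaches end of service, and it deserves a note block rather than a trailing sentence.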
@ -135,7 +135,7 @@ We recommend that you allow to update automatically--this is the default behavio
For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**. For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**.
It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**. It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Auto download and schedule the install**. You can customize this setting to accommodate the time that you want the update to be installed for your devices. To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Auto download and schedule the install**. You can customize this setting to accommodate the time that you want the update to be installed for your devices.
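Review bot: "It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours" packs two reasons and a double negative into one clause; splitting it ("The active hours policy is in effect by default whenever automatic updates are enabled, and users get a better experience when they set their own active hours, so avoid setting it centrally") keeps the recommendation and makes the default clear.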
@ -145,7 +145,7 @@ When you set these policies, installation happens automatically at the specified
We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours. This policy also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose: These notifications are what the user sees depending on the settings you choose:
@ -159,7 +159,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png) ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:
![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png) ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
@ -177,7 +177,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications. There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values: We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
**0** (default) - Use the default Windows Update notifications </br> **0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br> **1** - Turn off all notifications, excluding restart warnings </br>
@ -192,9 +192,24 @@ Still more options are available in **Computer Configuration > Administrative Te
#### I want to manage the update settings a user can access #### I want to manage the update settings a user can access
Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users. Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**. Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**.
When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out. When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**. If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
#### I want to enable features introduced via servicing that are off by default
<!--6544872-->
(*Starting in Windows 11, version 22H2 or later*)
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
You can enable these features by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > Enable features introduced via servicing that are off by default**. The following options are available:
- **Enabled**: All features in the latest monthly cumulative update are enabled.
- When the policy is set to **Enabled**, all features that are currently turned off will turn on when the device next reboots
- **Disabled** - Features that are shipped turned off by default will remain off
- **Not configured** - Features that are shipped turned off by default will remain off
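Review bot: the opening quotation mark in "**Remove access to “Pause updates**" has no closing mark; either close it or drop the quotes, since the policy name is already bold. Two lines above, "by going selecting **Updates and Security** in **Settings**" should be "by selecting". In the new section at the end, the option list mixes "**Enabled**:" with "**Disabled** -" and "**Not configured** -", and the bullets lack terminal periods; "(*Starting in Windows 11, version 22H2 or later*)" has the same redundant "starting ... or later" wording as the MDM version. The Enabled/Disabled/Not configured semantics themselves are consistent (features stay off unless explicitly enabled), which is the behavior the MDM table in this commit should match.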