added group policy material

jaimeo
2019-05-23 14:55:55 -07:00
parent d079eb9840
commit d911d71600


@ -100,337 +100,110 @@ This policy enables devices to automatically download updates, even over metered
![UI for metered network control](images/waas-wufb-gp-metered-network.png) ![UI for metered network control](images/waas-wufb-gp-metered-network.png)
##### Notification controls
There is a policy that allows administrators to set the display options for update notifications. This policy provides three options: the default Windows Update for the operating system notifications, disable all notifications excluding restart notifications, and disable all notifications including restart notifications.
**Computer configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications**
------------------------------------------------- ![UI for displaying update notifications](images/waas-wufb-gp-update-notifications.png)
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
>[!NOTES]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
>See the following articles for instructions on the ADMX templates in your environment.
> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). Two policies related to the “Install Updates and Shut Down” option enable the IT Administrator to either fully remove this option from the **Shut Down Windows** dialog box or to remove “Install Updates and Shut Down” option as the default selection in the Windows dialog box.
- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as theyre released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog box**
- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
>[!NOTE] ![UI for removing install updates and shut down option](images/waas-wufb-gp-do-not-adjust-install-update.png)
>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
>
>Windows 10 version 1511 does not support deferment of CB builds of Windows 10, so you can establish only one CB deployment ring. In version 1607 and later, CB builds can be delayed, making it possible to have multiple CB deployment rings.
Complete the following steps on a PC running the Remote Server Administration Tools or on a domain controller.
### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
1. Open GPMC (gpmc.msc). **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not display “Install Updates and Shut Down” option in Shut Down Windows dialog box**
2. Expand **Forest** > **Domains** > *your domain*. ![UI for removing install updates and shut down option](images/waas-wufb-gp-do-not-display-install-update.png)
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. ##### Automatic Update notification controls
![UI for Create GPO menu](images/waas-wufb-gp-create.png) The "Configure automatic updates" policy enables administrators to specify whether computers will receive security updates and other important downloads through the Windows automatic updating service. This policy also enables the ability to schedule installation.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
>[!NOTE] Additionally, you can specify whether automatic updates should automatically install certain updates that neither interrupt Windows services nor restart windows. Yu can also allow non-administrators to receive update notifications based on the configure automatic updates policy.
>In this example, youre linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) thats appropriate for your Active Directory Domain Services (AD DS) structure.
5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates**
![UI for Edit GPO](images/waas-wufb-gp-edit.png) ![UI for configure automatic updates](images/waas-wufb-gp-configure-automatic-updates.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
7. Right-click **Defer Upgrades and Updates**, and then click **Edit**. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Allow Automatic Updates immediate installation**
![UI to edit Defer Upgrades and Updates](images/waas-wufb-gp-edit-defer.png) ![UI for allow automatic updates](images/waas-wufb-gp-allow-automatic-updates.png)
In the **Defer Upgrades and Updates** Group Policy setting configuration, you see several options:
- **Enable/Disable Deferred Updates**. Enabling this policy setting sets the receiving client to the CBB servicing branch. Specifically disabling this policy forces the client into the CB servicing branch, making it impossible for users to change it.
- **Defer upgrades for the following**. This option allows you to delay feature updates up to 8 months, a number added to the default CBB delay (approximately 4 months from CB). By using Windows Update for Business, you can use this option to stagger CBB feature updates, making the total offset up to 12 months from CB.
- **Defer updates for the following**. This option allows you to delay the installation of quality updates on a Windows 10 device for up to 4 weeks, allowing for phased rollouts of updates in your enterprise, but not all quality updates are deferrable with this option. Table 1 shows the deferment capabilities by update type.
- **Pause Upgrades and Updates**. Should an issue arise with a feature update, this option allows a one-time skip of the current months quality and feature update. Quality updates will resume after 35 days, and feature updates will resume after 60 days. For example, deploy this setting as a stand-alone policy to the entire organization in an emergency.
Table 1 summarizes the category of update in Windows 10 and how long Windows Update for Business can defer its installation.
**Table 1**
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Classification type</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>OS upgrades</td>
<td>8 months</td>
<td>1 month</td>
<td>Upgrade</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="3">OS updates</td>
<td rowspan="3">4 weeks</td>
<td rowspan="3">1 week</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr>
<tr>
<td>Other/non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
Simply enabling the **Defer Upgrades and Updates** policy sets the receiving client to the CBB servicing branch, which is what you want for your first deployment ring, **Ring 4 Broad business users**. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Allow non-administrators to receive update notifications**
8. Enable the **Defer Updates and Upgrades** setting, and then click **OK**.
9. Close the Group Policy Management Editor. ![UI for allow non-admin automatic updates](images/waas-wufb-gp-allow-automatic-updates.png)
Because the **Windows Update for Business - CBB1** GPO contains a computer policy and you only want to apply it to computers in the **Ring 4 Broad business users** group, use **Security Filtering** to scope the policys effect. ##### Scheduling
### Scope the policy to the Ring 4 Broad business users group Admins can enable Windows to automatically wake up systems to install scheduled updates.
1. In the GPMC, select the **Windows Update for Business - CBB1** policy. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates**
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group. ![UI for allowing updates to wake up devices](images/waas-wufb-gp-wake-up-updates.png)
![Scope policy to group](images/waas-wufb-gp-scope.png) #### Restart controls
The **Ring 4 Broad business users** deployment ring has now been configured. Next, configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 2-week delay for feature updates. ##### Restart controls for scheduled installations
You can re-prompt to restart a device after scheduled installations. Specify the amount of time for Automatic Updates to wait before prompting again with a scheduled restart; the default is 10 minutes. YOu can also delay restart for scheduled installations or specify that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals **Computer configuration > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations**
1. Open GPMC (gpmc.msc). ![UI for re-prompt for restart](images/waas-wufb-gp-re-prompt-restart.png)
2. Expand **Forest** > **Domains** > *your domain*. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Delay Restart for scheduled installations**
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
![UI for Edit GPO](images/waas-wufb-gp-edit.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
8. Enable the **Defer Updates and Upgrades** setting, configure the **Defer upgrades for the following** option for 1 month, and then configure the **Defer updates for the following** option for 1 week.
![Example of policy settings](images/waas-wufb-gp-broad.png)
9. Click **OK** and close the Group Policy Management Editor.
### Scope the policy to the Ring 5 Broad business users \#2 group
1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users \#2** group.
## Configure Windows Update for Business in Windows 10 version 1607 ![UI for delay restart](images/waas-wufb-gp-delay-restart.png)
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades. **Computer configuration > Administrative Templates > Windows Components > Windows Update > No auto-restart with logged on users for scheduled automatic updates installations**
In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: ![UI for no auto-restart](images/waas-wufb-gp-no-auto-restart.png)
- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 4 weeks after they are released. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations**
- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
In this example, you configure and scope the update schedules for all three groups. ![UI for resched-auto-updates](images/waas-wufb-gp-resched-auto-updates.png)
### Configure Ring 2 Pilot Business Users policy ##### Auto-restart and deadline for auto-restart
1. Open GPMC (gpmc.msc). You can control the restart experience of end users with a number of policies. When these policies are not configured, the users' active hours will be in effect. This enables the IT admin to turn off auto-restart for updates during active hours, set the maximum active hours range for auto-restarts, always automatically restart at the scheduled time instead of notifying for two or more days prior, specify a deadline before the device tries to auto-restart outside of active hours (this deadline can be set to varying days for feature and quality updates with a default at 7 days), and configure auto-restart reminder notifications or turn them off completely.
2. Expand **Forest** > **Domains** > *your domain*. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto-restarts**
![UI for Create GPO menu](images/waas-wufb-gp-create.png) **Computer configuration > Administrative Templates > Windows Components > Windows Update > Always automatically restart at the scheduled time**
4. In the **New GPO** dialog box, type **Windows Update for Business - CB2** for the name of the new GPO. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation**
>[!NOTE] **Computer configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart reminder notifications for updates**
>In this example, youre linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) thats appropriate for your Active Directory Domain Services (AD DS) structure.
5. Right-click the **Windows Update for Business - CB2** GPO, and then click **Edit**.
![Edit menu for this GPO](images/waas-wufb-gp-cb2.png) **Computer configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart notifications for update installations**
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**. **Computer configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart required notification for updates**
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CB**, set the feature update delay to **28** days, and then click **OK**. ##### Engaged restart and deadline for engaged restart
![Settings for this GPO](images/waas-wufb-gp-cb2-settings.png) The engaged restart policy allows the administrator to control the timing before transitioning from an auto-restart scheduled outside of active hours to engaged restart, which requires the user to schedule the restart. With this one policy, you can schedule the transition (time before transitioning from auto to engaged), the snooze (how many days the user can snooze a restart reminder), and deadline (the deadline before a pending restart will automatically be executed outside of active hours).
Table 3 summarizes the category of updates in Windows 10, version 1607, and how long Windows Update for Business can defer its installation.
**Table 3** **Computer configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates**
<table> ## Other policies for Windows Updates
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Example</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>Feature Updates</td>
<td>180 days</td>
<td>Days</td>
<td>From Windows 10, version 1511 to version 1607</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="4">Quality Updates</td>
<td rowspan="4">30 days</td>
<td rowspan="4">Days</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers (optional)</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Non-security updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
<tr>
<td>Non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
9. Close the Group Policy Management Editor. All of these policies are under **Computer configuration > Administrative Templates > Windows Components > Windows Update**:
Because the **Windows Update for Business CB2** GPO contains a computer policy and you only want to apply it to computers in the **Ring 2 Pilot Business Users** group, use **Security Filtering** to scope the policys effect. - Enable Client Side targeting
- Update power policy for cart restarts
- Policies related to Microsoft update service location
- Allow signed updates from an intranet Microsoft service location
- Specify intranet Microsoft update service location
- Do not connect to any Windows Update Intranet locations
### Scope the policy to the Ring 2 Pilot Business Users group
1. In the GPMC, select the **Windows Update for Business - CB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 2 Pilot Business Users** group.
![Scope policy to group](images/waas-wufb-gp-scope-cb2.png)
The **Ring 2 Pilot Business Users** deployment ring has now been configured. Next, configure **Ring 4 Broad business users** to set those clients into the CBB servicing branch so that they receive feature updates as soon as theyre made available for the CBB servicing branch.
### Configure Ring 4 Broad business users policy
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb1-settings.png)
9. Close the Group Policy Management Editor.
### Scope the policy to the Ring 4 Broad business users group
1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
The **Ring 4 Broad business users** deployment ring has now been configured. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates
### Configure Ring 5 Broad business users \#2 policy
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, set the feature update delay to **14** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb2-settings.png)
9. Right-click **Select when Quality Updates are received**, and then click **Edit**.
10. In the **Select when Quality Updates are received** policy, enable it, set the quality update delay to **7** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb2q-settings.png)
11. Close the Group Policy Management Editor.
### Scope the policy to the Ring 5 Broad business users \#2 group
1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group.
## Known issues ## Known issues
The following article describes the known challenges that can occur when you manage a Windows 10 Group policy client base: The following article describes the known challenges that can occur when you manage a Windows 10 Group policy client base:
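Review bot: The screenshot added for "Allow non-administrators to receive update notifications" (the image line after the "Close the Group Policy Management Editor" step, captioned "UI for allow non-admin automatic updates") points at `images/waas-wufb-gp-allow-automatic-updates.png`, the same file already used two policies earlier for "Allow Automatic Updates immediate installation"; either the non-admin screenshot was never added or the wrong path was pasted, so readers will see the immediate-installation dialog under the wrong policy name. Also fix two typos in the added text: "Yu can also allow non-administrators" under "Automatic Update notification controls" and "YOu can also delay restart" under "Restart controls for scheduled installations". In the "Other policies for Windows Updates" list, "Policies related to Microsoft update service location" reads as a group label for the three intranet-location entries that follow rather than a policy name; nesting those three entries under it would avoid implying a policy with that name exists. Finally, the stray horizontal rule ("-----") directly above the "Display options for update notifications" screenshot looks like leftover table syntax and should be dropped.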