With the Windows 10 November update, Microsoft updated Windows Update for Business. The new Defer Upgrades and Updates Group Policy allows admins to defer upgrades up to eight months and certain updates up to four weeks. This article gives you the background knowledge to understand the consequences of this policy in detail.

When Microsoft started talking about Windows Update for Business (WUB), IT bloggers speculated whether it was a new product and whether it could possibly replace Windows Server Update Services (WSUS). It now appears that Windows Update for Business is mostly just a fancy name for the ability to defer updates and upgrades for a certain time. However, WUB can indeed replace WSUS in some networks. I will say a little about the WSUS vs. WUB topic below.

Windows Update branches

With the November update, updating Windows got a bit more flexible (and complicated) than before. Previously, we had four different update speeds for Windows 10: Windows Insider Preview Branch, Current Branch (sometimes also called Consumer Branch [CB]), Current Branch for Business (CBB), and the Long-Term Servicing Branch (LTSB).

If you are running Windows 10 with the default settings in your business, you are automatically in the CB. To switch to the CBB, you have to enable Defer Upgrades in the Advanced Options of the Windows 10 settings (Settings > Update & security > Windows Update).

Defer upgrades in Windows 10 settings

If you want to do this for all Windows 10 machines in your network, you can use the Group Policy Defer Upgrades in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. This makes you a WUB user, and you will now receive feature updates (upgrades) at least four months later than users in the CB receive them.

Defer upgrades GPO in Windows 10

Note that you need the ADMX templates for Windows 10 on a Windows Server 2012 R2 computer.

Defer Upgrades and Updates

The new thing about the November update is that, within the CBB, we now have a few more different update speeds.

You’ll need the new ADMX templates for Windows 10 version 1511, which you can download via the same download page as for the original Windows 10 templates.

Download ADMX templates for Windows 10 version 1511

As you can see in the screenshot below, the name of the policy has changed. Instead of “Defer Upgrades,” it is now called “Defer Upgrades and Updates.” Updates include hotfixes and security updates, and you may defer these patches up to four weeks.

Defer Upgrades and Updates GPO in the Windows 10 November update

This policy does not affect definition updates for Microsoft security programs (for instance, Windows Defender). Those updates will always be installed as soon as they become available. You can now defer upgrades (feature updates) up to eight months.

I think we can say that the November update introduces new update rings within the CBB. Just as we have a slow and a fast ring in the Windows Insider Branch, we can now configure different update speeds within the CBB.

These rings correspond to your deployment and validation groups (another Microsoft concept), which are the device groups in your organization with different update speeds.

Pause Upgrades and Updates

The switch Pause Upgrades and Updates is interesting. Most bloggers who covered the topic just copied the policy description, and I wonder if they really got the point about this setting. Actually, I am unsure if I really understand the explanation. This is my interpretation:

It seems the Pause Upgrades and Updates switch allows you to further delay updates and upgrades. Let’s say you configured the policy to install upgrades after eight months, and a certain upgrade would now be ready to be installed. If you enabled the switch, this upgrade would still not be installed until the next monthly update, which can be up to an additional 35 days (for some reason, Microsoft believes that a month has five weeks).

The confusing part of the description is the sentence “Once a new update or upgrade is available, the value will go back to the previously selected option, re-enabling your validation groups.” (Note: I corrected the typo in the original description.)

I think the writer of this description wants to tell us that the updates and upgrades will be forced on the computer after a maximum of 35 days even if you selected Pause Upgrades and Updates. And “re-enabling validation groups” just means that the other two settings in this policy will be taken into account because—as mentioned above—validation groups are the device groups with different update speeds that you can define with this policy.

Of course, the value of your Group Policy setting will not be changed automatically (go back to the previously selected option) as the Group Policy description seems to imply. Thus, the machines will stay in this “paused” state until you deselect this value manually. To avoid confusion, I think Microsoft should rename this switch to something like “Further delay upgrades and updates (a few more days)” because “pausing” means stopping, and this is not what this switch actually does.

Effect on Windows 10 settings

It is interesting to note that, when you defer upgrades and updates via Group Policy, the corresponding switch in the Windows 10 settings stays unchecked. This was different in the old Defer Upgrades policy.

However, when I enabled Pause Upgrades and Updates (plus gpupdate and reboot), the switch in the Windows 10 settings was activated; when I then set the policy back to Not Configured, the switch stayed activated even though gpresult indicated that the policy was no longer active (after several reboots). I suppose this new policy is not yet ready for prime time.

Defer upgrades in Windows 10 settings is controlled via Group Policy

Allow Telemetry policy

The description of the Defer Upgrades and Updates policy also states that the settings have no effect if the Allow Telemetry policy is set to 0 (Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds). The policy determines what kind of data is sent to Microsoft for diagnostic and usage analysis.

A setting of 0 corresponds to the security level. Interestingly, this configuration does not mean that zero data is sent to Microsoft. This telemetry level is only available for Windows 10 Enterprise and Education. Thus, if you are running Windows 10 Pro, you don’t have to worry that this policy interferes with your update policy because your telemetry settings are then at least at the basic level anyway.

Allow Telemetry policy

The reason the telemetry policy has to be set at least to basic is that, at this level, information about successful or unsuccessful Windows Update operations is sent to Microsoft. Obviously, Microsoft’s Windows Update service needs to know the state of your machines with regard to Windows updates to determine what updates and upgrades it has to send.

Windows 10 version 1511

The new Defer Upgrades and Updates policy will only work if you apply it to Windows 10 version 1511 machines. I applied the policy to a Windows 10 installation in the Current Branch; even though I could see the settings with gpresult /v, I didn’t notice any update delays. (But this needs further testing.)

Displaying Defer Upgrades and Updates policy with gpresult

Thus, you should put the Windows 10 machines of a certain deployment and validation group in a separate OU so that you can easily apply the correct update policy.
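
The following check is an added example, not code from the article: it reads the values the policy leaves in the registry and reports the conditions discussed above (Allow Telemetry set to 0, a pre-1511 build, deferred security updates, the pause switch). The function names are hypothetical, and the registry value names and the assumption that ReleaseId is absent before version 1511 are not given in the article; verify them against your ADMX templates.

```powershell
# Added example, not from the article; function names are hypothetical.
# Assumed registry value names: those the 1511 policy template writes.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$DcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$OsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the value is absent (policy Not Configured).
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
}

function Get-WubState {
    # Read the policy, telemetry and OS values from the local registry.
    @{
        DeferUpgrade       = Get-RegValue $WuKey 'DeferUpgrade'
        DeferUpgradePeriod = Get-RegValue $WuKey 'DeferUpgradePeriod'  # months
        DeferUpdatePeriod  = Get-RegValue $WuKey 'DeferUpdatePeriod'   # weeks
        PauseDeferrals     = Get-RegValue $WuKey 'PauseDeferrals'
        AllowTelemetry     = Get-RegValue $DcKey 'AllowTelemetry'
        ReleaseId          = Get-RegValue $OsKey 'ReleaseId'
        EditionID          = Get-RegValue $OsKey 'EditionID'
    }
}

function Test-WubState([hashtable]$S) {
    if ($S.DeferUpgrade -ne 1) {
        return 'Deferral policy not enabled: machine stays in the Current Branch.'
    }
    $findings = @("Upgrades deferred $([int]$S.DeferUpgradePeriod) month(s), updates $([int]$S.DeferUpdatePeriod) week(s).")
    if (-not $S.ReleaseId) {
        # Assumption: ReleaseId does not exist on builds older than 1511.
        $findings += 'No ReleaseId: build predates 1511, deferral periods are not honoured.'
    }
    if ($S.AllowTelemetry -eq 0 -and $S.EditionID -match 'Enterprise|Education') {
        $findings += 'Allow Telemetry is 0 (security level): deferral settings have no effect.'
    }
    if ($S.DeferUpdatePeriod -gt 0) {
        $findings += 'Security updates and hotfixes are held back; definition updates are not.'
    }
    if ($S.PauseDeferrals -eq 1) {
        $findings += 'Pause is set: installs wait up to 35 more days; the GPO value must be cleared manually.'
    }
    $findings
}

# Constructed sample values for one Enterprise 1511 machine (not real data).
$sample = @{ DeferUpgrade = 1; DeferUpgradePeriod = 8; DeferUpdatePeriod = 4
             PauseDeferrals = 1; AllowTelemetry = 0; ReleaseId = '1511'; EditionID = 'Enterprise' }
Test-WubState $sample
# On a live machine: Test-WubState (Get-WubState)
```

Run per OU, the output shows which deployment and validation group a machine actually ends up in, rather than the one the GPO was meant to put it in.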

WSUS vs. WUB

Neither the old Defer Upgrades nor the new Defer Upgrades and Updates policy has relevance for you if you are using Windows Server Update Services (WSUS) or a third-party patch management solution. Windows Update for Business (WUB) is only for those businesses that rely on Microsoft’s Windows Update service to deploy Windows updates.

At the beginning of the article, I mentioned that WUB has been considered as an alternative for WSUS, and this is actually true. Like WSUS, WUB enables you to decide when updates and upgrades are installed on specific machines. With the November update, Microsoft improved this capability. However, WSUS certainly gives you much better control here, which is why WUB is only of interest to small businesses.

It is interesting to note that WUB has another feature that makes it a WSUS contender. It is the peer-to-peer delivery technology for Windows updates, also known as Windows Update Delivery Optimization (WUDO). Many organizations only installed WSUS so that not every update has to be downloaded multiple times. Thanks to WUDO, WUB can replace WSUS as a local cache for Windows updates.

System Center Configuration Manager integration

Yet another feature that Microsoft promised when WUB was introduced to the public was the integration with other Microsoft products. With the release of System Center Configuration Manager Technical Preview 4, Microsoft is beginning to fulfill this promise.

SCCM now allows you to list computers that WUB controls. I suppose this is nothing more than reading the registry setting that the Group Policy settings discussed in this post leave behind. As mentioned above, if you use Configuration Manager to deploy patches and feature updates, you don’t really need WUB.

Conclusion

At first sight, it appears that updating Windows has become a lot more complicated. All those branches and rings can be quite confusing. Determining when a certain update will actually be installed on a certain machine can cause you headaches.

However, in practice, I believe that admins will use these new WUB settings just to express their political attitude with regard to updates. Conservative admins of the let’s-stick-with-what-we-know branch will exhaust WUB’s defer features as far as possible. Progressive admins who want their users to benefit from the latest Windows 10 enhancements as soon as possible only need WUB’s WUDO feature.

And, if you work for a business where it is important to determine exactly when and where an upgrade or update is installed, Windows Update for Business is not for you anyway.

11 Comments
  1. Florian 6 years ago

    Hi,

    it seems, there were new options introduced with Win 10 1607.

    Now I can’t choose to delay upgrades up to 8 months but to stay on “Current Branch for Business” and additionally delay the upgrade by 180 days. (And even more with the “Pause Upgrade” switch)

    To my understanding, this means:

    1607 is not yet on CBB. With the policy set to stay on CBB, 1607 will not be forced to my computers.

    When MS some day puts 1607 in the CBB, it would be installed on my PCs, BUT with the second option I can further delay this upgrade by another 180 days.

     

    Do you think this is the way it works? And another question: Do my computers need 1607 for the new policy to take effect?

    Thanks in advance!

     

    Regards, Florian

    • Author
      Michael Pietroforte 6 years ago

      There are indeed changes in Windows 10 1607 with regard to Windows Update. However, I don’t see those additional settings you mentioned. Can you upload a screenshot in the forum where you marked these additional settings?

  2. Anil 6 years ago

    You may defer upgrades, but then when you do want to install them, how do you do it?

  3. Moes 6 years ago

    When you put a machine in CBB, updates will be delayed 4 months from the time the update was pushed to CB. In 1511 you can configure an additional 8 months by GPO. In 1607 the additional 8 months is decreased to an additional 180 days. So 4 months CB + 6 months CBB = 10 months.

    I think, if you use SCCM, after a max of 12 months the 1607 update will be pushed automatically. Can someone confirm this?

     

  4. AcetiK 6 years ago

    Hi,

    We manage our clients through SCCM but we haven’t deployed the new 1607 update but for some reason, some clients (Windows 10 Ent. 1511) are now in 1607…. by themselves….

  5. chutchawan 6 years ago

    If I have WSUS, how do I update Windows 10 CBB and LTSB on WSUS?

  6. Eric 6 years ago

    However, when I enabled Pause Upgrades and Updates (plus gpupdate and reboot), the switch in the Windows 10 settings was activated; when I then set the policy back to Not Configured, the switch stayed activated even though gpresult indicated that the policy was no longer active (after several reboots). I suppose this new policy is not yet ready for prime time.

    Actually the trick here is once you have disabled the group policy change, simply manually asking Windows to “check for updates” will reset the deferral button, now it will be actionable and unchecked once an update check runs.

  7. Author
    Michael Pietroforte 6 years ago

    That’s interesting. Thanks for the tip!

  8. Frank 5 years ago

    So, delay 1697 for 8 months… 8 months from when????

    • Author
      Michael Pietroforte 5 years ago

      It has been a while since I wrote the article, but I guess the cutoff date is when the update is officially released in the corresponding branch.

© 4sysops 2006 - 2022
