Recommended settings for Windows Update for Business

Windows Update for Business (WU4B) is a key component of Microsoft’s Windows service strategy. It’s a free service that offers IT administrators an efficient and effective way to distribute and manage Windows updates on devices running Windows 10 or higher. In this blog post, we will delve into the nuances of WU4B, and quickly guide you through its setup in Microsoft Intune. Also I am going to share some insights to my best practices for you.

Understanding Windows Update for Business (WU4B)

WU4B provides control over the deployment of updates released through Windows Update. It is a part of the Windows Pro, Enterprise, and Education editions. WU4B is designed to be intuitive and provide businesses with the opportunity to directly control critical aspects of the update process such as when and how updates are deployed, which updates are installed, and whether to take immediate action to install critical updates.

Setting Up WU4B in Microsoft Intune

Setting up WU4B in Microsoft Intune involves a few key steps. Here’s a simple step-by-step guide:

Sign In to the Microsoft Endpoint Manager admin center: The first step is to log in to your Intune account. Create an Update Ring: Navigate to Devices > Windows > Windows 10 Update Rings > Create. This allows you to create ‚rings‘ or groups of devices for which you want to manage updates. I would recommend you to create at least 2 different rings.:

• The first ring is for testing purposes where devices get updates early and you can check if there will be any issues. You should assign at least one device per team of your organization to this ring and keep the user of the device in an information loop to see if all apps work with new updates.
• The second ring has a delay of the updates to stat you can wait for feedback from the first ring which acts as pilot devices/users and this ring scopes to all production devices.

Configure Settings: In this step, you can configure the settings for your update ring. This includes settings for software updates, quality updates, feature updates, and other options. In the next section I am going to show you settings that I usually configure for my environments. Assign the Update Ring: After configuring your settings, assign the update ring to a group of users or devices.

A suggestion for my established Windows Update settings from Microsoft Intune

So as I wrote earlier in this post I always create at least 2 different update rings. Now I will tell you what those update ring settings are and why I decided to use them. Those configurations are only an Idea of my best practice implementation – always check if the update settings match to your organization lifecycle.

Pilot Ring

This ring scopes on a dedicated device group where I put at least one device per organization team into. The user of this device has been asked upfront if he wants to be part of the early-adoption group and that he needs to give feedback if there are some issues after updates. You might ask how the user knows if he got updates installed – this can be handled with a proactive communication which you need to create and distribute when updates are scheduled.

As you can see I enable updates for all Microsoft products and Windows drivers. My pilot group usually gets a delay of 2 days for quality updates and 14 days for feature updates. The „Upgrade to Windows 11“ slider is enabled once the customer wants to move devices to Windows 11, but in this example I enabled it too. If there are issues with Quality updates is configured that they can be uninstalled manually with administrative privileges up to 60 days after installation. Of course in an enterprise environment you do not want to use pre-release builds as they are not stable so we let that on „Not configured“ which automatically indicates that we are using a stable build when deploying updates.

Next lets have a look on the User experience settings. Usually I configure working hours so that end-users will not be disturbed during their work times and updates will automatically be installed outside of those times. I think it is OK to let the user check for updates by themself so I like to enable the „Option to check for Windows updates“ but I want to disable all other update notifications to that the experience is mostly quiet. The last option for the deadline settings also is quiet usefully. You can define when updates are enforced to be installed when the user did not had the device online a while or always skipped the needed reboot.

Production Ring

And then there is my production ring which is assigned to devices that are uses productive and where full SLAs need to be fulfilled. The options and my decisions on how I configure them are similar to the pilot ring except that updates are more delayed. Often times this settings are agreed with the customers.

As well as the User experience settings, as you can see they are similar to the pilot group only the delay times are higher:

In my opinion it is very important to discuss those configurations with your customer and keep the users up to date with those settings. For the pilot group you definitely should keep in touch with those users across the organization and proactively inform them when updates or big changes like an In-Place upgrade to Windows 11 are on the way.

Conclusion

In conclusion, Windows Update for Business is an effective tool for managing and controlling Windows updates within a business environment. Its integration with Microsoft Intune simplifies the update process, providing a seamless experience for IT administrators. However, like any tool, getting the most out of WU4B requires understanding its core functionalities and applying the best practices. We hope this blog post has provided you with a clear understanding of WU4B and its setup in Microsoft Intune. With this knowledge, you are well-equipped to manage your Windows updates efficiently and effectively.