How to take control of Windows 10 updates and upgrades (even if you don’t own a business)

 


This article has been extensively updated to incorporate changes in Windows 10. The most recent update was January 17, 2018.

Microsoft delivered Windows Update for Business (a layer of configuration options that controls the free Windows Update service) as part of the very first feature update to Windows 10 four months after its initial 2015 release.

Since then, this much-needed feature has evolved steadily. It allows IT pros to set update policies for an organization. Using settings not available on consumer Windows editions, they can defer and delay updates and upgrades until they’ve been proven safe and reliable.

With the help of Windows Update for Business, you can delay receiving Patch Tuesday updates for up to 30 days. If you’d rather wait a week or two to ensure that an update won’t cause problems on a mission-critical PC, you can set a deferral period of, say, 14 days, giving yourself two weeks to monitor feedback from other users before the update automatically installs.

In addition, you can defer so-called feature updates (the twice-yearly major version upgrades) by about four months by opting to wait until Microsoft declares that update ready for widespread deployment; you can add up to 365 days of additional deferral time after Microsoft makes a feature update available to your servicing channel in Windows Update.

Originally, all of these deferral options required the use of Group Policy settings, which are designed for network administrators to manage large groups of machines using Active Directory on a Windows domain.

You can use those same Group Policy settings on your own unmanaged PC, with no domain required, by using the Local Group Policy Editor (Gpedit.msc).

As of Windows 10 version 1709 (the Fall Creators Update), the task gets even simpler, with most Windows Update for Business options now available in the Settings app.

Windows Update for Business requires a PC or device that supports Group Policy, which means you need Windows 10 Pro, Enterprise, or Education. The device also needs to be configured for the Current Branch for Business. Neither option is available for PCs running Windows 10 Home, where all updates are automatic.

If you meet those requirements, follow these steps to get started.

Using the Windows 10 Settings app

On Windows 10 version 1709, you’ll find all of the Windows Update for Business options by going to Settings > Update & Security > Windows Update > Advanced Options. Under the Choose when updates are installed heading, you should see these three settings.

Options to defer when updates are installed are only available on Windows 10 Pro, Education, and Enterprise editions.

Here’s what each of these settings does:

  • From the first drop-down list, choose a “branch readiness level.” By default, this is Semi-Annual Channel (Targeted), previously known as Current Branch. This setting gives you feature updates as soon as Microsoft releases them to Windows Update. Choose Semi-Annual Channel (equivalent to the former Current Branch for Business) if you want to wait until Microsoft declares the feature update ready for widespread deployment. Typically, this is approximately four months after the update is initially released.
  • From the second drop-down list, choose an additional deferral time, up to 365 days, for feature updates. This deferral period applies to the servicing channel you chose in the previous setting. The default is 0.
  • From the last drop-down list, choose a deferral period of up to 30 days for quality updates such as those delivered each month on Patch Tuesday. Here, too, the default is 0.

It’s worth noting that these settings delay the automatic installation of updates. You can override them at any time by installing updates manually.

Using Group Policy

If you are running Windows 10 version 1703 or earlier, or if you are managing a large number of devices on a Windows domain, you can apply Windows Update for Business settings using Group Policy.

In an enterprise deployment, you’ll do all of the following with the Group Policy Editor or with Mobile Device Management software.

If you’re working with your personal PC or managing a small number of devices on a network that doesn’t have Active Directory, get started by opening the Local Group Policy Editor, Gpedit.msc. (If that instruction is confusing, you should stop right now. Seriously.)

Navigate through the Local Computer Policy tree in the left pane: Computer Configuration > Administrative Templates > Windows Components > Windows Update.

These settings have changed significantly over time. In Windows 10 version 1703, there’s an additional subfolder called Defer Windows Updates. In version 1709 and later, the subfolder is called Windows Update for Business.

In either version, you have separate options to defer feature updates and quality updates. Although the wording is slightly different depending on the version you’re running, the specific policy settings are the same. Here’s an example of what you’ll see if you choose Select when Preview Builds and Feature Updates are received in version 1709.

These settings have moved about as Windows 10 has evolved, but most IT pros should find them without too much hassle.

Double-click a single setting from this list to open a dialog box where you can define policies for the current PC. The Group Policy options let you do everything I described in the previous section using the Settings app in version 1709. (They also include options to configure devices for different Windows Insider Preview rings.)

If you’re not experienced with Group Policy, note that for your update and upgrade schedules to be honored, you have to change this policy setting to Enabled. Set it to Disabled (or back to Not Configured) to restore default Windows 10 update settings.

Regardless of which method you choose, the end result is the same. If you set the delay for quality updates to one or two weeks, you can then watch carefully after each batch of Patch Tuesday updates arrives. If there are no problems, your updates install after the general public has tested them for you. Setting the “Delay updates” value to 30 days effectively puts you a month behind the general population.

If you discover that a pending update is potentially troublesome and you want to prevent it from installing after your deferred installation date, you can use the Pause button. In Windows 10 version 1709, this setting is below the Windows Update for Business settings, under the Pause Updates heading. Slide that switch to On and the updates will be blocked for another 35 days.

Using the Local Group Policy Editor, click the Pause Quality Updates starting check box and enter today’s date. This action effectively blocks all updates or upgrades; the machine will remain paused until you specifically clear the Pause check box (or reverse the associated policy). You can’t delay forever, though; after 35 days, updates automatically resume installing.

Note that definition updates for Microsoft’s security programs cannot be deferred. (If you install a non-Microsoft security program, its update controls take over and Microsoft’s definitions are not downloaded.)

Ironically, one Group Policy option available only in Enterprise and Education editions causes these settings to be completely ignored. If Allow Telemetry is set to 0 (that is, set to the lowest possible level), then Windows Update for Business settings have no effect.
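
An audit check for the policy behaviour described above, as an added example (not from the article or from Microsoft): it applies the 30-day and 365-day limits, the Enabled requirement and the Allow Telemetry caveat to the registry values behind these Group Policy settings. The key paths, value names and channel codes 16/32 are taken from Microsoft's Windows Update for Business documentation rather than this page; Test-WufbPolicy and the sample values are constructed for illustration.

```powershell
# Added example. Registry locations behind the Group Policy settings
# (per Microsoft's documentation, not this article):
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$DcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Test-WufbPolicy {   # hypothetical helper name
    param($Update = @{}, $Telemetry = @{})
    $findings = @()

    $level = $Update.BranchReadinessLevel
    if     ($null -eq $level) { $channel = 'not configured' }
    elseif ($level -eq 16)    { $channel = 'Semi-Annual Channel (Targeted)' }
    elseif ($level -eq 32)    { $channel = 'Semi-Annual Channel' }
    else                      { $channel = "other value ($level)" }

    # A deferral period only applies when its policy is Enabled (DWORD 1).
    $limits = @{ Quality = 30; Feature = 365 }   # maximums stated in the article
    $days   = @{}
    foreach ($kind in 'Quality', 'Feature') {
        $enabled = $Update."Defer${kind}Updates" -eq 1
        $period  = [int]$Update."Defer${kind}UpdatesPeriodInDays"
        if ($period -gt $limits[$kind]) {
            $findings += "$kind deferral of $period days exceeds the $($limits[$kind])-day maximum"
        }
        if ($enabled) { $days[$kind] = $period }
        else {
            $days[$kind] = 0
            if ($period -gt 0) { $findings += "$kind deferral of $period days is set but its policy is not Enabled" }
        }
    }

    # The article's caveat: Allow Telemetry = 0 makes the deferral settings ineffective.
    if ($Telemetry.AllowTelemetry -eq 0) {
        $findings += 'AllowTelemetry is 0: Windows Update for Business settings have no effect'
    }

    [pscustomobject]@{ Channel = $channel; QualityDeferralDays = $days.Quality
                       FeatureDeferralDays = $days.Feature; Findings = $findings }
}

# Constructed sample: quality deferral Enabled at 14 days, feature period set without Enabled.
$sampleUpdate = @{ BranchReadinessLevel = 32; DeferQualityUpdates = 1
                   DeferQualityUpdatesPeriodInDays = 14; DeferFeatureUpdatesPeriodInDays = 180 }
Test-WufbPolicy -Update $sampleUpdate -Telemetry @{ AllowTelemetry = 0 } | Format-List

# On a live PC, pass the registry values instead of the sample:
#   Test-WufbPolicy (Get-ItemProperty $WuKey -ErrorAction SilentlyContinue) `
#                   (Get-ItemProperty $DcKey -ErrorAction SilentlyContinue)
```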