Jump to content

Recommended Posts

I want to make sure I understand this correctly. If I want to deploy Windows Updates to clients that are on the internet (part of our domain but never VPN in) and have those computers download the updates directly from Microsoft, I would only need to setup a Cloud Management Gateway and PKI (if not using AAD) or use Azure AD, correct?


If not, what would I need to setup to do this? 

Share this post

Link to post
Share on other sites

3 hours ago, anyweb said:

you could also use Windows Update for business policies to enforce this, much easier and configurable within ConfigMgr

You can configure it to allow controlled updates to clients that never connect to the domain or local network?

Share this post

Link to post
Share on other sites

it's all documented here


take a look at that and if you have any more questions then post back here

Share this post

Link to post
Share on other sites

it was linked to in the article, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb


Types of updates managed by Windows Update for Business

Windows Update for Business provides management policies for several types of updates to Windows 10 devices:

  • Feature updates: previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
  • Quality updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and can configure devices to receive or not receive such updates along with their Windows updates.
  • Driver updates: these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
  • Microsoft product updates: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.


You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.

Manage which updates are offered

Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.

  • Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
  • Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products.

Manage when updates are offered

You can defer or pause the installation of updates for a set period of time.

Defer or pause an update

A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the Select when Preview Builds and Feature Updates are Received policy.

Category Maximum deferral
Feature updates 365 days
Quality updates 30 days
Non-deferrable none

Pause an update

If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated.

If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.

To pause feature updates use the Select when Preview Builds and Feature Updates are Received policy and to pause quality updates use the Select when Quality Updates are Received policy. For more information, see Pause feature updates and Pause quality updates.

Select branch readiness level for feature updates

The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:

  • Windows Insider Program for Business pre-release updates
    • Windows Insider Fast
    • Windows Insider Slow
    • Windows Insider Release Preview
  • Semi-annual Channel for released updates

Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit Windows Release Information. You can set the branch readiness level by using the Select when Preview Builds and Feature Updates are Received policy. In order to use this to manage pre-release builds, first enable preview builds by using the Manage preview Builds policy.


For the best experience with Windows Update, follow these guidelines:

  • Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
  • Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
  • Make sure that devices have at least 10 GB of free space.
  • Give devices unobstructed access to the Windows Update service.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...