The Updates tab of the Microsoft Silverlight Configuration dialog box enables you to specify when to check for, download, and install Silverlight updates. Why are some settings unavailable? Certain computer configurations can disable features of the Silverlight auto-updater. If Update Options is missing under Product Information, and the About button is the only option available, you either have a volume license or your company is using Group Policy to manage Office updates. Try Microsoft Update to get the latest updates or contact your company help desk. To download an update manually, see Office Updates.
Applies to
Looking for consumer information? See Windows Update: FAQ
Overview
You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See Prepare servicing strategy for Windows 10 updates for more information.
An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path Computer configuration > Administrative Templates > Windows Components > Windows Update.
To manage updates with Windows Update for Business as described in this article, you should prepare with these steps, if you haven't already:
Set up Windows Update for Business
In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See Build deployment rings for Windows 10 updates for more information.
Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:
Set up a ring
Manage Windows Update offerings
You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
Determine which updates you want offered to your devices
Both Windows 10 feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
To enable Microsoft Updates use the Group Policy Management Console go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Install updates for other Microsoft products.
Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates and enable the policy.
We also recommend that you allow Microsoft product updates as discussed previously.
Set when devices receive feature and quality updatesI want to receive pre-release versions of the next feature update
I want to manage which released feature update my devices receive
A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
Example
In this example, there are three rings for quality updates. The first ring ('pilot') has a deferral period of 0 days. The second ring ('fast') has a deferral of five days. The third ring ('slow') has a deferral of ten days.
When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
Ten days later
Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
What if a problem occurs with the update?
In this example, some problem is discovered during the deployment of the update to the 'pilot' ring.
At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the Pause quality updates check box.
Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the next quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
I want to stay on a specific version
If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the Select the target Feature Update version setting instead of using the Specify when Preview Builds and Feature Updates are received setting for feature update deferrals. When you use this policy, specify the version that you want your device(s) to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.
When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.
Manage how users experience updatesI want to manage when devices download, install, and restart after updates
We recommend that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
For more granular control, you can set the maximum period of active hours the user can set with Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart.
It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours.
To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Auto download and schedule the install. You can customize this setting to accommodate the time that you want the update to be installed for your devices.
When you set these policies, installation happens automatically at the specified time and the device will restart 15 minutes after installation is complete (unless it's interrupted by the user).
I want to keep devices secure and compliant with update deadlines
We recommend that you use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an 'engaged restart experience' until the deadline has actually expired. At that point the device will automatically schedule a restart regardles of active hours.
These notifications are what the user sees depending on the settings you choose:
When Specify deadlines for automatic updates and restarts is set (For Windows 10, version 1709 and later):
I want to manage the notifications a user sees
There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications with these values:
0 (default) – Use the default Windows Update notifications1 – Turn off all notifications, excluding restart warnings2 – Turn off all notifications, including restart warnings
Note
Option 2 creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
Still more options are available in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart restart warning notifications schedule for updates. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.
Updates For Other Microsoft Products MissingI want to manage the update settings a user can access
Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting Updates and Security in Settings. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates.When you disable this setting, users will see Some settings are managed by your organization and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features.
Related topics-->
Applies to: Configuration Manager (current branch)
Software updates metadata is retrieved during the synchronization process in Configuration Manager based on the settings that you specify in the Software Update Point component properties. After you synchronize software updates for the first time, or when new products and classifications are released, you must go to the properties to select the new items. Use the following procedure to configure classifications and products to synchronize.
Note
Use the procedure from this section only on the top-level site.
To configure classifications and products to synchronize
Configuring products for versions of Windows 10Windows 10, version 1909
Windows 10, version 1909 shares a common core operating system with Windows 10, version 1903. Both of these versions are serviced with the same cumulative updates. For more information about Windows 10, version 1909, see the Windows 10, version 1909 delivery options blog post.
To make sure both your Windows 10 version 1909 and Windows 10, version 1903 clients install updates from Configuration Manager:
![]() Feature Updates for Windows 10, version 1909
When you approve feature updates for Windows 10, version 1909, there are a few different options you'll see:
Note
Both the enablement package and the traditional feature update for Windows 10, version 1909 will show as 'Installed' in reporting, regardless of which path was used to install it.
Windows 10, version 1903 and later
Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being part of the Windows 10 product like earlier versions. This change caused you to do a number of manual steps to ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for the new product in Configuration Manager version 1906.
Windows 10, version 1903 and later with Configuration Manager version 1906
When you update to Configuration Manager version 1906 and have the Windows 10 product selected for synchronization, the following actions occur automatically:
Enable Updates For Other Microsoft ProductsWindows 10, version 1903 and later with Configuration Manager version 1902
If you are using Configuration Manager 1902 with Windows 10,version 1903 clients, you'll need to:
Windows Insider Program
Starting in September 2019, you can service and update devices running Windows Insider Preview builds with Configuration Manager. This change means you can manage these devices without changing your normal processes or enabling Windows Update for Business. You can download Feature Updates and Cumulative Updates for Windows Insider Preview builds into Configuration Manager just like any other Windows 10 update or upgrade. For more information, see the Publishing pre-release Windows 10 Feature Updates to WSUS blog post.
For more information about support for Windows Insider in Configuration Manager, see Support for Windows 10.
Prerequisites
Enable Windows Insider upgrades and updates
You need to enable the products and classifications for Windows Insider upgrades and updates. Feature Updates, Cumulative updates, and other updates for Windows Insider are under the Windows Insider Pre-Release product category.
Get Updates For Other Microsoft Products Missing Windows 10
Upgrading Windows Insider devices
Once the upgrades for Windows Insiders are synchronized, you can see them from Software Library > Windows 10 Servicing > All Windows 10 Updates.
Deploy Feature Updates for Windows Insider to your target collection just like any other upgrade. However, you'll want to keep the following items in mind when you're deploying these Feature Updates:
Give Me Updates For Other Microsoft Products
For more information on how to deploy upgrades, see Manage Windows as a service.
Keeping Insider devices up-to date![]()
Cumulative Updates for Windows Insider will be available for WSUS and by extension for Configuration Manager. These Cumulative Updates will be released at a frequency similar to Windows 10 version 1903 Cumulative Updates. The Windows Insider Cumulative updates are in the Windows Insider Pre-Release product category and classified as either Security Updates or Updates. You can deploy the Cumulative Updates for Windows Insider using your regular software update process like using automatic deployment rules or phased deployments.
Extended Security Updates and Configuration Manager
The Extended Security Updates (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates (as defined by the Microsoft Security Response Center (MSRC)) for a maximum of three years after the product's End of Extended Support date.
Products that are beyond their support lifecycle aren't supported for use with Configuration Manager. This includes any products that are covered under the ESU program. For example, Windows 7. Security updates released under the ESU program will be published to Windows Server Update Services (WSUS). These updates will appear in the Configuration Manager console. While products that are covered under the ESU program are no longer supported for use with Configuration Manager, the latest released version of Configuration Manager current branch can be used to deploy and install Windows security updates released under the program. The latest released version can also be used to deploy Windows 10 to devices running Windows 7.
Client management features not related to Windows software update management or OS deployment will no longer be tested on the operating systems covered under the ESU program and we don't guarantee that they'll continue to function. It's highly recommended to upgrade or migrate to a current version of the operating systems as soon as possible to receive client management support.
Next steps
Start software updates synchronization to retrieve software updates based on the new criteria. For more information, see Synchronize software updates.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |