Configure Windows Update for business rings, delivery optimization, and compliance
Windows Update for Business Rings
| Settings | Test | Pilot | Fast | Broad | Critical Devices | Comments |
|---|---|---|---|---|---|---|
| Policy name | Test Ring – Install updates immediately | Pilot Ring – Install updates after 2 days | Fast Ring – Install updates after 4 days | Broad Ring – Install updates after 7 days | Critical Ring – Install updates after 10 days. | |
| Microsoft product updates | Allow | Allow | Allow | Allow | Allow | Include updates for other Microsoft products from Windows Update. |
| Windows drivers | Allow | Allow | Allow | Allow | Allow | Include drivers from Windows Update. |
| Quality update deferral period (days) | 0 | 2 | 4 | 7 | 10 | Quality updates is deferred by the specified number of days after they're released. |
| Feature update deferral period (days) | 0 | 10 | 30 | 60 | 90 | Feature updates is deferred by the specified number of days after they're released. |
| Set feature update uninstall period | 30 | 30 | 30 | 30 | 30 | After this period expires, the previous update binaries are removed from the device, and the user can no longer revert to the previous version of Windows. |
| User Experience | ||||||
| Automatic update behavior | Auto install at reboot without end-user control | Auto install at maintenance time, outside of active hours | Auto install at maintenance time, outside of active hours | Auto install at maintenance time, outside of active hours | Auto install at maintenance time, outside of active hours | Active hours are configured to be between 8:00AM to 5:00PM by default. The maintenance time is outside of these hours. |
| Restart checks | Skip | Allow | Allow | Allow | Allow | Update processes (scan, download, install, and reboot) doesn't occur during scheduled Active Hours if this setting is enabled. |
| Option to pause Windows updates | Disable | Disable | Disable | Disable | Disable | Controls if the user is able to pause the installation of updates. |
| Option to check for Windows updates | Enable | Enable | Enable | Enable | Enable | Allow users to manually initiate a Windows Update scan to find, download, and install updates. |
| Change Update notification level | Use the default Windows Update notifications | Use the default Windows Update notifications | Use the default Windows Update notifications | Use the default Windows Update notifications | Use the default Windows Update notifications | |
| Use deadline settings | Allow | Allow | Allow | Allow | Allow | |
| Deadline for feature updates | 0 | 2 | 2 | 2 | 2 | Specifies the number of days before feature updates are installed on a device automatically. |
| Deadline for quality updates (days) | 0 | 2 | 2 | 2 | 2 | Specifies the number of days before quality updates are installed on a device automatically. |
| Grace period (days) | 0 | 2 | 2 | 2 | 2 | Specifies the number of days before a device automatically reboots after installing updates. |
| Auto reboot before deadline | Yes | Yes | Yes | Yes | No | When configured, the device attempts to restart outside of the defined active hours before the configured deadline to install updates. |
Delivery Optimization
| Settings | Configuration | Comments |
|---|---|---|
| Policy name | Production – Win10 – Delivery Optimization | |
| Download mode | HTTP blended with peering behind same NAT (1) | Specifies the Download method that Delivery optimization can use to manage network bandwidth consumption. |
| Bandwidth | ||
| Bandwidth optimization type | Not Configured | |
| Delay background HTTP download (in seconds) | 60 | The setting delays the HTTP download from Microsoft Update to prioritize the peer download. |
| Delay foreground HTTP download (in seconds) | 60 | The setting delays the HTTP download from Microsoft Update to prioritize the peer download. |
| Caching | ||
| Minimum RAM required for peer caching (in GB) | 4 | |
| Minimum disk size required for peer caching (in GB) | 32 | |
| Minimum content file size for peer caching (in MB) | 10 | |
| Minimum battery level required to upload (in %) | 60 | Minimum battery percentage required to allow Delivery Optimization to upload data to peers. |
| Modify cache drive | NA | |
| Maximum cache age (in days) | 7 | Specifies the maximum retention period of each content in the Delivery optimization cache. |
| Maximum cache size type | Not configured | |
| VPN peer caching | Disabled | Configures the device to participate in peer caching when connected over a VPN network. |
| Local Server Caching | ||
| Cache server fully qualified domain names (FQDN) or IP addresses | Optional. Host name of the server hosting the Delivery Optimization Cache Role | Delivery Optimization reference - Windows Deployment | Microsoft Docs. |
| Delay foreground download Cache Server fallback (in seconds) | 60 | The settings delays the fallback from Cache server to HTTP source for foreground content. |
| Delay background download Cache Server fallback (in seconds) | 60 | The settings delays the fallback from Cache server to HTTP source for background content. |
Update Compliance
| Settings | Configuration |
|---|---|
| Policy name | Windows Update Compliance |
| Administrative Templates | Windows Components > Data Collection and Preview Builds |
| Configure the Commercial ID | Enabled |
| CommercialID | {Enter your organizations commercial ID here} |
| System | |
| Allow Commercial Data Pipeline | Enabled |
| Allow device name to be sent in Windows diagnostic data | Allowed |
| Allow Telemetry | Basic |
| Allow Update Compliance Processing | Enabled |
| Configure Telemetry Opt In Change Notification | Enabled |
| Configure Telemetry Opt In Settings UX | Disable Telemetry opt-in Settings |
Windows Update Compliance policy
| Settings | Configuration |
|---|---|
| Policy name | Windows Update Operating System |
| Device Properties | |
| Minimum OS version | 10.0.17134.1 (example value) |
| Maximum OS version | Null |
| Minimum OS version for mobile devices | Null |
| Maximum OS version for mobile devise | Null |
| Valid Operating System Builds | {Empty} |
| Actions for noncompliance | |
| Mark Device noncompliant | Immediately |
| Send email to end-user | 0 |