Windows Update for Business lets IT admins defer damaging patches

New group policy controls for Windows 10 give companies a way to postpone updates for up to four weeks


Microsoft last week gave businesses a way to delay potentially disruptive or even damaging Windows 10 security patches and bug fixes for up to four weeks.

New options for controlling the timing of Windows 10 upgrades and updates arrived as part of Windows 10 version 1511, the upgrade that began rolling out Thursday.

The settings are available to businesses and organizations running Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education, and managing those PCs with the Windows Update for Business (WUB) service that the Redmond, Wash. firm introduced in May.

As part of 1511, Microsoft enabled group policy settings that tell WUB when to deliver both upgrades and updates to Windows 10 PCs. In Microsoft's lexicon, an upgrade is a collection of feature and functionality improvements; they will appear two to three times each year as Microsoft evolves the operating system. Updates, meanwhile, are much less substantial and far more frequent: The security vulnerability fixes that appear each month on Patch Tuesday are classified as updates.

"Windows Update for Business provides IT controls over the deployment of updates within their organizations, while ensuring their devices are kept current and their security needs are met, at reduced management cost," said Terry Myerson, the executive who leads Microsoft's operating system and device division, in a blog post Nov. 12.

Myerson continues to refer to all upgrades and updates as "updates."

Windows Update for Business, an offshoot of Windows Update, the consumer-grade service that has been central to Windows' 20-year-old patching model, has been pitched as a way for companies to manage the perpetual refreshes of Windows 10. WUB is primarily designed to cope with the "Current Branch for Business" (CBB), the upgrade track Microsoft wants to see most corporate Windows 10 devices adopt.

Most consumers are on the faster "Current Branch," an upgrade track that cannot be managed and whose upgrades and updates cannot be deferred. They arrive as Microsoft releases them, then automatically install, with no way for consumers to regulate the tempo or to decline an upgrade or update.


Administrators can now set group policies to control the timing of Windows 10's upgrades and updates, including delaying security and non-security updates for as long as four weeks.

With WUB's new support for group policies, company IT administrators can defer updates to their firm's PCs for up to four weeks, using one-week increments. If an enterprise wanted to prevent Windows 10's security and non-security updates from reaching its Windows 10 PCs for two weeks after their release, its IT staff would enter "2" in the "Defer updates for the following duration (weeks)" field of the group policy "Defer Upgrades and Updates."

Companies can use the one-to-four-week deferrals to block updates from arriving before IT has tested them, or before bugs that may surface after release have been subsequently patched by Microsoft in a re-release.

The delay-updates option, however, is all or nothing: WUB cannot be used to selectively defer some updates but not others. Once a postponement is pushed to PCs using group policies, it affects all updates.

Administrators could, of course, trigger a temporary delay by enabling it for subsets of PCs, or for the entire company's collection, then switch it off later, perhaps after a problematic update had been re-patched. But that could get tiresome.
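The deferral the article describes is a single integer (0 to 4 weeks) applied by the "Defer Upgrades and Updates" group policy, and the toggling-on-and-off workflow described above is easy to lose track of across many PCs. The PowerShell below is an added example, not code from the article or from Microsoft: it reads back the deferral state a PC has actually received, sets it on a lab machine with the one-to-four-week bound enforced, and flags PCs whose state differs from what IT intended. The registry key path and value names (DeferUpgrade, DeferUpdatePeriod, DeferUpgradePeriod, PauseDeferrals) are assumed here from Microsoft's documentation of that policy rather than taken from the article; confirm them against your ADMX templates before relying on them.

```powershell
# Added example (not from the article): audit, set and verify the Windows Update
# for Business deferral that the "Defer Upgrades and Updates" group policy applies.
# ASSUMPTION: the policy writes these values under this key on Windows 10 1511.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WubDeferralState {
    # Report what this PC has actually received, so drift can be spotted.
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Configured = $false
            DeferUpgrade = $false; UpdateWeeks = 0; UpgradeMonths = 0; Paused = $false
        }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Configured    = $true
        DeferUpgrade  = [bool]($p.DeferUpgrade -eq 1)       # on the CBB track (assumed value)
        UpdateWeeks   = [int]$p.DeferUpdatePeriod           # 0..4 weeks, per the article
        UpgradeMonths = [int]$p.DeferUpgradePeriod          # upgrade deferral (assumed value name)
        Paused        = [bool]($p.PauseDeferrals -eq 1)     # temporary pause (assumed value name)
    }
}

function Set-WubUpdateDeferral {
    # Apply an update deferral locally; 0 clears it. The article's limit is four
    # weeks in one-week steps, so anything outside 0..4 is rejected up front.
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$Weeks)

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DeferUpgrade      -Value 1      -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DeferUpdatePeriod -Value $Weeks -Type DWord
    Get-WubDeferralState
}

function Test-WubDeferralCompliance {
    # Compare the state a PC reports against what IT intended. Because the
    # deferral is all-or-nothing and is toggled on and off, a machine left at
    # a longer delay than planned is quietly missing security updates.
    param(
        [Parameter(Mandatory)][pscustomobject]$State,
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$ExpectedWeeks
    )
    $problems = @()
    if (-not $State.Configured)               { $problems += 'no WUB deferral policy applied' }
    if ($State.UpdateWeeks -ne $ExpectedWeeks) { $problems += "update deferral is $($State.UpdateWeeks) weeks, expected $ExpectedWeeks" }
    if ($State.Paused)                         { $problems += 'deferrals are paused; updates are not flowing at all' }
    [pscustomobject]@{
        Computer  = $State.Computer
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Usage on a lab PC: defer updates two weeks (the article's example), then check.
# $state = Set-WubUpdateDeferral -Weeks 2
# Test-WubDeferralCompliance -State $state -ExpectedWeeks 2
#
# Fleet audit from an admin workstation (computer names are placeholders):
# Invoke-Command -ComputerName 'PC-01','PC-02' -ScriptBlock ${function:Get-WubDeferralState} |
#     ForEach-Object { Test-WubDeferralCompliance -State $_ -ExpectedWeeks 2 } |
#     Where-Object { -not $_.Compliant }
```

Set-WubUpdateDeferral writes the local policy key directly, which is only appropriate on a test machine: on a domain-joined PC the group policy object is authoritative and will overwrite the local value at the next refresh. The two read-only functions are the useful part in production, run remotely after the policy is pushed and again after it is switched off, so that the temporary-delay workflow the article describes does not leave PCs stranded on a longer deferral than intended.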

Enterprises have been skeptical about Microsoft's Windows 10 maintenance model for a host of reasons, but one concern has been that WUB might not offer a mechanism to keep buggy updates from reaching machines. IT administrators wondered how they would be able to delay updates that others had reported as botched, updates that broke other applications, including those the companies had created in-house.

The concern boiled down to one about Microsoft's ability to craft quality updates, a well-founded worry because of a long string of security or bug fixes that have crippled devices or caused other applications to crash. One of November 12's security updates for Windows 7, for example, resulted in crashes of Microsoft's Outlook email client, requiring Microsoft to reissue the update several days later.

Enterprises can postpone Windows 10 updates or even ignore them entirely using other tools, like Windows Server Update Services (WSUS) or System Center Configuration Manager, which they've run for years. But until Windows 10 1511 and its support for group policies, there was no word on whether even some basic flexibility would be included in WUB.

"Both upgrades and updates can be deferred from deployment to client machines by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update service," Microsoft said in WUB documentation it published last week. "This deferral capability allows administrators to validate deployments as they are pushed to all their Windows Update for Business enrolled clients."

The same delays are unavailable to consumers running Windows 10 Home, or to individuals running Windows 10 Pro, which does not offer a way to defer updates from the Settings section of the OS even if the user has manually switched to the CBB track and postponed upgrades. Small businesses that do not manage their PCs using group policies also cannot block updates for the four-week stretch.

Windows 10 1511's support for WUB and group policies does not affect another concern of IT, that the operating system's updates are rolled out as cumulative packages. Windows 10's Nov. 10 cumulative update, for instance, contained six different security updates.

It's impossible to untangle the cumulative updates no matter what patch system one uses, including WUB. Even businesses that rely on the more granular WSUS have only an either-or option: block a specific cumulative update, and thus receive nothing embedded in it, or approve the update and take everything, including past fixes that may have broken Windows or third-party application compatibility.

Copyright © 2015 IDG Communications, Inc.
