- Author: Phil Helmling
- Updated By: helmlingp@vmware.com
- Date updated: 8/16/2022
- Supported Platforms: Windows 10 Desktop 1803 and above
- Supported SKUs: Home, Pro, Enterprise, Education
- Tested on: Windows 10 1809 Enterprise and higher
These sample configuration files are to be used together, deploying one Quality Update (QU) Ring profile, one Feature Update (FU) Ring profile and one Delivery Optimization profile. Combined, these profiles control Windows 10/11 Update settings as referenced below, with the following design principles:
- Auto-Approved Updates
- Deferrals to control deployment and risk
- Delivery Optimization to control/improve download usage
- Rapid device compliance
- The best user experience
TargetReleaseVersion policy in the FU Ring policy should be used to keep your devices locked to a specific Feature Upgrade version. This means that you are no longer "approving" or "deferring" the feature upgrade. The device will simply go to (or stay on) the value that is in the profile. ProductVersion in the FU Ring policy should be used to keep your devices locked to a specific OS version, for example locked to Windows 10 or forced to upgrade to Windows 11.
The following settings should be reviewed and adjusted to deliver the required outcome for your environment, as well as your risk and compliance requirements. In general, all Quality Update Profiles are similar except for deferral period in days, and likewise for Feature Update Profiles. Only the settings that need review are noted here. The Windows 10/11 Update CSP Reference as noted below should be referenced for all settings.
- Update/AllowAutoUpdate - This automatically installs the update but prompts the user to restart when complete as per the deadline & grace period settings (required).
- Update/AllowMUUpdateService - Allows device to pull updates for Microsoft apps.
- Update/BranchReadinessLevel - Sets the branch to the semi-annual channel (only change if using the Insider Preview Channel for UAT/Test devices).
- Update/AutoRestartDeadlinePeriodInDays - Deadline in days before automatically executing a scheduled restart outside of active hours.
- Update/ConfigureDeadlineForQualityUpdates - Deadline in days to install quality updates once the device sees them. Before the deadline is reached, the device will attempt to install outside of active hours. Once the deadline is reached it will install as soon as possible.
- Update/DeferQualityUpdatesPeriodInDays - How many days from Quality Update release before device sees it. This is how you build out your rings.
- Update/ConfigureDeadlineGracePeriod - How many days the user has to reboot the device. The user can “Pick a Time”, “Restart Tonight” or “Restart Now”.
- Update/ExcludeWUDriversInQualityUpdate - Exclude Drivers in the WU Catalog being offered for install.
- Update/SetDisablePauseUXAccess - Remove the ability for a user to Pause Updates in the UI.
- Update/UpdateNotificationLevel - Defines which Windows Update notifications users see.
- Update/ConfigureDeadlineForFeatureUpdates - Deadline in days to install the feature update once the device sees it. Before the deadline is reached, the device will attempt to install outside of active hours. Once the deadline is reached it will install as soon as possible.
- Update/ConfigureDeadlineGracePeriodForFeatureUpdates - Specify a minimum number of days until restarts occur automatically for feature updates.
- Update/ConfigureFeatureUpdateUninstallPeriod - How long you can uninstall/roll back a feature upgrade after it is installed. The rollback files take up disk space, so it is best not to set this too long. I've set it to 14 days in the example profiles.
- Update/DeferFeatureUpdatesPeriodInDays - How many days from Feature Update release before device sees it. This is how you build out your rings.
- Update/ProductVersion - Specifies which major Windows Desktop version (e.g. Windows 10) to move the device to, or stay on, until that major version reaches end of service.
- Update/TargetReleaseVersion - Specifies which minor Windows Desktop version (e.g. 21H1) to move the device to, or stay on, until that minor version reaches end of service.
- DeliveryOptimization/DODownloadMode - Set to Use Peers on Same Local Network. Used in conjunction with DOGroupId, this provides secure peer-to-peer sharing of updates.
- DeliveryOptimization/DOGroupId - A GUID that specifies which devices to peer with. Can be any GUID generated in either PowerShell or another GUID generator such as VMware Policy Builder. It does not have to be the Azure AD Tenant ID.
- DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth - Sets the hours of the day to limit background download of updates, as well as the percentage of bandwidth utilised.
- DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth - Sets the hours of the day to limit foreground download of updates, as well as the percentage of bandwidth utilised.
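As an added example (not one of the repository's sample XML files), the script below generates the Workspace ONE custom-settings SyncML ("Install Settings" plus the matching "Remove Settings") for a Quality Update ring, using the Update CSP nodes listed above; the ring names, day counts and AllowAutoUpdate value are assumptions chosen to match the descriptions, so adjust them to your own rings.

```powershell
# Added example: build the Install/Remove Settings SyncML for one QU ring.
# Node names are Update CSP nodes; values are constructed for illustration.
$CspBase = './Device/Vendor/MSFT/Policy/Config/Update/'

function New-QualityUpdateRingSyncML {
    param(
        [Parameter(Mandatory)] [int] $DeferDays,   # what makes this a ring: days after release before the device sees the QU
        [int] $DeadlineDays = 3,                   # ConfigureDeadlineForQualityUpdates
        [int] $GraceDays    = 2                    # ConfigureDeadlineGracePeriod
    )
    # Ordered so that CmdIDs line up between Install Settings and Remove Settings.
    $settings = [ordered]@{
        AllowAutoUpdate                    = @{ Type = 'int'; Value = 1 }          # auto install, prompt user to restart (assumed value)
        DeferQualityUpdatesPeriodInDays    = @{ Type = 'int'; Value = $DeferDays }
        ConfigureDeadlineForQualityUpdates = @{ Type = 'int'; Value = $DeadlineDays }
        ConfigureDeadlineGracePeriod       = @{ Type = 'int'; Value = $GraceDays }
        SetDisablePauseUXAccess            = @{ Type = 'int'; Value = 1 }          # user cannot pause updates
    }
    $install = [System.Text.StringBuilder]::new()
    $remove  = [System.Text.StringBuilder]::new()
    $cmdId = 1
    foreach ($node in $settings.Keys) {
        $s = $settings[$node]
        $locUri = "$CspBase$node"
        [void]$install.AppendLine("<Replace><CmdID>$cmdId</CmdID><Item><Target><LocURI>$locUri</LocURI></Target>" +
            "<Meta><Format xmlns=`"syncml:metinf`">$($s.Type)</Format></Meta><Data>$($s.Value)</Data></Item></Replace>")
        # Remove Settings delete the node so the device returns to defaults when the profile is removed.
        [void]$remove.AppendLine("<Delete><CmdID>$cmdId</CmdID><Item><Target><LocURI>$locUri</LocURI></Target></Item></Delete>")
        $cmdId++
    }
    [pscustomobject]@{ InstallSettings = $install.ToString(); RemoveSettings = $remove.ToString() }
}

# Two rings that differ only in deferral, as described above (constructed names).
$rings = [ordered]@{ 'QU Ring 1 - Pilot' = 0; 'QU Ring 2 - Broad' = 7 }
foreach ($name in $rings.Keys) {
    $xml = New-QualityUpdateRingSyncML -DeferDays $rings[$name]
    "==== $name : Install Settings ===="; $xml.InstallSettings
    "==== $name : Remove Settings ====";  $xml.RemoveSettings
}
```

Paste the Install Settings output into the profile's "Install Settings" box and the Delete commands into "Remove Settings"; a Feature Update ring would add the FU nodes (DeferFeatureUpdatesPeriodInDays, ProductVersion, TargetReleaseVersion) in the same way, with TargetReleaseVersion and ProductVersion using the chr format.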
Installs or uninstalls a Windows Update Quality Update KB without waiting for the WU schedule. Helps with deploying zero-day/urgent patches. Uses the https://www.powershellgallery.com/packages/PSWindowsUpdate module, which is installed automatically.
Hides or unhides a Windows Update KB. WU will then install as per the existing schedule. Helps with incompatible updates such as drivers, and can be used instead of the GUI tool: https://support.microsoft.com/en-us/windows/hide-windows-updates-or-driver-updates-5df410a1-90f7-b744-0682-43be9c8fa17c. Uses the https://www.powershellgallery.com/packages/PSWindowsUpdate module, which is installed automatically.
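The following is an added example of the same idea, not the repository's own scripts: one script that installs, uninstalls, hides or unhides a single KB on demand with the PSWindowsUpdate module, so an urgent patch or a problem driver is handled outside the ring's deferral schedule. The `-IgnoreReboot` switch on `Remove-WindowsUpdate` is assumed to behave as on `Get-WindowsUpdate`; the restart itself is left to the deadline and grace-period settings of the ring profile.

```powershell
# Added example (not the repository's script): on-demand KB handling with PSWindowsUpdate.
# Run elevated, e.g. from a UEM script deployed as SYSTEM.
param(
    [Parameter(Mandatory)] [ValidatePattern('^KB\d{6,7}$')] [string] $KB,   # e.g. KB5005565 (illustrative)
    [Parameter(Mandatory)] [ValidateSet('Install', 'Uninstall', 'Hide', 'Unhide')] [string] $Action
)

# Install the module on first use; a clean device needs the NuGet provider and a trusted PSGallery.
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
}
Import-Module PSWindowsUpdate

switch ($Action) {
    # Install immediately; do not reboot here, the ring's deadline/grace period drives the restart.
    'Install'   { Get-WindowsUpdate -KBArticleID $KB -MicrosoftUpdate -Install -AcceptAll -IgnoreReboot }
    # Uninstall a bad quality update; -IgnoreReboot assumed to match Get-WindowsUpdate.
    'Uninstall' { Remove-WindowsUpdate -KBArticleID $KB -Confirm:$false -IgnoreReboot }
    # Hidden updates are skipped by the scheduled scan until they are unhidden again.
    'Hide'      { Get-WindowsUpdate -KBArticleID $KB -MicrosoftUpdate -Hide -AcceptAll }
    'Unhide'    { Get-WindowsUpdate -KBArticleID $KB -MicrosoftUpdate -IsHidden -Hide:$false -AcceptAll }
}

# Show the resulting state so the UEM script log records what happened.
Get-WUHistory -MaxDate (Get-Date).AddDays(-1) | Where-Object { $_.Title -match $KB } | Format-Table Date, Result, Title -AutoSize
```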
- At the top of UEM console, click Add > Profile. Select Windows > Windows Desktop > Device Profile.
- Fill out the General tab as appropriate. I recommend setting the profile to "optional" while you test. Assign a Smart Group as well.
- On the left side of the window at the bottom click on Custom Settings and then Configure.
- Click on the sample XML file and then click "raw". Copy and paste into the "Install Settings" section of the UEM profile.
- Optionally configure the "Remove Settings".
- Click Save and Publish.
- Go to device details > Profile tab. Find the profile and install it on the device.
- It should show green as successfully installed. You can check on the device to see the values applied by going to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update.
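An added example (not part of the repository) of the last step done from the device side: it reads the Update policy values the profile wrote under the PolicyManager key named above and compares them with the values expected for the ring, so a device can be checked without the console. The expected values are constructed for illustration.

```powershell
# Added example: verify the applied Update CSP values against the ring's expected values.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Expected values for one ring (constructed); keep in sync with the profile XML.
$Expected = [ordered]@{
    AllowAutoUpdate                    = 1
    DeferQualityUpdatesPeriodInDays    = 7
    ConfigureDeadlineForQualityUpdates = 3
    ConfigureDeadlineGracePeriod       = 2
    SetDisablePauseUXAccess            = 1
    ProductVersion                     = 'Windows 10'
    TargetReleaseVersion               = '21H2'
}

function Test-UpdateRingCompliance {
    param([string] $Key = $PolicyKey, [System.Collections.IDictionary] $Want = $Expected)
    # Missing key means no Update policy has been applied to the device at all.
    $applied = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Want.Keys) {
        # A missing value means the profile has not applied or the node was left out of the XML.
        $actual = if ($applied -and $applied.PSObject.Properties[$name]) { $applied.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Want[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($Want[$name])")   # string compare covers DWORD vs SZ
        }
    }
}

$result = Test-UpdateRingCompliance
$result | Format-Table -AutoSize
if ($result.Compliant -contains $false) { Write-Warning 'Device is not on the expected Update ring.' }
```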
- Merged SharedSettings into each Quality and Feature Update Ring profile to provide flexibility of deployment.
- Added recommended settings for Quality Update and Feature Update profiles.
- Added recommended settings for Delivery Optimization profile & example for second location.
- Added Pause Quality Updates and Pause Feature Updates profiles.