WSUS updates and Windows Update for Business deferral policy

  • Question

  • Hello,

    my WSUS server received the list of Windows 10 1903 feature updates last night.

    I did not clearly understand how and if WSUS deploys updates (feature or quality ones) when Windows Update for Business (WUFB) is enabled on clients as well. I defined a GPO for my client workstations which sets the following:

    - Select when Preview Builds and Feature Updates are received :: ENABLED --> Semi-Annual Channel --> 180 days of deferral period.

    - Select when Quality Updates are received :: ENABLED --> defer for 14 days.

    I recently read about the dual scan behaviour of Windows Update and for that reason I enabled in the above GPO the "Do not allow update deferral policies to cause scans against Windows Update" setting. So I expect that all updates are not downloaded from Windows Update servers but from WSUS (right?).

    Now my question is: if I approve the 1903 feature updates in WSUS, are they immediately sent to clients for installation or do they follow the deferral policies of Windows Update for Business? So, in other words, does WSUS (or WUFB) have priority over the other?

    Thank you.

    Riccardo

    Wednesday, May 22, 2019 9:18 PM

All replies

  • Now my question is: if I approve the 1903 feature updates in WSUS, are they immediately sent to clients for installation or do they follow the deferral policies of Windows Update for Business? So, in other words, does WSUS (or WUFB) have priority over the other?


    https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

    Note that WSUS still ignores all deferral policies that have been configured,......


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, May 22, 2019 9:39 PM
  • WuFB is basically giving you control about how much delay/deferral you want before 'Quality Updates' or 'Feature Updates' are installed.

    WuFB wasn't intended to be used with WSUS at all, that's why, when WuFB was released, it was poorly understood by WSUS admins, and dual-scan became such a big problem.

    If you are using WSUS, there's no need for you to use WuFB at all. You can achieve control using WSUS by *not approving* updates until you are ready.
    WuFB doesn't give you anything over that (except maybe extra confusion).


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, May 22, 2019 9:42 PM
  • Hello Don and thanks for your reply. I had already read that post you linked above before I started this thread, but it is quite controversial, as far as I understand.


    For instance, the following raised many doubts in my mind (text from the TechNet blog):

    In order for Dual Scan to be enabled, the Windows Update client now also requires that the "Do not allow update deferral policies to cause scans against Windows Update" is not configured. In other words, if this policy is enabled, then changing the deferral policies in a WSUS environment will not cause Dual-Scan behavior. This allows enterprise administrators to mark their machines as "Current Branch for Business," and to specify that feature updates should not be delivered before a certain amount of days, without worrying that their clients will start scanning Windows update unbidden. This means that usage of deferral policies is now supported in the on-premises environment...

    In particular, the text in bold above is very confusing; it even speaks about the ability to deliver feature updates not before a certain amount of days. I am not a 100% WSUS expert, so I read many posts, even from Microsoft itself, but I often find most of them a little bit confusing.

    Thank you.


    • Edited by R99photo Thursday, May 23, 2019 8:09 AM
    Thursday, May 23, 2019 8:00 AM
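
The dual-scan condition from the blog text quoted in the post above, written as a client-side policy check. This is an added example, not part of the thread or of Microsoft's tooling. The function names and the sample WSUS URL are hypothetical; the registry value names are the ones the Windows Update group policies write. It covers only the condition as quoted, not every cause of dual scan.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Decides whether the quoted dual-scan condition is met for a set of policy values.
function Test-DualScanRisk {
    param([hashtable]$Policy)   # value name -> data; a missing key means "not configured"

    # Client is pointed at a WSUS server
    $usesWsus  = ($Policy['UseWUServer'] -eq 1) -and [bool]$Policy['WUServer']
    # Any WUfB deferral policy is enabled (feature or quality updates)
    $deferrals = ($Policy['DeferFeatureUpdates'] -eq 1) -or ($Policy['DeferQualityUpdates'] -eq 1)
    # "Do not allow update deferral policies to cause scans against Windows Update"
    $blocked   = ($Policy['DisableDualScan'] -eq 1)

    [pscustomobject]@{
        UsesWsus         = $usesWsus
        DeferralsSet     = $deferrals
        DualScanBlocked  = $blocked
        DualScanPossible = ($usesWsus -and $deferrals -and -not $blocked)
    }
}

# Reads the live policy values from the local machine (run on a client).
function Get-WindowsUpdatePolicy {
    $root   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $result = @{}
    foreach ($key in $root, "$root\AU") {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider's own PSPath/PSParentPath/... properties
                if ($p.Name -notlike 'PS*') { $result[$p.Name] = $p.Value }
            }
        }
    }
    $result
}

# Constructed sample mirroring the GPO described in the question.
$sample = @{
    WUServer            = 'http://wsus.example.internal:8530'   # constructed URL
    UseWUServer         = 1
    DeferFeatureUpdates = 1; DeferFeatureUpdatesPeriodInDays = 180
    DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 14
    DisableDualScan     = 1
}
Test-DualScanRisk -Policy $sample                      # deferrals set, dual scan blocked

$withoutBlock = $sample.Clone(); $withoutBlock.Remove('DisableDualScan')
Test-DualScanRisk -Policy $withoutBlock                # same GPO without the blocking policy

# On a real client: Test-DualScanRisk -Policy (Get-WindowsUpdatePolicy)
```
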
  • So first.... You have dual scan going on.

    https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/

    Second, you don't want to mix WUfB and WSUS together.

    https://www.ajtek.ca/wsus/windows-update-for-business-why-should-i-choose-it/

    WUfB is the Modern management technique whereas WSUS is the classic way. It's like AD vs AAD (classic vs Modern).


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, May 25, 2019 4:14 AM