Windows Updates: Deferral and Pause
Windows Update for Business adds many new capabilities, including the ability to defer and pause both feature and quality updates on devices. The ability to defer allows your organization additional time to validate that the latest updates from Microsoft won’t adversely affect critical applications or functionality within your business. The ability to pause allows your organization to prevent the continued rollout of updates, should you find an issue after the initial validations are completed. While both can be useful, it helps to understand how they function and what to expect when configuring them for use.
Feature updates can be deferred from 0 - 365 days from the original availability date. Release information is published at Windows 10 release information and the availability date is from the day the value configured first begins. It’s important to note that if a version is revised, the revision date does not reset the deferral period. The other consideration is that a feature update always supersedes a quality update when both are available to a device. For example, if version 1909 is available to a 1903 device and any quality updates applicable to 1903 are also available, they will not be offered to the device. Here are two value examples:
Value set to 0 – Device will scan Microsoft Update at the configured scan frequency interval. If available, the Feature Update will be discovered and report into UEM as available on the device.
Value set to 180 – Device will scan Microsoft Update at the configured scan frequency interval. If available, the Feature Update will not be discovered and UEM will not report any availability until the deferral period has lapsed.
Feature updates are currently released twice a year during spring and fall. This means that the deferral value has the ability to overlap on multiple releases. The deferral value configured will be applied to every release, not just the first one affected by the policy. Here are two value examples:
Value set to 0, New version is released after 170 days – The original version will be available to the device immediately and report into UEM. On day 170, the new version will be available and report into UEM. Once the new version becomes available, the original will no longer be discoverable by the device and UEM will display the original as Replaced.
Value set to 180, New version is released after 170 days – On day 181, the original version will become available to the device and report into UEM. 180 days after day 170, the new version will become available to the device and report into UEM. Once the new version becomes available, the original will display in UEM as Replaced and devices will no longer be able to obtain the original.
Quality updates are released on a regular basis throughout each month and can be deferred from 0 - 30 days. Release information is published at Microsoft Update Catalog and is also displayed in UEM under device updates for each individual KB published. Quality updates function similarly to feature updates with a few key differences:
While a Feature Update is a single classification, Quality Updates have multiple classifications they can fall under. Many policies can apply to individual classifications, but a deferral policy only applies to the entire set of classifications. Individual classifications and/or patches (KB’s) can’t be deferred.
Updates classified as Critical in addition to Definition, Servicing Stack and Security have the ability to not adhere to deferral policy and can be discoverable at any time by a device.
Any updates included in a new monthly Cumulative Update or Feature Update will show as Replaced in UEM if previously discovered and Unknown if no discovery occurred prior to the new update becoming available.
Feature updates can be paused for 60 days and quality updates can be paused for 35 days. Both have a configurable start date and time. Unlike deferral, which can use any value, you can only activate or deactivate the pause policy. A pause policy lasts until 60 (feature) or 35 (quality) days is reached or until deactivated, whichever comes sooner. When no pause policy is configured (deactivated), updates will become discoverable by the device.
It’s important to note that when a pause policy is configured, it removes any updates already discovered by the device, allowing it to re-evaluate against Windows Update. This will result in UEM displaying the previously Available updates as Unknown until rediscovery.