Type

  • Blog

Level

  • Overview

Category

  • Announcement

OS/Platform

  • Windows 10

Phase

  • Manage

Use-Case

  • Windows Delivery

Product Line Manager, R&D, VMware
Ryan serves as a Product Line Manager for the Windows platform. He recently joined VMware after having spent many years as a customer, integrating and leveraging VMware products to create new solutions and solve large-scale workforce technology challenges. While typically known as an Apple evangelist, Ryan now looks to refine and improve the Windows platform as customers begin adopting Windows 10 at scale.

Windows Updates: Deferral and Pause

June 09, 2020

Windows Update for Business adds many new capabilities, including the ability to defer and pause both feature and quality updates on devices. The ability to defer allows your organization additional time to validate that the latest updates from Microsoft won’t adversely affect critical applications or functionality within your business. The ability to pause allows your organization to prevent the continued rollout of updates, should you find an issue after the initial validations are completed. While both can be useful, it helps to understand how they function and what to expect when configuring them for use.

A screenshot of a cell phone</p>
<p>Description automatically generated

Deferral

Feature updates can be deferred from 0 - 365 days from the original availability date. Release information is published at Windows 10 release information and the availability date is from the day the value configured first begins. It’s important to note that if a version is revised, the revision date does not reset the deferral period. The other consideration is that a feature update always supersedes a quality update when both are available to a device. For example, if version 1909 is available to a 1903 device and any quality updates applicable to 1903 are also available, they will not be offered to the device. Here are two value examples:

Value set to 0 – Device will scan Microsoft Update at the configured scan frequency interval. If available, the Feature Update will be discovered and report into UEM as available on the device.

Value set to 180 – Device will scan Microsoft Update at the configured scan frequency interval. If available, the Feature Update will not be discovered and UEM will not report any availability until the deferral period has lapsed.

Feature updates are currently released twice a year during spring and fall. This means that the deferral value has the ability to overlap on multiple releases. The deferral value configured will be applied to every release, not just the first one affected by the policy. Here are two value examples:

Value set to 0, New version is released after 170 days – The original version will be available to the device immediately and report into UEM. On day 170, the new version will be available and report into UEM. Once the new version becomes available, the original will no longer be discoverable by the device and UEM will display the original as Replaced.

Value set to 180, New version is released after 170 days – On day 181, the original version will become available to the device and report into UEM. 180 days after day 170, the new version will become available to the device and report into UEM. Once the new version becomes available, the original will display in UEM as Replaced and devices will no longer be able to obtain the original.

Quality updates are released on a regular basis throughout each month and can be deferred from 0 - 30 days. Release information is published at Microsoft Update Catalog and is also displayed in UEM under device updates for each individual KB published. Quality updates function similarly to feature updates with a few key differences:

While a Feature Update is a single classification, Quality Updates have multiple classifications they can fall under. Many policies can apply to individual classifications, but a deferral policy only applies to the entire set of classifications. Individual classifications and/or patches (KB’s) can’t be deferred.

Updates classified as Critical in addition to Definition, Servicing Stack and Security have the ability to not adhere to deferral policy and can be discoverable at any time by a device.

Any updates included in a new monthly Cumulative Update or Feature Update will show as Replaced in UEM if previously discovered and Unknown if no discovery occurred prior to the new update becoming available.

Pause

Feature updates can be paused for 60 days and quality updates can be paused for 35 days. Both have a configurable start date and time. Unlike deferral, which can use any value, you can only enable or disable the pause policy. A pause policy lasts until 60 (feature) or 35 (quality) days is reached or until disabled, whichever comes sooner. When no pause policy is configured (disabled), updates will become discoverable by the device.

It’s important to note that when a pause policy is configured, it removes any updates already discovered by the device, allowing it to re-evaluate against Windows Update. This will result in UEM displaying the previously Available updates as Unknown until rediscovery.

Filter Tags

  • Overview
  • Announcement
  • Blog
  • Windows 10
  • Manage
  • Windows Delivery
June 09, 2020

Product Line Manager, R&D, VMware
Ryan serves as a Product Line Manager for the Windows platform. He recently joined VMware after having spent many years as a customer, integrating and leveraging VMware products to create new solutions and solve large-scale workforce technology challenges. While typically known as an Apple evangelist, Ryan now looks to refine and improve the Windows platform as customers begin adopting Windows 10 at scale.

Comments

jlankford@vmware.com
Seemingly this is being presented as a new feature. This has already been available in the profile. I don't see anything that has changed. Am I missing something? Additionally, when saying "Updates classified as Critical in addition to Definition, Servicing Stack and Security have the ability to not adhere to deferral policy and can be discoverable at any time by a device." does this mean there is an option to adhere or not adhere to the deferral policy? If so, how is that controlled?
By jlankford@vmware.com
June 10, 2020
Ryan Kremkau
This was intended to provide some additional context around how deferral and pause functionality works as we get many questions related to the policies, it was never intended to present as a new feature. The tagging looks correct but where is this showing as a new feature? There is no ability to control the adherence to policy for the update classifications described. This is controlled by Microsoft and is not something they inform on, other then broadly defining which items it's subject to. This is something we think many folks are also unaware of and why we are hoping to get more information like this out. Appreciate the questions and feedback!
By Ryan Kremkau
June 10, 2020