Configure Windows 10 Updates
Keeping computers safe and protected from external threats such as malware and hackers is a big challenge. In earlier versions of Windows, you could decide whether the operating system is automatically updated with the latest features, security updates, and fixes through the Windows Update feature. Many users chose to disable automatic updates, and these computers were then vulnerable. With over a billion Windows devices worldwide, even if this number was a small percentage of the total, it could mean millions of users were unprotected.
Windows 10 is the latest version of Windows, and it will continually benefit from new feature upgrades rolled out through Windows Update. To enhance the security protection delivered in Windows 10, the consumer can no longer turn off security updates or upgrades. Enterprise users can still choose to test updates and deliver them internally, using Windows Server Update Service (WSUS) or other management tools to keep their devices updated. For organizations that require deployment of a static installation of Windows 10 that will not have upgrades, Microsoft ships a special build of Windows 10.
Windows Update options
With Windows as a service, Windows 10 will receive security updates as they are required in addition to a regular schedule of rollup updates and feature upgrades. The process of continually bringing your computer up to date is known as servicing. It is expected that new features will appear two to three times a year. During the year, several milestone builds will be available to volume licensing, system builders, and MSDN customers; such milestone builds will include all updates and upgrades built in and serve as the latest start point for a new installation or upgrade.
It is important to distinguish the different types of Windows 10 updates.
- Servicing updates: Regular security updates and software updates.
- Feature upgrades: New features and functionality.
Both types will be cumulative and contain all previous updates, which reduces the likelihood of a hacker or malware attack through a missing update.
Feature upgrades are mandatory and must be applied within one year for the following versions of Windows 10.
- Windows 10 Home
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Education
Upgrades are delivered to devices running Windows 10 Home when Microsoft releases them. When downloaded to the device, the upgrades are installed immediately.
Enterprise editions of Windows 10 (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) are configured for immediate installation of feature upgrades by default, but you can configure the device to defer the installation in the Settings app. Typically, this defers the upgrades four to six months after they are provided to consumer devices. Through Group Policy, you can defer upgrades for up to one year.
A new special build of Windows 10, available only to enterprise customers, called the Long Term Servicing Branch (LTSB), will be available and won't force feature upgrades.
Windows Update settings
As with earlier versions of Windows, security updates will continue to be distributed on the second Tuesday of each month by Windows Update, and additional reliability improvements, hardware driver updates, and ad hoc security updates will be pushed out through Windows Update.
New Windows features will be delivered in update packages that behave just like complete in-place upgrades. This might alarm some users, especially those who never allowed updates on earlier versions of Windows. You can choose how updates are applied to your computers. This can be through the Settings app or by Group Policy.
To configure Windows Update settings on a computer, follow these steps.
- Click the Start button and open Settings.
- Click Update & Security, Windows Update. The Windows Update page opens.
- Review the date and time Windows last checked for updates.
- Click Check For Updates.
- To configure and control Windows Update in more detail, click Advanced Options.
The Choose How Updates Are Installed dialog box opens.
On the Advanced Options page, choose one of the following options to configure how updates are installed.
- Automatic (Recommended):
Windows 10 downloads and applies updates and, if necessary, your computer restarts automatically when it is not in use.
- Notify To Schedule Restart:
Windows 10 downloads and applies updates and, if it needs to restart, you can schedule a restart time to apply the updates.
The check boxes enable you to configure the following options.
- Give Me Updates For Other Microsoft Products When I Update Windows:
This enables Windows Update to keep other Microsoft products, such as Microsoft Office, up to date at the same time as Windows 10.
- Defer Upgrades:
Enterprise editions of Windows 10 (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) enable you to defer upgrades to your computer. Windows 10 does not download or install new Windows 10 features immediately when they are available; they can be delayed for several months.
Deferring upgrades will not defer security updates.
The following two options offer additional update information.
- View Your Update History
- Choose How Updates Are Delivered
View Your Update History
The View Your Update History page shows you the updates that have been applied and those that failed to be applied. Each update contains a unique name and reference number and a summary of the effect the update will have on the system. A detailed description of each update is available online by clicking More Info in each update.
You can also select Uninstall Updates, which opens Installed Updates in Control Panel. You can remove any update by selecting it and clicking Uninstall on the menu bar.
If you have installed the preview build of Windows 10 on your device, you can also uninstall this by clicking Uninstall Latest Preview Build. This option opens the Recovery page in the Update And Security Settings app and enables you to reset your PC.
Choose How Updates Are Delivered
Windows 10 includes a new feature that enables you to choose how updates are delivered and enables Windows Update to obtain updates through peer-to-peer file sharing.
To review and configure this option, use the following steps.
- Click the Start button and open Settings.
- Click Update & Security, Windows Update.
- On the Windows Update page, click Advanced Options.
- Select the Choose How Updates Are Delivered link.
The Choose How Updates Are Delivered dialog box is where you can configure how updates are delivered.
- Move the toggle to On.
- Configure the additional peer-to-peer sources as either:
- PCs On My Local Network (Default).
- PCs On My Local Network, And PCs On The Internet.
- Exit the Settings app.
After you choose to receive updates from more than one place, Windows obtains updates from Microsoft and from computers on the local network and, optionally, from PCs on the Internet. By allowing Windows to obtain the update files from additional sources, the settings can be applied more quickly. This can be especially useful when using a reduced bandwidth or metered connection because after one device has been updated, it can share the update file fragments peer-to-peer with other devices locally without needing to download them from Microsoft.
If you disable the Updates From More Than One Place setting, Windows Update obtains updates directly from the Microsoft update servers.
Use Group Policy to configure Windows Update
You can use Group Policy to configure the new Windows Update settings and then use Active Directory Domain Services (AD DS) to distribute the settings to the devices across the network.
Although there are many Group Policy Objects (GPOs) that relate to Windows Update for earlier versions of Windows, three nodes in Group Policy contain Windows Update settings for Windows 10. They are found in the Computer Configuration/Administrative Templates/Windows Components/ area with the following node names.
- Windows Update
- Data Collection And Preview Builds
- Delivery Optimization
The Windows Update node contains several settings, including:
- Configure Automatic Updates:
Specifies whether the computer will receive security updates and other important downloads through the Windows automatic updating service. This setting enables you to specify whether to enable automatic updates on your computer. If this service is enabled, you must select one of the four options in the Group Policy setting.
- 2 = Notify before downloading and installing any updates
When Windows finds updates that apply to your computer, you are notified in the notification area by an icon, with a message that updates are ready for download. When they are downloaded, the icon appears again to notify you that the updates are ready for installation. If you click the notification, you can then select which updates to install.
- 3 = Automatically download and notify for install
When Windows finds updates that apply to your computer, it automatically downloads them in the background. When the download is complete, a notification area icon appears, advising that the updates are ready for installation. Click the icon or notification to select which updates should be installed.
- 4 = Automatically download and install them on the schedule specified below
Specify the install schedule by using the options in the Group Policy setting. If you do not specify a schedule, all installations will occur every day at 3:00 A.M. If updates require a restart to complete the installation, Windows restarts the computer automatically. If a user is signed in to the computer when Windows is ready to restart, it notifies the user and offers an option to delay the restart.
- 5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates
With this option, local administrators can use the Windows Update Control Panel to select a configuration option, such as to choose the scheduled installation time. Local administrators cannot disable Automatic Updates configuration.
If you set a GPO to Enabled, Windows searches Windows Update for updates that apply to your computer whenever the computer is online. With the status set to Disabled, all updates must be manually triggered for download and installation. If the status is Not Configured, the Group Policy is not used to configure Automatic Updates, and the computer uses the Automatic Updates in Control Panel or the Settings app.
- Defer Upgrades And Updates
This policy enables you to defer upgrades for up to eight months and delay updates for up to four weeks. The policy is not configured by default. If you do not delay updates, your PC installs security updates as they become available. An option to Pause Upgrades And Updates is available if an issue arises with an update or upgrade. This setting delays updates and upgrades until the next monthly update or upgrade becomes available. This setting will not affect Windows Defender antimalware definition updates.
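To confirm which Configure Automatic Updates state a device actually received, an administrator can read the policy values from the registry and decode them against the option list above. The following PowerShell is an added example, not part of the original text; the registry key and value names are assumptions about where this policy is stored, and `Get-AutoUpdatePolicy` is a hypothetical helper name.

```powershell
# Added example, not from the original text: report the Configure Automatic
# Updates policy that Group Policy applied to this device.
# Assumption: the setting is stored as NoAutoUpdate, AUOptions,
# ScheduledInstallDay and ScheduledInstallTime under the key below.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Option numbers as listed in the Group Policy setting.
$AuOptions = @{
    2 = 'Notify before downloading and installing any updates'
    3 = 'Automatically download and notify for install'
    4 = 'Automatically download and install on the schedule'
    5 = 'Allow local administrators to select the configuration mode'
}

function Get-AutoUpdatePolicy {
    param([string]$Path = $AuKey)

    $p = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path }
    if ($null -eq $p -or ($null -eq $p.NoAutoUpdate -and $null -eq $p.AUOptions)) {
        # No policy values: the status is Not Configured.
        return [pscustomobject]@{ State = 'Not Configured'; Option = $null
            Schedule = $null; Finding = 'Control Panel or Settings app decides' }
    }
    if ($p.NoAutoUpdate -eq 1) {
        # Disabled: every update must be triggered manually.
        return [pscustomobject]@{ State = 'Disabled'; Option = $null
            Schedule = $null; Finding = 'FLAG: updates are manual only' }
    }
    $opt  = [int]$p.AUOptions
    $name = if ($AuOptions.ContainsKey($opt)) { $AuOptions[$opt] } else { 'unrecognized value' }
    $schedule = $null
    if ($opt -eq 4) {
        # Unset schedule values fall back to every day at 3:00 A.M.
        # Assumption: day 0 means every day, 1-7 mean Sunday-Saturday.
        $day  = if ($null -ne $p.ScheduledInstallDay)  { [int]$p.ScheduledInstallDay }  else { 0 }
        $hour = if ($null -ne $p.ScheduledInstallTime) { [int]$p.ScheduledInstallTime } else { 3 }
        $days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
        $schedule = '{0} at {1:00}:00' -f $days[$day], $hour
    }
    # Options 2 and 3 leave installation waiting on a user's response.
    $finding = if ($opt -in 2, 3) { 'REVIEW: installation waits for a user' } else { 'OK' }
    [pscustomobject]@{ State = 'Enabled'; Option = "$opt = $name"
        Schedule = $schedule; Finding = $finding }
}

Get-AutoUpdatePolicy | Format-List
```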
Data collection and preview builds
The Data Collection And Preview Builds node contains four settings.
- Toggle User Control Over Insider Builds
This policy setting determines whether users can access the Insider build controls in Advanced Options for Windows Update. If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, Get Insider Builds will not be available.
- Allow Telemetry
This policy setting determines the amount of diagnostic and usage data related to Microsoft software that is reported to Microsoft. The policy offers four choices.
- Security: No telemetry data is reported to Microsoft except security data such as Windows Defender data.
- Basic: Reports a limited amount of diagnostic and usage data.
- Enhanced: Sends enhanced diagnostic and usage data.
- Full: Sends the same data as the Basic setting plus additional diagnostics data, such as the system state at the time of a system halt or crash, and the files and content that might have caused the problem.
- Disable Pre-release Features Or Settings
Use this policy setting to configure the level to which Microsoft can experiment with Windows 10 to study your preferences or device behavior. There are two settings.
- Device Setting Only: Permits Microsoft to configure device settings only
- Full Experimentations: Enables Microsoft to conduct full experimentations and study user preferences
- Do Not Show Feedback Notifications
This policy setting enables an organization to prevent its devices from showing feedback questions from Microsoft through the Windows Feedback app.
The Delivery Optimization node contains the following five settings.
- Download Mode
Use this setting to configure the use of Windows Update Delivery Optimization in downloads of Windows apps and updates. These settings offer slightly more granularity in the Settings app, allowing the device to receive updates from more than one place. There are four options, as follows.
- None: Disable the feature
- Group: Peers on same NAT only
- LAN: Local Network/Private Peering (PCs in the same domain by default)
- Internet: Internet Peering only
- Group ID
Set this policy to specify an arbitrary group ID to which the device belongs by using a globally unique identifier (GUID) as the group ID. This segments the devices when using the Group option in the Download Mode setting.
- Max Cache Age
Use this to define the maximum time the Delivery Optimization cache can hold each file.
- Max Cache Size
This option limits the maximum cache size Delivery Optimization can use as a percentage of the internal disk size.
- Max Upload Bandwidth
This policy defines a limit for the upload bandwidth that a device uses for all concurrent upload activity by Delivery Optimization (kilobytes per second).
Review the new GPOs that relate to the new Windows Update functionality found in Windows 10.
Troubleshoot Windows Update
If a machine is not receiving updates and you have checked the Settings app and Group Policy settings, verify that the two services in Windows relating to Windows Update are running.
The first is the Windows Update service, which checks which updates have been installed locally and what is available on the update servers. The Windows Update service also handles the download, installation, and reporting of the state of updates.
Background Intelligent Transfer Service (BITS) is a supplemental service that handles the transfer of update files in the most efficient manner.
Both services need to be running for Windows Update to function correctly.
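The service check described above can be scripted. The following PowerShell is an added example, not part of the original text; it assumes the service names `wuauserv` (Windows Update) and `BITS`, and `Test-UpdateService` is a hypothetical helper name. It also flags a Disabled start type, because a disabled service cannot be started on demand.

```powershell
# Added example, not from the original text: check the two services that
# Windows Update depends on.
# Assumption: the service names are wuauserv (Windows Update) and BITS
# (Background Intelligent Transfer Service).
function Test-UpdateService {
    param(
        [string[]]$Name = @('wuauserv', 'BITS'),
        [switch]$Start   # try to start stopped services (needs elevation)
    )
    foreach ($n in $Name) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if (-not $svc) {
            [pscustomobject]@{ Name = $n; State = 'Missing'; StartMode = $null
                Finding = 'FLAG: service is not installed' }
            continue
        }
        $finding = 'OK'
        if ($svc.StartMode -eq 'Disabled') {
            # A disabled service cannot be started, so updates never run.
            $finding = 'FLAG: start type is Disabled'
        }
        elseif ($svc.State -ne 'Running') {
            $finding = 'Stopped'
            if ($Start) {
                Start-Service -Name $n -ErrorAction SilentlyContinue
                # Re-query so the report reflects the state after the attempt.
                $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
                $finding = if ($svc.State -eq 'Running') { 'Started' } else { 'FLAG: failed to start' }
            }
        }
        [pscustomobject]@{ Name = $svc.Name; State = $svc.State
            StartMode = $svc.StartMode; Finding = $finding }
    }
}

Test-UpdateService | Format-Table -AutoSize
```

Run it without `-Start` to report only; add `-Start` from an elevated session to attempt to start a stopped service.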