Category filter

Manage Windows Update Preferences and Settings from Hexnode UEM

The Windows Update Preferences policy allows administrators to manage and configure Windows Updates, ensuring efficient handling of OS updates and maintaining performance across all devices. This feature consists of various options that help to set the network constraints for updates, the capability to defer updates, the option to specify targeted products and versions, and the option to configure the update channel. The configurations for the major updates from Microsoft, that includes Feature Updates and Quality Updates, can be setup using this feature. While Feature Updates introduce new features, visual changes, and security enhancements to devices, Quality Updates are minor and do not include new features. Instead, Quality Updates focus on addressing bugs, and errors, and improving reliability and security. With Hexnode UEM’s Windows Update Preferences policy, administrators can configure preferences for managing Windows Updates on devices.

Note:

  • This feature is available on Hexnode UEM’s Ultra subscription plan.
  • The policy is supported on Windows 10/11 Business, Enterprise, and Education editions.

Configure Windows Update Preferences

  1. Log in to your Hexnode UEM portal. Navigate to the Policies tab. Click on New Policy to create a new one. Enter the Policy Name and Description in the provided fields. Or click on any policy to edit an existing one.
  2. Navigate to Windows. Select Windows Update Preferences under Patches & Updates.
  3. Click on Configure.
  4. Configure Windows Update Preferences settings.

Windows Update Preferences

Update drivers

Check this option to include updates that have a driver classification along with the Windows Quality Updates. By default, this option is enabled. If not enabled, Windows Updates will not include updates that have a driver classification.

Optional Updates

Optional updates are part of regular device maintenance, including non-security updates, features, or improvements that do not affect the functionality or security of a device. Admins can choose to install these updates based on their preferences. The default setting for this option is “Disabled” if it is not configured.

Settings Description
Disabled (default) The device will not receive any Optional Updates.
Automatically receive Optional Updates The device will only get optional cumulative updates automatically, in line with the quality update deferrals.
Automatically receive Optional Updates (including CFRs) The device will get the latest Optional Updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs).
Users can select which Optional Updates to receive Users can select which Optional Updates to get by navigating to Settings > Windows Update > Advanced options > Optional Updates on the device.

Download updates over metered network

Allows users to decide how updates are downloaded when the device is connected to a metered network (cellular data). The default setting for this option is “Disallowed” if it is not configured.

Settings Description
Allowed Allows the download of updates over metered networks.
Disallowed (default) Prevents the download of updates over metered networks.

Ignore download limits for app updates

This option specifies whether to ignore the download limit (allow unlimited downloading) over a cellular network for apps and their updates. These download limits are controlled by external policies imposed by mobile operators. The default setting for this option is “Don’t Ignore” if it is not configured.

Settings Description
Ignore Imposes no download limits for apps and their updates over the cellular network.

Note:


Selecting the “Ignore” option might result in devices incurring costs from mobile operators.

Don’t Ignore (default) Restricts users from downloading apps and their updates over cellular data.

Ignore download limits for OS updates

This option specifies whether to ignore the download limit (allow unlimited downloading) over a cellular network for Windows OS updates. These download limits are controlled by external policies imposed by mobile operators. The default setting for this option is “Don’t Ignore” if it is not configured.

Settings Description
Ignore Imposes no download limits for OS updates over the cellular network.

Note:


Selecting the “Ignore” option might result in devices incurring costs from mobile operators.

Don’t Ignore (default) Restricts users from downloading OS updates over cellular data.

Automatic wake up for maintenance

Automatic Maintenance is a feature that performs various background maintenance tasks to keep the system running smoothly. These maintenance tasks are designed to run when the device is not in use. By default, this option is enabled.
Check this option to activate the automatic maintenance wake-up feature. This will send a wake request to the OS daily for the scheduled maintenance.
Unchecking this option will apply the settings configured in the Security and Maintenance or Automatic Maintenance under the Control Panel on the device end.

Disable WUfB Safeguards

WUfB Safeguard prevents the release of a new OS version to a device that has a known compatibility issue. The update will only be provided once the issue is fixed and verified on the device. Safeguards aim to protect the device and user from a failed or poor update experience. By default, the WUfB option is enabled.

Note:


Disabling safeguards doesn’t ensure that your device will update successfully. The update might still fail, leading to a negative experience after the upgrade. This is because you’re bypassing the protection provided by Microsoft regarding the known issues.

Target product

Let the administrators choose which product they want their devices to switch to or remain on until the product reaches the end of service. Enter the product name as listed on the Windows Update target version page.
Admin can choose either of the options from Windows 10, Windows 11, or the “Other” option. If the “Other” option is selected, then specify a valid product name. For example, specify the name as 11 or Windows 11. The device will request the specified Windows Update product in subsequent scans. If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on.

Note:


If you enter an invalid value, it remains on the current product until you correct the value to a supported product.

Target version

Let the administrators choose which product version they want their devices to switch to or remain on until the specified version reaches the end of service. Enter the product version as listed on the Windows Update target version page. The device will request the specified Windows Update product version in subsequent scans. If no product version is specified, the device will continue receiving newer versions of the Windows product it is currently on.

Note:

  • If you enter an invalid value, it remains on the current version until you correct the value to a supported version.
  • The value should be a string containing the Windows version number. For example, 22H2.

Feature update uninstall period

Use this option to configure a time (in days) after which Feature Updates can’t be uninstalled. After this period, the device can no longer roll back to the previous updated version. The value can be chosen between 2-60 days (by default, it is set to 10 days).

Pre-release builds

Select this option to configure how the pre-release build is distributed. Windows Update won’t offer any pre-release updates if this option is not configured; instead, such content will be received once it is released to the public.

Settings Description
Disabled The device will not get any pre-release builds.
Disabled once the next release is public Prevent the pre-release builds from installing once the next release is public.
Enabled The device will get pre-release builds.
Users can choose (default) The users have the flexibility to decide whether they want to participate in the Windows Insider Program and they can choose pre-release builds.

Update channel

Select this option to configure which update channel a device receives its updates from. By default, this is set to the “Semi-annual” option and the admin can choose either of the options from the following:

    • Canary
    • Warning:


      Choosing the Canary Update Channel might cause the policy to fail on certain Windows versions.

    • Windows Insider – Fast
    • Windows Insider – Slow
    • Windows Insider – Release Preview
    • Semi- annual (default)
    • Release Preview – Quality Updates only
Note:


Changing this setting will cause the device to reboot.

Update Deferral

This option lets the admin choose how many days to defer an update once it is released. During the deferral period, the device will not receive the updates following their release from Microsoft.

Defer Quality Updates

Check this option to enforce Quality Updates deferral. The Quality Update fixes and improves the existing Windows functionality. You can choose the deferral period after checking this option. The deferral period for Quality Updates is 30 days, i.e., the admin can defer the Quality Updates for up to 30 days.

Note:


Once the deferral period is configured, reset the option to its default value of “0” to cancel the deferral. Following this step, Windows will no longer delay Quality Updates, and the device will receive them based on the default settings.

Defer Feature Updates

Check this option to enforce Feature Updates deferral. The Feature Update contains the newest version of Windows OS. You can choose the deferral period after checking this option. The deferral period depends on the Update channel selected.

Note:

  • For versions older than Windows 10, v1607, the maximum limit is 180 days.
  • The deferral period of Feature Update is up to 14 days for all pre-release channels and up to 365 days for the General Availability channel.

Apply the Windows Update Preferences policy to devices/groups

There are two ways by which you can associate restrictions to the devices in bulk.

If you haven’t saved the policy yet,

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, search and select the required device(s) to which you need to apply the policy. Click OK.
  3. Click on Save to apply the policies to the devices.
Note:


To associate the policies to a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy to Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and taken to the page which displays the policy list,

  1. Select the required policy.
  2. Click on Manage and select Associate Targets.
  3. Search and select the devices/ users/ device groups/ user groups/ domains to which you need to apply the policy.
  4. Click Associate.
  • Managing Windows Devices