Windows Update for Business deployment service prerequisites

Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.

Azure and Microsoft Entra ID

Licensing

Windows Update for Business deployment service requires users of the devices to have one of the following licenses:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

Operating systems and editions

  • Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
  • Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions

Windows Update for Business deployment service supports Windows client devices on the General Availability Channel.

Windows operating system updates

  • Expediting updates requires the Update Health Tools on the clients. The tools are installed starting with KB4023057. To confirm the presence of the Update Health Tools on a device:

    • Look for the folder C:\Program Files\Microsoft Update Health Tools or review Add Remove Programs for Microsoft Update Health Tools.
    • As an Admin, run the following PowerShell script: Get-CimInstance -ClassName Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}
  • For the changes to Windows diagnostic data collection, installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended.

Diagnostic data requirements

Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to deploy driver updates, devices must share diagnostic data with Microsoft. For these features, the deployment service requires devices to send diagnostic data at the Required level (previously called Basic) at a minimum.

When you use Windows Update for Business reports in conjunction with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:

  • Optional level (previously Full) for Windows 11 devices
  • Enhanced level for Windows 10 devices

Permissions

Note

Leveraging other parts of the Graph API might require additional permissions. For example, to display device information, a minimum of Device.Read.All permission is needed.

Required endpoints

Devices must have access to the following endpoints:

  • Windows Update endpoints
    • *.prod.do.dsp.mp.microsoft.com
    • *.windowsupdate.com
    • *.dl.delivery.mp.microsoft.com
    • *.update.microsoft.com
    • *.delivery.mp.microsoft.com
    • tsfe.trafficshaping.dsp.mp.microsoft.com
  • Windows Update for Business deployment service endpoints
    • devicelistenerprod.microsoft.com
    • login.windows.net
    • payloadprod*.blob.core.windows.net
  • Windows Push Notification Services (recommended, but not required; without this access, devices might not expedite updates until their next daily check for updates)
    • *.notify.windows.com

Limitations

Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet US Government community compliance (GCC) requirements. For a list of GCC offerings for Microsoft products and services, see the Microsoft Trust Center. Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.

Policy considerations for drivers

It's possible for the service to receive content approval while the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver-related update policies that can affect deployments through the deployment service:

Policies that exclude drivers from Windows Update for a device

The following policies exclude drivers from Windows Update for a device:

  • Locations of policies that exclude drivers:
    • Group Policy: \Windows Components\Windows Update\Do not include drivers with Windows Updates set to enabled
    • CSP: ExcludeWUDriversInQualityUpdate set to 1
    • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates set to 1
    • Intune: Windows Drivers update setting for the update ring set to Block

Behavior with the deployment service: Devices with driver exclusion policies that are enrolled for drivers and added to an audience through the deployment service:

  • Will display the applicable driver content in the deployment service
  • Won't install drivers that are approved from the deployment service
    • If drivers are deployed to a device that's blocking them, the deployment service displays that the driver is being offered, and reporting displays that the install is pending.

Policies that define the source for driver updates

The following policies define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS):

  • Locations of policies that define an update source:
    • Group Policy: \Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates set to enabled with the Driver Updates option set to Windows Update
    • CSP: SetPolicyDrivenUpdateSourceForDriverUpdates set to 0 for Windows Update as the source
    • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates set to 0. Under \AU, UseUpdateClassPolicySource also needs to be set to 1
    • Intune: Not applicable. Intune deploys updates using Windows Update for Business. Co-managed clients from Configuration Manager with the workload for Windows Update policies set to Intune will also use Windows Update for Business.

Behavior with the deployment service: Devices with these update source policies that are enrolled for drivers and added to an audience through the deployment service:

  • Will display the applicable driver content in the deployment service
  • Will install drivers that are approved from the deployment service

Note

When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device.
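The following read-only check, added here as an example and not part of the original page, inspects a device for the client-side prerequisites described above: the Update Health Tools needed for expediting, the diagnostic data policy level, and the driver exclusion and driver source policies from the registry locations listed in this section. It assumes the DataCollection\AllowTelemetry policy value (0 = Security, 1 = Required/Basic, 2 = Enhanced, 3 = Optional/Full) and reads the Uninstall registry keys instead of Win32_Product, because enumerating Win32_Product triggers a consistency check of every installed MSI package.

```powershell
# Added example: read-only prerequisite check for the deployment service.
# Run from an elevated PowerShell session on the device being evaluated.
function Test-WufbDeploymentServicePrereqs {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Update Health Tools: folder presence or an Uninstall entry (avoids Win32_Product).
    $healthToolsInstalled =
        (Test-Path 'C:\Program Files\Microsoft Update Health Tools') -or
        [bool](Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -match 'Microsoft Update Health Tools' })

    # Diagnostic data policy (assumed path): 1 = Required, 2 = Enhanced, 3 = Optional.
    # $null means no policy is set; the level then comes from the device default.
    $telemetry = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                  -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry

    # Driver policies named on this page. The scan-source policy only applies when
    # UseUpdateClassPolicySource under \AU is also 1; 0 = Windows Update, 1 = WSUS.
    $wuProps = Get-ItemProperty $wu -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty "$wu\AU" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UpdateHealthToolsInstalled = $healthToolsInstalled
        DiagnosticDataPolicy       = $telemetry
        DriversExcludedFromWU      = ($wuProps.ExcludeWUDriversFromQualityUpdates -eq 1)
        DriverSourceIsWSUS         = ($wuProps.SetPolicyDrivenUpdateSourceForDriverUpdates -eq 1 -and
                                      $auProps.UseUpdateClassPolicySource -eq 1)
    }
}

$result = Test-WufbDeploymentServicePrereqs
$result | Format-List

# Surface the states this page describes as blocking or degrading deployments.
if (-not $result.UpdateHealthToolsInstalled) {
    Write-Warning 'Update Health Tools not found: expedited updates require them.'
}
if ($result.DriversExcludedFromWU) {
    Write-Warning 'Driver exclusion policy set: approved drivers will show as pending and not install.'
}
if ($result.DriverSourceIsWSUS) {
    Write-Warning 'Driver scan source is WSUS: the service gets no inventory events, so driver applicability is not reported.'
}
if ($null -ne $result.DiagnosticDataPolicy -and $result.DiagnosticDataPolicy -lt 1) {
    Write-Warning 'Diagnostic data below Required: deployment protections and driver deployment are unavailable.'
}
```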

General tips for the deployment service

Follow these suggestions for the best results with the service:

  • Wait until devices finish provisioning before managing them with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).

  • Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to 0 days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.

  • Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.