Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Introduction
Managing Windows updates across hundreds of devices without a server is now possible. Windows Update for Business setup allows you to control updates directly from the cloud. No WSUS, no Group Policy, no on-premise infrastructure.
This Windows Update for Business setup guide walks you through everything. You will learn update rings, deferral policies, and Intune integration. By the end, you can manage updates for your entire organization from a single web dashboard.
What Is Windows Update for Business (WUfB)?
Windows Update for Business is a free cloud service included with Windows 10 and 11 Pro, Enterprise, and Education editions. It connects devices directly to Microsoft Update servers but gives you control over:
- When updates download and install
- Which updates are deferred (and for how long)
- How updates roll out across device groups (rings)
- Restart policies and notifications
WUfB is perfect for organizations without on-premise servers. It works with Microsoft Intune, Group Policy, or simple MDM. (For traditional on-premise control, see our Group Policy Windows Update guide.)
WUfB vs. Traditional Methods
| Feature | WSUS + Group Policy | Windows Update for Business |
|---|---|---|
| On-premise server required | Yes | No |
| Internet bandwidth for updates | Local WSUS saves bandwidth | Each device downloads from Microsoft |
| Control over specific KB approvals | Granular (approve/reject individual updates) | Only deferral periods (all updates approved) |
| Reporting and compliance | WSUS reports | Microsoft Endpoint Analytics (Intune) |
| Best for | Large enterprises with datacenters | Cloud-first, remote work, SMB |
Windows Update for Business setup is ideal for organizations with distributed workforces, remote employees, or no on-premise IT infrastructure.
Prerequisites for WUfB Setup
Before configuring, ensure:
- Windows 10/11 Pro, Enterprise, or Education – Home edition does not support WUfB
- Internet connection – Devices must reach Microsoft Update servers
- Management tool – Intune (recommended), Group Policy, or MDM
- Azure AD joined or Hybrid joined – For Intune management
If you use Intune, you need licenses: Microsoft 365 E3, E5, or Intune standalone.
Step-by-Step: Windows Update for Business Setup via Intune
This is the recommended method for modern organizations.
Step 1: Sign in to Microsoft Intune
Go to https://intune.microsoft.com and sign in as an Administrator.
Step 2: Create an Update Ring
- Navigate to Devices > Windows > Update rings for Windows 10 and later
- Click Create > Update ring
- Give it a name: “WUfB – Pilot Ring”
Step 3: Configure Basic Settings
| Setting | Recommended Value |
|---|---|
| Service channel | Semi-Annual Channel (General Availability) |
| Quality update deferral (days) | 0 for pilot, 3 for production |
| Feature update deferral (days) | 180 |
| Automatic update behavior | Auto install at maintenance time |
| Active hours start | 8 AM |
| Active hours end | 5 PM |
| Restart grace period (days) | 2 |
| Deadline for quality updates (days) | 7 |
These settings balance security with user convenience. Pilot rings get updates immediately. Production rings wait a few days for safety.
Step 4: Configure User Experience Settings
Under User experience settings:
- Allow auto reboot outside active hours – Yes
- Auto reboot before deadline – Yes
- User control over reboots – Notify user (do not allow deferral)
- Engagement notifications – Show all notifications
Step 5: Assign the Update Ring
- Click Assignments
- Add Include groups – Select a pilot device group
- Click Create
Repeat the process for production, critical, and test rings.
Step 6: (Optional) Set Feature Update Policies
For controlling OS version upgrades (e.g., from 22H2 to 24H2):
- Go to Devices > Windows > Feature updates for Windows 10 and later
- Click Create
- Name: “WUfB – Feature Update 24H2”
- Select the target version (e.g., Windows 11 24H2)
- Assign to device groups
- Set rollout options (percentage of devices per day)
This ensures your organization moves to new Windows versions in a controlled manner.
Step-by-Step: Windows Update for Business Setup via Group Policy
If you do not have Intune, use Group Policy (requires domain-joined computers).
- Open Group Policy Management Console
- Create or edit a GPO
- Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business
Configure these policies:
| Policy | Setting |
|---|---|
| Manage preview builds | Disable for production |
| Select when Quality Updates are received | Enabled – Defer quality updates for 3 days |
| Select when Feature Updates are received | Enabled – Defer for 180 days |
| Enable auto-restart deadline | Enabled – 2 days |
Then link the GPO to your organizational units. (For a complete Group Policy reference, see our Group Policy Windows Update guide.)
Managing Drivers with WUfB
Drivers can be included or excluded from Windows Update for Business. By default, drivers are included.
To exclude drivers via Intune:
- Go to Devices > Configuration profiles
- Create a profile > Windows 10 and later > Settings catalog
- Search for “Driver updates”
- Set Enable driver updates to Block
To manage drivers separately, see our Windows Update driver updates guide.
Real-World Applications
Scenario A: Remote-First Startup (50 employees)
No office, no servers. The IT lead sets up Windows Update for Business setup via Intune. Pilot ring (5 power users) gets updates after 1 day. Production ring gets updates after 4 days. When a critical security patch releases, she temporarily changes production deferral to 0 days for that month only. All remote laptops stay secure without VPN.
Scenario B: School District (500 student devices)
Student laptops cannot update during class. The admin configures active hours 8 AM to 3 PM. Updates download and install automatically between 3 PM and 8 AM. Restart deadlines are set to 7 days, so students can postpone until weekend. Feature updates are deferred 365 days until summer break.
Scenario C: Hospital with Mixed Environment
Clinical workstations use traditional WSUS (no internet). Administrative PCs use WUfB. The Windows Update for Business setup for admin PCs uses quality deferral of 2 days. This gives the IT team time to test patches on WSUS first, then release via WUfB. (For clinical systems, see our Group Policy Windows Update guide.)
Common Mistakes to Avoid
Mistake #1: Setting quality update deferral too long. Some admins choose 30+ days. Attackers exploit vulnerabilities within days of Patch Tuesday. Keep deferral under 7 days.
Mistake #2: Forgetting to set deadlines. Without deadlines, users can postpone updates indefinitely. Always configure deadline settings.
Mistake #3: Not using pilot rings. Deploying updates to all devices at once risks widespread issues. Use at least two rings.
Mistake #4: Conflicting policies. If a device receives both Group Policy and Intune policies, unexpected behavior occurs. Use one management tool consistently.
Monitoring and Reporting
With Intune, monitor update compliance:
- Go to Reports > Windows updates > Reports
- View Update ring deployment states – Shows devices pending, in progress, or completed
- Export Quality update compliance report – See which devices need attention
For deeper insights, integrate with Microsoft Endpoint Analytics.
Troubleshooting WUfB
If updates are not applying:
- Verify device is Azure AD or Hybrid AD joined
- Check that the device is assigned to the correct update ring
- Run
Get-WindowsUpdateLogin PowerShell on the client - Ensure Windows Update service is running
- Verify internet connectivity to Microsoft Update
For persistent update issues, refer to our Windows Update stuck fixes.
FAQ Section
Is Windows Update for Business free?
Yes. WUfB is included with Windows 10/11 Pro, Enterprise, and Education. No additional licensing cost. However, Intune requires Microsoft 365 E3/E5 or standalone Intune licenses.
Can I use WUfB without Intune?
Yes. You can configure WUfB via Group Policy (on-premise) or MDM (mobile device management). Intune is the most feature-rich option but not required.
How do WUfB deferrals differ from WSUS approvals?
WSUS lets you approve or reject specific KB updates. WUfB only allows you to defer all updates by a certain number of days. WUfB is simpler but less granular.
Does WUfB work for servers?
No. Windows Server does not support Windows Update for Business. Servers require WSUS, Azure Update Management, or other server patching solutions.
Conclusion
Windows Update for Business setup gives you cloud-based control over Windows updates without on-premise infrastructure. Configure update rings, set deferral periods, and enforce restart deadlines. Use Intune for the best experience, or Group Policy for hybrid environments.
Start with a pilot ring. Set quality update deferral to 0-3 days. Feature update deferral to 180 days. Add restart deadlines. Then expand to production rings.
Next steps: Pair WUfB with Delivery Optimization to save bandwidth. For devices that still get stuck, see our Windows Update stuck fixes. And always stay aware of threats like the fake Windows Update 2026 malware.
