How to manage Windows 10 feature updates with WSUS

Brock Bingham candid headshot
Brock Bingham|Updated May 10, 2021
How To Manage Windows 10 Feature Updates With WSUS
How To Manage Windows 10 Feature Updates With WSUS

When Windows 10 released in 2015, it not only introduced a new operating system, it also changed the way Windows would be updated going forward because who doesn’t love change? Right? Anyone? Instead of big OS releases packed with a new look and tons of new features, Microsoft has instead given us feature updates.

What are Windows feature updates

Feature updates are Microsoft’s alternative to new OS releases every few years. Feature updates are technically new versions of the Windows operating system. These updates include new features, security improvements, visual differences, and more. Feature updates are released twice a year, usually in the spring and fall.

Feature updates vs. quality updates

Quality updates are different from feature updates. Quality updates are the standard updates released once a month on the second Tuesday of the month, better known as Patch Tuesday. These updates include things such as bug fixes, patches for security vulnerabilities, and system stability improvements. Unlike feature updates, quality updates do not introduce new features or significant changes to the OS. With this in mind, it’s easy to see why we need a different approach to managing feature updates versus quality updates. Since quality updates don’t introduce significant changes to the OS, less testing is required to ensure system compatibility. On the other hand, you may want to postpone feature update installations or even skip specific feature updates all together depending on your environment.

Patch management policy

Before we dive into WSUS, I recommend having a patch management policy in place. I know, I know, nobody likes the “p” word, but it’s best to have this information available so you can refer to it while configuring WSUS. It should provide guidance on whether feature update installations need to be postponed for a length of time or skipped altogether on more sensitive or mission-critical equipment. If you don’t have a patch management policy in place or if it doesn’t cover feature updates, get together with your team and put something together. Since feature updates are new operating system versions, special care should be taken with deployments.

Managing Windows 10 feature updates with WSUS

If I didn’t scare you off by talking about policies, then before we begin, make sure you are using a version of WSUS that supports deploying Windows 10 feature updates. Here are the supported versions of WSUS:

  • WSUS 10.0.17763 (Windows Server 2019 role)

  • WSUS 10.0.14393 (Windows Server 2016 role)

  • WSUS 6.3 (Windows Server 2012 R2 role, requires KB 3095113 or 3159706)

  • WSUS 6.2 (Windows Server 2012 role, requires KB 3095113 or 3159706)

NOTE: KB 3095113 & KB 3159706 are included in the security monthly quality rollup update as of July 2017. If you don’t see these updates as installed, it may be because they were installed with the rollup.

Configuring groups

With WSUS open, the first thing we want to do is create a few groups to help organize our deployments. I like to break up my feature update deployments into three groups, preview, broad, and critical. The preview group is a small set of computers that will evaluate new feature updates. The broad group is where the majority of the workstations will reside. This group will receive the feature update once the preview group has thoroughly tested the update. The critical group is for devices that are vital to maintaining operations. This group will be the last to receive a feature update and may skip specific feature updates altogether to ensure system compatibility. To create a group, expand Computers, right-click on All Computers and click Add Computer Group.

Update Services

Name your group and click Add. Repeat this process for the remaining groups.

Add Computer Group Name

Assigning computers to groups

With our groups created, we need to assign our computers to their appropriate groups. Click on All Computers to view the full list of computers in WSUS. To add a computer to a group, right-click on a device, and select Change Membership. This will bring up the list of groups we created. Select the desired group and click OK.

Set Computer Group Membership

If you have a substantial amount of computers in WSUS, there are few things you can do to help this process go quicker. First, you can highlight multiple computers at once as you normally would with the SHIFT and CTRL keys. Another suggestion is to use the Search option located in the Action pane on the right side of the window. Lastly, a Group By option is also found in the Actions pane, which allows you to group your devices by operating system, version, server, make, model, firmware, and mobile operator.

Configuring auto approval for the preview group

With our workstations assigned to their appropriate groups, we’ll configure the preview group to approve feature updates for installation automatically.

  1. Click on the Options menu item in the menu tree

  2. Click Automatic Approvals

  3. Click New Rule in the Automatic Approvals windows under the Update Rules tab

    Automatic Approvals
  4. In the Add Rule window, select When an update is in a specific classification, When an update is in a specific product, and Set a deadline for the approval

    Add Rule
  5. In the Edit the properties, click any classification

  6. Unselect all classification types except for Upgrades and click OK

    Choose Updated Classifications
  7. Click any product

  8. Unselect everything except for Windows 10 and click OK

    Choose Products
  9. Click on all computers

  10. Select the Preview group and make sure no other groups are selected, and click OK

    Choose Update Classifications
  11. We’ll leave the deadline set at its default, which is seven days after the approval at 3:00 AM

  12. Name your rule and click OK

    Select updates to approve
  13. Click OK in the Automatic Approvals window

Feature updates will now be automatically approved for installation for the Preview group. Since we postpone deploying feature updates for our Broad and Critical groups, these updates will need to be manually approved. Refer back to your patch management policy to determine how long you will postpone an update before deploying it.

Manually deploying feature updates

So your preview group has finished testing all the new features released in the latest version of Windows, and you’re feeling brave enough to deploy it to your Broad group. Or, maybe you had a dream about Shia LaBeouf yelling at you to just do it. Either way, great! Let’s start by creating a view in WSUS that contains only the updates we want to see.

  1. Click Updates in the menu tree on the left in WSUS

  2. Click New Update View in the action pane on the right

  3. Select Updates are in a specific classification, and Updates are for a specific product

    Add Update view
  4. Click any classification and uncheck all options except for Upgrades and click OK

  5. Click any product and uncheck all option except for Windows 10 and click OK

  6. Specify a name for the view and click OK

  7. With our new view created, all that’s left to do is deploy the update.

  8. Click on the newly created update view in the menu tree on the left

    Update Service
  9. Right-click on the update you want to deploy and click Approve

  10. Click the down arrow next to the Broad group and click Approved for Install

    Approve Updates
  11. Click on the drop-down next to Broad once again and select Deadline > One Week

  12. Click OK, and the Approval Progress window should appear with the results

    Approval Progress
  13. Click Close

Wrapping up

Managing updates, in general, is not on my favorite things-to-do list. It lands right below watching Frozen for the nth time and right above picking up the presents my dog leaves for me in the backyard. That’s why I try to make updating Windows as simple as possible. If you don’t already use PDQ Deploy for managing your Windows quality updates, watch Lex demonstrate how easy it is in this quick video tutorial.

Brock Bingham candid headshot
Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.

Related articles