Creating Your Update Management Strategy 

It’s been a while since we covered Windows as a service, and a lot has changed!

We’ve had Windows 11, Windows 365 and Azure Virtual Desktop (AVD) thrown in the mix, along with a few name changes and tooling improvements along the way. So how does this impact your management of the Windows lifecycle?  

In this series we’re going to update our previous advice on update management – this blog will cover: 

  • A quick refresher on update types (and how they’ve changed) 
  • Update deployment 
  • Service tools overview 
  • Which servicing tools are right for you? 
  • Helpful resources 

Windows: What’s changed?

It was a few years back that we got the good news: no more disruptive operating system upgrades. Instead, Windows 10 would be the ‘last’ Windows OS, getting upgraded on a continuous basis with feature updates and quality updates. 

Now we all know that Windows 10 will not be the final release from Microsoft… and it’s been joined by Windows 11, which adheres (roughly) to the same concept. There’ll be regular updates to the OS, rather than a massive overhaul. Fantastic! We’ve kept (more or less) the same update cadence. 

Now with this addition to the Microsoft family we do need to bear a couple of things in mind: 

  1. At some point you will want to update to Windows 11. That will be so much easier if you already have a proper update management process in place for Windows 10. Keeping your devices up to date will make your transition over to Windows 11 a lot easier as well! 
  2. IT estates are more complex now, with the addition of Windows 365, AVD and other new toolsets. This means you need to make sure you’re managing your IT estate in the most effective way for your business needs. 


(We held some popular webinars on this a few months back, take a look at them here: Managing Windows Effectively) 

Updates: What’s changed?

So how has Windows as a service changed over the last year or so? There are still two update types: Feature Updates and Quality Updates. 

Feature Updates 

Windows feature updates are technically new versions of Windows 10/11, which were originally released twice per year. This has now changed to one annual feature update (still referred to as 21H2, 22H2, 23H2 and so on). 

These will bring new Windows features, which can be deployed using your existing management tools, such as Configuration Manager, WSUS or Windows Update for business. 

Quality Updates 

Quality updates contain security and reliability updates, as well as bug fixes. They’re released monthly and are cumulative. This means, for example, if a device was offline in a storeroom for a few months, only the latest update needs be applied. 

To receive monthly quality updates, customers must be on a supported version of Windows – so here’s your very early reminder that Windows 10 22H2 will be unsupported from October 2025.  

(Click here to see end-of-support dates for previous versions!) 

These monthly updates can be classified into B,C or OOB (out of band) releases – if you haven’t come across these before, Microsoft explain it best: Monthly Quality Updates Overview  

Moment Updates 

Microsoft has also recently announced a new update type – Moment updates – which will be made available periodically for devices running Windows 11. These will contain new Windows features outside of those provided with the larger annual feature updates. 

Update Deployment

Microsoft recommends beginning deployment as soon as possible to devices selected for early adoption – then you can move to full deployment when you’re ready to do so. This gives you access to new features and integrated security in a timely manner, whilst remaining on a supported version. 

This doesn’t mean updates have to be deployed and implemented immediately. You can still have control over how and when the update is deployed – the level of control, however, depends on the tools used.  

So, knowing this, the first decision is to determine which tools you’ll use to manage and deliver Windows updates. This depends on your current device management setup – modern or traditional.  

Understanding how the different servicing tools interact with your current infrastructure and policies will help you make the right decision for your business. 

Which Servicing Tools are Right for you?

Servicing Tools Overview 

Windows Update 

Windows Update provides some control over feature updates, but not as much as other options. You can manually configure devices to be in the Semi-Annual Channel, and can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 device. 

Windows Update for Business (WUfB) 

WUfB is cloud-based, and it particularly suited to updating clients in the cloud. This servicing tool includes control over update deferment and settings are deployed using Group Policy, Intune or scripts – it’s particularly suited to Intune clients. It uses built-in Windows 10 delivery optimisation and WUfB can defer updates by up to 365 days, depending on the version.

Microsoft Endpoint Configuration Manager (ConfigMgr) 

ConfigMgr is great for either cloud or on-premise setups. In ConfigMgr, you can create servicing plans to form deployment rings, update Windows 10 when new builds are released. You can also use task sequences to upgrade Windows 10 to newer iterations. 

ConfigMgr will give you the most control – you can defer or approve updates and have multiple options for targeting deployments, and managing bandwidth usage and deployment times. You can also use BranchCache to reduce network bandwidth usage during updates – a handy tool when working with devices that haven’t been updated in some time! 

Windows Server Update Services (WSUS) 

WSUS is particularly suited to traditional, on-premise offices where lots of devices are based. WSUS provides a lot of control over updates and is natively available in the Windows Server OS. This method requires that you set up a WSUS server, which downloads updates in bulk from Microsoft (and avoids having all devices separately downloading via internet connection at once). You can then connect individual devices to the server to install updates, distributing them through a management console. 

Server setup, control and update processes can be managed using: 

  • Microsoft Endpoint Manager 
  • A standalone Windows Server Update Services server 


Which servicing tool is right for me? 

Microsoft Endpoint Config Manager Better suited for: On-Prem or Cloud Windows Update for Business Better suited for: Cloud Windows Server Update Services Better suited for: On-Prem
Task sequence-based updates or Windows servicing capabilities
Feature updates can be deferred
Feature updates are deployed on approval
Content distributed from ConfigMgr distribution points
Builds on top of Windows Update
Content distributed from WSUS servers
BranchCache or ConfigMgr peer caching to reduce bandwidth
Uses Windows Update for content
BranchCache to reduce bandwidth
Delivery optimisation for P2P distribution
Devices don’t need to download via internet

Next you need to think about infrastructure requirements and considerations – but as this blog is getting rather long, we’ll save that for the next installment! 

While you wait…

In the meantime, Microsoft has extensive documentation: 

And of course we’re running a webinar related to this topic! Our CTO Steve Beaumont will be running through some key actions to ensure you have the right level of visibility and control over your IT estate ahead of upgrading to Windows 11. Check it out here! 


This is for anyone who wants a head start on the 2025 deadline (it’ll be here sooner than you think!) or anyone with a more complex IT estate (e.g. BYOD, a mix of device types/lots of old devices).  

Share on:


Share on Facebook
Share on Twitter
Share on LinkedIn

Related blogs

two people at desk looking at code

AOVPN DPC V4.0 is Now Live!

Today we’re very excited to announce the release of AOVPN DPC 4.0 with support for Windows 11! AOVPN Dynamic Profile Configurator is now functional with