Walkthrough: Use Group Policy to configure Windows Update for Business

Applies to

  • Windows 10

Looking for consumer information? See Windows Update: FAQ

Overview

You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See Prepare servicing strategy for Windows 10 updates for more information.

An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path Computer Configuration > Administrative Templates > Windows Components > Windows Update.

To manage updates with Windows Update for Business as described in this article, you should prepare with these steps, if you haven't already:

Set up Windows Update for Business

In this example, one security group is used to manage updates. Typically, we recommend deploying with at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases). See Build deployment rings for Windows 10 updates for more information.

Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:

Set up a ring

  1. Start Group Policy Management Console (gpmc.msc).
  2. Expand Forest > Domains > <your domain>.
  3. Right-click <your domain> and select Create a GPO in this domain and link it here.
  4. In the New GPO dialog box, enter Windows Update for Business - Group 1 as the name of the new Group Policy Object.
  5. Right-click the "Windows Update for Business - Group 1" object, and then select Edit.
  6. In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. You are now ready to start assigning policies to this ring (group) of devices.

Manage Windows Update offerings

You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.

Determine which updates you want offered to your devices

Both Windows 10 feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.

To enable Microsoft Updates, use the Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Install updates for other Microsoft products.

Drivers are automatically enabled because they are beneficial to device systems. We recommend that you leave the driver policy at its default, which allows drivers to update on devices, but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates and enable the policy.

We also recommend that you allow Microsoft product updates as discussed previously.

Set when devices receive feature and quality updates

I want to receive pre-release versions of the next feature update

  1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
  2. Use Group Policy Management Console to go to: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds and set the policy to Enable preview builds for any test devices on which you want to install pre-release builds.
  3. Use Group Policy Management Console to go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received. In the Options pane, use the pulldown menu to select one of the preview builds. We recommend Windows Insider Program Slow for commercial customers using pre-release builds for validation.
  4. Select OK.

I want to manage which released feature update my devices receive

A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.

  • To defer or pause a feature update: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received
  • To defer or pause a quality update: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received

Example

In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.

Illustration of devices divided into three rings

When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.

Five days later

The devices in the fast ring are offered the quality update the next time they scan for updates.

Illustration of devices with the fast ring deployed

Ten days later

Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.

Illustration of devices with the slow ring deployed

If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
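The ring setup steps and the three-ring deferral example above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original walkthrough: the domain, the security group names and the per-ring GPO names are placeholders, and the registry value names are the ones that back the Select when Quality Updates are Received policy.

```powershell
Import-Module GroupPolicy   # available with RSAT or on a domain controller

$DomainDn = 'DC=corp,DC=example,DC=com'   # assumption: placeholder domain
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring -> quality-update deferral in days, matching the pilot/fast/slow example.
# The security group names are hypothetical and must already exist.
$Rings = @(
    @{ Name = 'Pilot'; Group = 'WUfB-Ring-Pilot'; QualityDeferDays = 0  }
    @{ Name = 'Fast';  Group = 'WUfB-Ring-Fast';  QualityDeferDays = 5  }
    @{ Name = 'Slow';  Group = 'WUfB-Ring-Slow';  QualityDeferDays = 10 }
)

foreach ($ring in $Rings) {
    # Quality updates can be deferred for at most 30 days; reject anything else
    # before it reaches a GPO.
    if ($ring.QualityDeferDays -lt 0 -or $ring.QualityDeferDays -gt 30) {
        throw "Ring $($ring.Name): quality deferral must be between 0 and 30 days."
    }

    $gpoName = "Windows Update for Business - $($ring.Name)"

    # Create the GPO and link it at the domain (steps 3 and 4), unless it exists.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Quality updates deferred $($ring.QualityDeferDays) days"
        New-GPLink -Guid $gpo.Id -Target $DomainDn -LinkEnabled Yes | Out-Null
    }

    # Enable quality-update deferral and set the period for this ring.
    Set-GPRegistryValue -Guid $gpo.Id -Key $WuKey -ValueName 'DeferQualityUpdates' `
        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Guid $gpo.Id -Key $WuKey -ValueName 'DeferQualityUpdatesPeriodInDays' `
        -Type DWord -Value $ring.QualityDeferDays | Out-Null

    # Apply the GPO only to the ring's security group. Authenticated Users keeps
    # Read so that computer accounts can still retrieve the GPO.
    Set-GPPermission -Guid $gpo.Id -TargetName $ring.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# Review what was created.
Get-GPO -All |
    Where-Object DisplayName -like 'Windows Update for Business - *' |
    Select-Object DisplayName, GpoStatus, ModificationTime
```

Because each GPO is linked at the domain, the security filtering is what keeps a device in exactly one ring; a computer that is a member of two ring groups receives both GPOs and the link order decides which deferral wins.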

What if a problem occurs with the update?

In this example, some problem is discovered during the deployment of the update to the "pilot" ring.

Illustration of devices experiencing a problem in the pilot ring

At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the Pause quality updates check box.

Illustration of rings with the Pause quality updates check box selected

Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the next quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.

I want to stay on a specific version

If you need a device to stay on a version beyond the point when deferrals on the next version would elapse, or if you need to skip a version (for example, update fall release to fall release), use the Select the target Feature Update version setting instead of using the Specify when Preview Builds and Feature Updates are received setting for feature update deferrals. When you use this policy, specify the version that you want your device(s) to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.

When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.
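A device whose target version is invalid stops receiving feature updates without any visible error, so it is worth checking the values that actually reached the device. The following is an added example, not part of the original walkthrough: the function names are hypothetical, the registry value names are the ones that back the deferral, target version and driver policies, and the sample input is constructed.

```powershell
# Check one device's Windows Update policy values against the limits in this article.
function Test-WufbPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)   # value name -> data

    $findings = @()
    $feature  = $Policy['DeferFeatureUpdatesPeriodInDays']
    $quality  = $Policy['DeferQualityUpdatesPeriodInDays']

    # Limits stated above: 365 days for feature updates, 30 days for quality updates.
    if ($null -ne $feature -and ($feature -lt 0 -or $feature -gt 365)) {
        $findings += "Feature deferral $feature is outside 0-365 days."
    }
    if ($null -ne $quality -and ($quality -lt 0 -or $quality -gt 30)) {
        $findings += "Quality deferral $quality is outside 0-30 days."
    }

    if ($Policy['TargetReleaseVersion'] -eq 1) {
        # An empty target is not a valid version, so no feature update is offered.
        if ([string]::IsNullOrWhiteSpace($Policy['TargetReleaseVersionInfo'])) {
            $findings += 'Target version policy is enabled without a version: no feature updates will be offered.'
        }
        # Deferrals are ignored while a target version is set.
        if ($feature -gt 0) {
            $findings += "Target version is set, so the $($feature)-day feature deferral is not in effect."
        }
    }

    if ($Policy['ExcludeWUDriversInQualityUpdate'] -eq 1) {
        $findings += 'Driver updates are excluded: drivers must be managed manually.'
    }
    return ,$findings
}

# Read the policy values delivered to the local device into a hashtable.
function Get-WufbPolicy {
    $path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $result = @{}
    if (Test-Path $path) {
        (Get-ItemProperty -Path $path).PSObject.Properties |
            Where-Object Name -notlike 'PS*' |
            ForEach-Object { $result[$_.Name] = $_.Value }
    }
    return $result
}

# Constructed sample: an out-of-range deferral combined with an empty target version.
$sample = @{
    DeferFeatureUpdatesPeriodInDays = 400
    DeferQualityUpdatesPeriodInDays = 10
    TargetReleaseVersion            = 1
    TargetReleaseVersionInfo        = ''
}
Test-WufbPolicy -Policy $sample

# On a managed device: Test-WufbPolicy -Policy (Get-WufbPolicy)
```

The constructed sample yields three findings: the out-of-range feature deferral, the missing target version, and the deferral that the target version policy overrides.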

Manage how users experience updates

I want to manage when devices download, install, and restart after updates

We recommend that you allow devices to update automatically; this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.

For more granular control, you can set the maximum period of active hours the user can set with Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart.

It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours.

To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Auto download and schedule the install. You can customize this setting to accommodate the time that you want the update to be installed for your devices.

When you set these policies, installation happens automatically at the specified time and the device will restart 15 minutes after installation is complete (unless it's interrupted by the user).

I want to keep devices secure and compliant with update deadlines

We recommend that you use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. You can also set the number of days that can elapse after a pending restart before the user is forced to restart.

This policy also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.

These notifications are what the user sees depending on the settings you choose:

When Specify deadlines for automatic updates and restarts is set (for Windows 10, version 1709 and later):

  • While restart is pending, before the deadline occurs:

    • For the first few days, the user receives a toast notification

    • After this period, the user receives this dialog:

      Notification the user receives of an upcoming restart before the deadline

    • If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:

      Notification the user receives 15 minutes before the restart

  • If the restart is still pending after the deadline passes:

    • Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:

      Notification the user receives of the approaching restart deadline

    • Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:

      Notification the user receives of an imminent restart after the deadline

I want to manage the notifications a user sees

There are additional settings that affect the notifications.

We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications with these values:

  • 0 (default) – Use the default Windows Update notifications
  • 1 – Turn off all notifications, excluding restart warnings
  • 2 – Turn off all notifications, including restart warnings

Note

Option 2 creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.

Still more options are available in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.

I want to manage the update settings a user can access

Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by using Search to find Windows Updates or by selecting Updates and Security in Settings. We provide the ability to disable a variety of these controls that are accessible to users.

Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to "Pause updates" feature. When you disable this setting, users will see Some settings are managed by your organization and the update pause settings are greyed out.

If you use Windows Server Update Services (WSUS), you can prevent users from scanning Windows Update. To do this, use Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features.

Related topics