Windows Update Management

Last modified by Sabrina V. on 2025/04/29 12:42

Within the Windows Update Management settings, you can subsequently make changes to settings already set for products and classifications and configure the testing and release processes. This makes it possible to remove or add further products and classifications at a later date, as well as to take language adjustments into account. If your selection of hardware manufacturers is expanded, you can also include additional third-party providers at a later stage and select them via the settings and include them in the meta and setup data download.

The settings were stored in the First Steps Wizard for Windows Update Management during the initial setup.

Navigate to the settings (System > Settings > Windows Update Management) or alternatively open them via the plugin by clicking 1733143232645-826.pngOpen in the ribbon bar.

Products

The settings you have already made in the First Steps Wizard are listed under Products. This allows you to adjust the configurations retrospectively and adapt them to updated conditions in your working environment. The listed products include:

68_CAWUM_Einstellungen_Produkte_1658.png

Settings for products, classifications and languages

If you need to add or deselect products, classifications or languages, you can make these changes conveniently on this page. To save, click 1733144384832-822.png Save in the ribbon bar.

Options

Update download options

Windows Update Management downloads the available updates to your File Repository in the background. The download is divided into two parts, with the metadata being downloaded via a separate job. These download options mainly concern how the setup files are downloaded. You can use the button to select the download type for the installation files:

Download typeDescription 
On Demand – only download if at least one Client needs the UpdateThis is the default setting, which is also recommended.
The download includes metadata containing all necessary information. However, the download of the setup files is only triggered when the client sends feedback. This means that only the setup files for updates that are required by at least one client are downloaded.

Hinweis  Note:  

You can also use the option Always download updates for these products and classifications to specify an additional criterion for obtaining further updates that might not otherwise be included in the defined process. Read more about this in the section on Special feature: Always download updates for these products and classifications.

67_CAWUM_Option nur herunterladen_497.png

Always - download all Updates

This setting downloads the setup files for all updates. This is also the case if they are not installed or required by any client.

Warning  Warning:  

Please note that this download type requires the most storage space, as all setup files are downloaded to your file repository. The storage space required here can quickly run into several 100 GB.

 67_CAWUM_Option immer herunterladen_578.png

If your file repository cannot provide the required storage space, we recommend that you move the ACMP Server to a file repository.

Hinweis  Note:  

Please note the free storage space on your distributed file repositories.
If you activate the Windows Updates content type, the setup files will be copied to the distributed file repositories depending on the sync profile

With the checkbox Only download updates newer than, you can specify a specific date for the downloads. To do this, activate the checkbox and select a date that sets the time limit.

67_CAWUM Einstellungen Update-Download-Optionen_1337.png

Update download Options

Special feature: Always download updates for these products and classifications

With the download type On Demand – only download if at least one client requires the update, you can configure an additional setting to define exceptions for updates that are not affected by the actual configuration. To do this, you must select the ‘Always download updates for these products and classifications’ checkbox. This allows you to define exceptions for which updates are always downloaded as soon as they are available and meet your criteria (the classifications).

With this setting, it is irrelevant that you have selected the On Demand type, as this is intended to ensure that all important updates (e.g. critical or security-related updates) can be made available promptly and distributed quickly to the clients.

67_CAWUM_Ausnahme Option Grafik_809.png

Procedure

Activate the option by first ticking the checkbox ‘Always download updates for these products and classifications’. This will make the lower section (Products and classifications) editable. Now select all entries that are to be combined with each other and thus included in the download type.

Hinweis  Note:  

This option allows you to specify explicit exceptions for which updates should still be downloaded.

Now select the entry from the products that you want to designate as an exception. In the following illustration, this is Microsoft Defender Antivirus. Now tick all the boxes under the classifications for the types of updates that you want to download. For Microsoft Defender, for example, only critical and security-related updates should always be downloaded.

67_CAWUM Download-Typ On Demand_932.png

On-demand settings for downloading updates

Hinweis  Note:  

You can specify a time frame in which updates may be downloaded. To do this, enter the number of months to be included in the download. The default value is 24 months.

Click on 1733143743698-898.png Save in the ribbon bar to save your changes. The adjustments will also download any updates that may not (yet) have been requested by the clients but which you have classified as important. This process is triggered in the background by the setup download, which is executed shortly afterwards.

This procedure ensures that critical security updates, for example, are downloaded in good time and are available as setup files when the updates are needed.

Warning  Warning:  

Be careful with the number of selected products and classifications for updates, as this can result in high storage space requirements and is equivalent to the option Always – download all updates.

Automatic declination of Windows Updates

This setting allows you to specify the number of days that must pass before an update that is no longer needed is automatically rejected. You defined the number entered here during the initial configuration in the First Steps Wizard. If you no longer wish to use this automatic function, uncheck the Automatically reject updates checkbox. 

Hinweis  Note:  

Checking this option helps ACMP to start cleaning itself after the time you have specified. Outdated updates, patches, etc. are automatically sorted out by this option. If you have implemented a functioning update process, you can leave the option deactivated.

Automatically accept Update EULAs

You can use this checkbox to automatically accept any update changes to the EULAs. The EULAs will then be automatically accepted as unread without you having to read the amended terms of use.

Warning  Warning:  

Automatically accepting EULAs may violate applicable law in your country.

Client Synchronization Options

The options for client synchronisation allow you to synchronise either rejected or withdrawn updates. If the Windows Update Scanner detects that a client requires a rejected or withdrawn update, this situation could be circumvented.

OptionDescription
Synchronize declined UpdatesRejected updates are additionally queried from the ACMP server. This allows a client to report installed or required rejected updates. For example, if it is suspected that a client urgently needs a rejected update to remain functional, this option could be selected.
Activating this option affects performance and data traffic, as a large number of additional updates are loaded into the system.
Synchronize revoked UpdatesWithdrawn updates are also queried from the ACMP server. Updates may be withdrawn by Microsoft for various reasons, e.g. if they cause problems or are outdated.
By activating this option, the withdrawn updates are reported to the ACMP server and can only be uninstalled via the console.

The reason for this is that certain updates are not synchronised with the clients by default, as this is intended to avoid problems and improve performance.
Tick the appropriate option as required. To save your changes, click 1733143922810-452.png Save.

67_CAWUM Einstellungen_Optionen2_1070.png

Windows Update Management settings

Third Party Catalogues

Third party catalogues can also be used to obtain updates from providers other than Microsoft.
These currently include updates from HP, Lenovo and Dell. Read more about third party catalogues here.

Test and Release

An important part of Windows Update Management is the automated distribution of selected updates. To do this, you need to define the test and release process that will be used for distribution. Here, you can assign the appropriate classifications to each product that is to be included, based on your own process. You can then define the transitions to the various test rings and the retention period that an update should adhere to. The latter option allows you to determine how quickly published updates and upgrades can be used and installed in your company.

Tip: Read the excurses How are products and classifications related in ACMP? to find out how the two areas influence each other.

With the delivery of ACMP, a default test and release process is defined, whereby updates are released directly.

Hinweis  Note:  

Please note that this is a standard testing and release process for Windows updates. Any Windows update that has not been explicitly assigned to a custom testing and release process will always be assigned to this process. For this reason, no filter settings are available for the default testing and release process.

To edit (1733144849912-156.png) (CTRL + E) or delete (1733144849912-908.png) (Del) an existing test and release process, click on the corresponding entry in the list and press the button for the respective action. When editing, a new window opens where you can edit the general information and content (products and classifications) or adjust the configuration again.

You can use the arrows on the side to move the priorities of the respective processes. Read more about this in the section Changing the priorities of test and release processes.

67_CAWUM EInstellungen_Übersicht Test- und Freigabeprozess_1059.png

Übersicht der Test- und Freigabeprozesse

Add test and release process

To add a new test and release process, click on the button (1733144928460-805.png) in the top bar or press the key combination CTRL + N in the open console. A wizard will open, where you can enter a name and description on the first page.  

Tip: Give the test and release process a unique name so that you can assign the correct process later on. It may be helpful to name the product, e.g. "Defender Test and Release Process" or "Office Test and Release Process", and create a separate process for each product/product collection.

67_Einstellungen_Test- und Freigabeprozess hinzufügen_966.png

Add general information about the testing and release process

Then click Next > to define the content of this testing and release process. On the next page, the selectable products and classifications are divided into two areas.

Hinweis  Note:  

Please note that you can ONLY select products that you have checked in the First Steps Wizard or later in the settings. If you notice that essential entries are missing here, you must cancel the wizard and add them before you can continue.

Tip: As already mentioned, it is advisable to create a separate testing and release process for each product/product group. Do not mix different products if different classifications involve different processes. It is better to create a separate process for each product with the respective classification so that you can determine the degree of distribution more individually.

In this example, the release process for the product Office > Microsoft 365 Apps/Office 2019/Office LTSC is to be determined. Therefore, tick this entry and select the classifications that are to be covered by it. If necessary, read here again to find out what type of update covers what. All types of "Updates" should be taken into account here (critical, definition, security updates, update rollups and updates). Click Next > again after you have activated all relevant checkboxes.

67_Einstellungen_Inhalte für Test und Freigabe_966.png

Define content for testing and release

On the last page, you must now define the test ring configuration. The structure of the rings stored here is similar and always follows the same sequence: The updates can be moved either manually or automatically (after a number of days specified by you) from No ring to Test ring 1 and Test ring 2 until they reach the release ring, where they are distributed and installed on all clients that meet the update requirements.

You can then view the respective distribution process and ring via the grid in Windows Update Management under the Updates tab. The two entries refer to the configurations you have made here and are listed as table entries.

All downloaded updates are initially located in No Ring. The radio buttons give you the following options:

No Ring

Manually move updates to the next ring.The update will only be postponed if you manually move it to the next ring.
Automatically move updates to test ring 1.Here, you can specify the waiting period in days, i.e. how long an update must have been in this ring before it is automatically moved to test ring 1.

Skip this ring and move updates directly to the next ring after reaching the distribution status Synchronisation or Synchronised.

The status of the downloaded files in the file repository is decisive here. If the files have already been distributed to the relevant file repositories, the distribution status is Synchronised, as they are available for retrieval.

Synchronisation means that the process is still running or currently taking place because the files are being queued and are not yet fully available.

Hinweis  Note:  

If the file repository is still synchronising, it may be that the files are not transferred because it has not yet received the requested data. In this case, you should wait a little while before the status changes.

After the updates from No Ring have been moved to Test Ring 1, you must define the further course of action:

Test ring 1

Manually move updates to the next ring.The update will only be postponed if you manually move it to the next ring.
Automatically move updates to test ring 2.Specify here after how many days the updates should be automatically moved to test ring 2. The waiting time must be entered in days.
Once the installation files are available, skip this ring and move updates directly to the next ring.In this case, this ring is skipped and updates are moved to the next ring.

Test ring 2

Manually move updates to the next ring.The update will only be postponed if you manually move it to the next ring.
Automatically move updates to the release ring.Here, you specify after how many days the updates should be moved to the release ring.
Once the installation files are available, skip this ring and move updates directly to the next ring.In this case, this ring is skipped and updates are moved to the next ring.

All updates that have now passed through the distribution rings are now in the release ring. The release ring is the final stage before the updates are distributed and installed on the clients.

Hinweis  Note:  

Updates are only distributed to and installed on a client if it meets all the requirements (e.g. the appropriate operating system, the client reports the update as required, or the EULA must be activated).

67_Einstellungen_Test- und Freigabeprozess Konfiguration_966.png

Example configuration of a test and release ring

Finish the configurations and click Done. The newly added process is now listed in the overview and can be distributed.

After this configuration, the result would be as follows:

All updates released by Microsoft for the product Microsoft 365 Apps/Office 2019/Office LTSC with the classifications Critical, Definition, Security Updates, Update Rollups and Updates would first be placed in Test Ring 1 after you downloaded them. They would remain there for seven days until they were transferred to Test Ring 2 and finally released after another seven days.

Hinweis  Note:  

Microsoft has a fixed update cycle according to which new releases are made available. Read the section „Update cycle: How does the update from Microsoft get to the ACMP Client?“ to find out which steps are taken in each case and how the testing and release processes affect this.

Changing the priorities of test and release processes

You can change the priorities of test and release processes if the same products appear in different processes. The priority determines which updates can be distributed first.

You can see the priority of each process in the table on the left. The numbers below the asterisk column indicate the type of priority. Prioritisation works as follows: the smaller the number, the higher the priority. Change the order by using the arrows (1733145433176-476.png ,1733145433176-745.png ,1733145433176-934.png ,1733145433177-660.png ) to move the processes to the appropriate position.

Example: The product Microsoft Defender Antivirus (Windows > Microsoft Defender Antivirus) is selected/used in both the "Microsoft Security Updates" and "Defender Testing and Release Process" processes. "Microsoft Security Updates" has priority 1, while the "Defender Test and Release Process" has priority 6. Since there is only one assignment within the test and release process, the one with the highest priority is selected. The updates are therefore distributed via the "Microsoft Security Updates" process.

67_CAWUM Priorität Test- und Freigabeprozess_461.png

Change priorities of testing and release processes

© Aagon GmbH 2025
Besuchen Sie unsere Aagon-Community