Windows Update Management
Within the Windows Update Management settings, you can subsequently make changes to settings already set for products and classifications and configure the testing and release processes. This makes it possible to remove or add further products and classifications at a later date, as well as to take language adjustments into account. If your selection of hardware manufacturers is expanded, you can also include additional third-party providers at a later stage and select them via the settings and include them in the meta and setup data download.
The settings were stored in the First Steps Wizard for Windows Update Management during the initial setup.
Navigate to the settings (System > Settings > Windows Update Management) or alternatively open them via the plugin by clicking 
Open in the ribbon bar.
Products
The settings you have already made in the First Steps Wizard are listed under Products. This allows you to adjust the configurations retrospectively and adapt them to updated conditions in your working environment. The listed products include:
- Products
- Classifications
- Languages (as well as Microsoft 365 app languages and additional correction tools)
Settings for products, classifications and languages
If you need to add or deselect products, classifications or languages, you can make these changes conveniently on this page. To save, click 
Save in the ribbon bar.
Options
Update download options
Windows Update Management downloads the available updates to your File Repository in the background. The download is divided into two parts, with the metadata being downloaded via a separate job. These download options mainly concern how the setup files are downloaded. You can use the button to select the download type for the installation files:
| Download type | Description | |
| On Demand – only download if at least one Client needs the Update | This is the default setting, which is also recommended. The download includes metadata containing all necessary information. However, the download of the setup files is only triggered when the client sends feedback. This means that only the setup files for updates that are required by at least one client are downloaded.
You can also use the option Always download updates for these products and classifications to specify an additional criterion for obtaining further updates that might not otherwise be included in the defined process. Read more about this in the section on Special feature: Always download updates for these products and classifications. |
|
| Always - download all Updates | This setting downloads the setup files for all updates. This is also the case if they are not installed or required by any client.
Please note that this download type requires the most storage space, as all setup files are downloaded to your file repository. The storage space required here can quickly run into several 100 GB. |  |
If your file repository cannot provide the required storage space, we recommend that you move the ACMP Server to a file repository.
Note:
Please note the free storage space on your distributed file repositories.
If you activate the Windows Updates content type, the setup files will be copied to the distributed file repositories depending on the sync profile.
With the checkbox Only download updates newer than, you can specify a specific date for the downloads. To do this, activate the checkbox and select a date that sets the time limit.
Update download Options
Special feature: Always download updates for these products and classifications
With the download type On Demand – only download if at least one client requires the update, you can configure an additional setting to define exceptions for updates that are not affected by the actual configuration. To do this, you must select the ‘Always download updates for these products and classifications’ checkbox. This allows you to define exceptions for which updates are always downloaded as soon as they are available and meet your criteria (the classifications).
With this setting, it is irrelevant that you have selected the On Demand type, as this is intended to ensure that all important updates (e.g. critical or security-related updates) can be made available promptly and distributed quickly to the clients.
Procedure
Activate the option by first ticking the checkbox ‘Always download updates for these products and classifications’. This will make the lower section (Products and classifications) editable. Now select all entries that are to be combined with each other and thus included in the download type.
Note:
This option allows you to specify explicit exceptions for which updates should still be downloaded.
Now select the entry from the products that you want to designate as an exception. In the following illustration, this is Microsoft Defender Antivirus. Now tick all the boxes under the classifications for the types of updates that you want to download. For Microsoft Defender, for example, only critical and security-related updates should always be downloaded.
On-demand settings for downloading updates
Note:
You can specify a time frame in which updates may be downloaded. To do this, enter the number of months to be included in the download. The default value is 24 months.
Click on 
Save in the ribbon bar to save your changes. The adjustments will also download any updates that may not (yet) have been requested by the clients but which you have classified as important. This process is triggered in the background by the setup download, which is executed shortly afterwards.
This procedure ensures that critical security updates, for example, are downloaded in good time and are available as setup files when the updates are needed.
Warning:
Be careful with the number of selected products and classifications for updates, as this can result in high storage space requirements and is equivalent to the option Always – download all updates.
Automatic declination of Windows Updates
This setting allows you to specify the number of days that must pass before an update that is no longer needed is automatically rejected. You defined the number entered here during the initial configuration in the First Steps Wizard. If you no longer wish to use this automatic function, uncheck the Automatically reject updates checkbox.
Note:
Checking this option helps ACMP to start cleaning itself after the time you have specified. Outdated updates, patches, etc. are automatically sorted out by this option. If you have implemented a functioning update process, you can leave the option deactivated.
Automatically accept Update EULAs
You can use this checkbox to automatically accept any update changes to the EULAs. The EULAs will then be automatically accepted as unread without you having to read the amended terms of use.
Warning:
Automatically accepting EULAs may violate applicable law in your country.
Client Synchronization Options
The options for client synchronisation allow you to synchronise either rejected or withdrawn updates. If the Windows Update Scanner detects that a client requires a rejected or withdrawn update, this situation could be circumvented.
| Option | Description |
| Synchronize declined Updates | Rejected updates are additionally queried from the ACMP server. This allows a client to report installed or required rejected updates. For example, if it is suspected that a client urgently needs a rejected update to remain functional, this option could be selected. Activating this option affects performance and data traffic, as a large number of additional updates are loaded into the system. |
| Synchronize revoked Updates | Withdrawn updates are also queried from the ACMP server. Updates may be withdrawn by Microsoft for various reasons, e.g. if they cause problems or are outdated. By activating this option, the withdrawn updates are reported to the ACMP server and can only be uninstalled via the console. |
The reason for this is that certain updates are not synchronised with the clients by default, as this is intended to avoid problems and improve performance.
Tick the appropriate option as required. To save your changes, click 
Save.
Windows Update Management settings
Third Party Catalogues
Third party catalogues can also be used to obtain updates from providers other than Microsoft.
These currently include updates from HP, Lenovo and Dell. Read more about third party catalogues here.
Test and Release
An important part of Windows Update Management is the automated distribution of selected updates. To do this, you need to define the test and release process that will be used for distribution. Here, you can assign the appropriate classifications to each product that is to be included, based on your own process. You can then define the transitions to the various test rings and the retention period that an update should adhere to. The latter option allows you to determine how quickly published updates and upgrades can be used and installed in your company.
Tip: Read the excurses How are products and classifications related in ACMP? to find out how the two areas influence each other.
With the delivery of ACMP, a default test and release process is defined, whereby updates are released directly.
Note:
Please note that this is a standard testing and release process for Windows updates. Any Windows update that has not been explicitly assigned to a custom testing and release process will always be assigned to this process. For this reason, no filter settings are available for the default testing and release process.
To edit (
) (CTRL + E) or delete (
) (Del) an existing test and release process, click on the corresponding entry in the list and press the button for the respective action. When editing, a new window opens where you can edit the general information and content (products and classifications) or adjust the configuration again.
You can use the arrows on the side to move the priorities of the respective processes. Read more about this in the section Changing the priorities of test and release processes.
Übersicht der Test- und Freigabeprozesse
Add test and release process
To add a new test and release process, click on the button (
) in the top bar or press the key combination CTRL + N in the open console. A wizard will open, where you can enter a name and description on the first page.
Tip: Give the test and release process a unique name so that you can assign the correct process later on. It may be helpful to name the product, e.g. "Defender Test and Release Process" or "Office Test and Release Process", and create a separate process for each product/product collection.
Add general information about the testing and release process
Then click Next > to define the content of this testing and release process. On the next page, the selectable products and classifications are divided into two areas.
Note:
Please note that you can ONLY select products that you have checked in the First Steps Wizard or later in the settings. If you notice that essential entries are missing here, you must cancel the wizard and add them before you can continue.
Tip: As already mentioned, it is advisable to create a separate testing and release process for each product/product group. Do not mix different products if different classifications involve different processes. It is better to create a separate process for each product with the respective classification so that you can determine the degree of distribution more individually.
In this example, the release process for the product Office > Microsoft 365 Apps/Office 2019/Office LTSC is to be determined. Therefore, tick this entry and select the classifications that are to be covered by it. If necessary, read here again to find out what type of update covers what. All types of "Updates" should be taken into account here (critical, definition, security updates, update rollups and updates). Click Next > again after you have activated all relevant checkboxes.
Define content for testing and release
On the last page, you must now define the test ring configuration. The structure of the rings stored here is similar and always follows the same sequence: The updates can be moved either manually or automatically (after a number of days specified by you) from No ring to Test ring 1 and Test ring 2 until they reach the release ring, where they are distributed and installed on all clients that meet the update requirements.
You can then view the respective distribution process and ring via the grid in Windows Update Management under the Updates tab. The two entries refer to the configurations you have made here and are listed as table entries.
All downloaded updates are initially located in No Ring. The radio buttons give you the following options:
No Ring
| Manually move updates to the next ring. | The update will only be postponed if you manually move it to the next ring. |
| Automatically move updates to test ring 1. | Here, you can specify the waiting period in days, i.e. how long an update must have been in this ring before it is automatically moved to test ring 1. |
Skip this ring and move updates directly to the next ring after reaching the distribution status Synchronisation or Synchronised. | The status of the downloaded files in the file repository is decisive here. If the files have already been distributed to the relevant file repositories, the distribution status is Synchronised, as they are available for retrieval. Synchronisation means that the process is still running or currently taking place because the files are being queued and are not yet fully available.
If the file repository is still synchronising, it may be that the files are not transferred because it has not yet received the requested data. In this case, you should wait a little while before the status changes. |
After the updates from No Ring have been moved to Test Ring 1, you must define the further course of action:
Test ring 1
| Manually move updates to the next ring. | The update will only be postponed if you manually move it to the next ring. |
| Automatically move updates to test ring 2. | Specify here after how many days the updates should be automatically moved to test ring 2. The waiting time must be entered in days. |
| Once the installation files are available, skip this ring and move updates directly to the next ring. | In this case, this ring is skipped and updates are moved to the next ring. |
Test ring 2
| Manually move updates to the next ring. | The update will only be postponed if you manually move it to the next ring. |
| Automatically move updates to the release ring. | Here, you specify after how many days the updates should be moved to the release ring. |
| Once the installation files are available, skip this ring and move updates directly to the next ring. | In this case, this ring is skipped and updates are moved to the next ring. |
All updates that have now passed through the distribution rings are now in the release ring. The release ring is the final stage before the updates are distributed and installed on the clients.
Note:
Updates are only distributed to and installed on a client if it meets all the requirements (e.g. the appropriate operating system, the client reports the update as required, or the EULA must be activated).
Example configuration of a test and release ring
Finish the configurations and click Done. The newly added process is now listed in the overview and can be distributed.
After this configuration, the result would be as follows:
All updates released by Microsoft for the product Microsoft 365 Apps/Office 2019/Office LTSC with the classifications Critical, Definition, Security Updates, Update Rollups and Updates would first be placed in Test Ring 1 after you downloaded them. They would remain there for seven days until they were transferred to Test Ring 2 and finally released after another seven days.
Note:
Microsoft has a fixed update cycle according to which new releases are made available. Read the section „Update cycle: How does the update from Microsoft get to the ACMP Client?“ to find out which steps are taken in each case and how the testing and release processes affect this.
Changing the priorities of test and release processes
You can change the priorities of test and release processes if the same products appear in different processes. The priority determines which updates can be distributed first.
You can see the priority of each process in the table on the left. The numbers below the asterisk column indicate the type of priority. Prioritisation works as follows: the smaller the number, the higher the priority. Change the order by using the arrows (
,
,
,
) to move the processes to the appropriate position.
Example: The product Microsoft Defender Antivirus (Windows > Microsoft Defender Antivirus) is selected/used in both the "Microsoft Security Updates" and "Defender Testing and Release Process" processes. "Microsoft Security Updates" has priority 1, while the "Defender Test and Release Process" has priority 6. Since there is only one assignment within the test and release process, the one with the highest priority is selected. The updates are therefore distributed via the "Microsoft Security Updates" process.
Change priorities of testing and release processes