Windows Updates

Windows Update on home vs managed PCs

Practical Windows guide: windows Update on home vs managed PCs without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026
Windows library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Understand how Windows Update behaves on a home PC versus a domain- or Intune-managed machine, and where to change settings on each.

1) Home and unmanaged PCs

  1. Updates come directly from Microsoft via Settings → Windows Update.
  2. You control pause duration, active hours, and optional feature update timing (within what Microsoft allows on Home).
  3. There is no local WSUS server — the PC talks to Windows Update servers on the internet.

2) Domain-joined PCs (WSUS / Group Policy)

  1. Administrators point clients to a WSUS server via Group Policy: Computer Configuration → Administrative Templates → Windows Components → Windows Update → Specify intranet Microsoft update service location.
  2. Approved updates download from the internal WSUS server, not directly from the internet.
  3. Check policy status: Win + Rrsop.msc (Resultant Set of Policy) or gpresult /h C:\gpreport.html.

3) Microsoft Intune / Entra-managed PCs

  1. Update rings and deferrals are set in the Intune admin centre, not locally.
  2. On the PC, open Settings → Accounts → Access work or school to see enrolment.
  3. Some options in Windows Update show Some settings are managed by your organisation.

4) Verify update source on any PC

Admin PowerShell:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue | Select-Object WUServer, WUStatusServer

If WUServer is set, the PC uses WSUS. Empty values mean direct Windows Update.

5) Intune Windows Update rings

  1. Admins assign devices to rings (Pilot, Broad) with different deferral and deadline policies.
  2. On device: Settings → Accounts → Access work or school → Connected to <org> → Info shows sync status.

6) Force policy refresh on client

gpupdate /force
UsoClient StartScan

7) Delivery Optimization on work PCs

  1. Settings → Windows Update → Advanced options → Delivery Optimization — domain PCs may disable peer caching via policy.
  2. Verify: Get-DeliveryOptimizationStatus in PowerShell.

8) Windows Update for Business without WSUS

Small business can use Intune cloud policy without hosting WSUS — devices still talk to Microsoft CDN but deferrals apply via cloud MDM.

  1. Hybrid: WSUS for LAN caching plus cloud policy for deferral rings.
  2. Verify dual stack: USOClient StartScan after policy change.

Verification checklist

Document whether WUServer registry key is empty on home PCs and populated on managed ones. Screenshot Settings showing organisation-managed message for audit trail on work laptops.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Related guides

update vs windows wsus

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Updates
Pause or defer Windows updates
Practical Windows guide: pause or defer Windows updates without the usual guesswork.
Read guide
Updates
Update device drivers safely
Practical Windows guide: update device drivers safely without the usual guesswork.
Read guide