Anavem
EnglishFrancais
Anavem
Languagefr
How to Deploy Windows 11 KB5079391 Update Using WSUS and Group Policy

How to Deploy Windows 11 KB5079391 Update Using WSUS and Group Policy

Deploy Microsoft's KB5079391 preview update across Windows 11 24H2/25H2 enterprise environments using WSUS approval workflows, deployment rings, and automated rollback procedures.

April 22, 2026 15 min
mediumwsus 8 steps 15 min

Why Deploy KB5079391 Through WSUS Instead of Direct Installation?

Microsoft's KB5079391 represents a significant cumulative update for Windows 11 24H2 and 25H2 systems, bringing 29 improvements including Smart App Control enhancements and display optimizations. While individual systems can download this update directly from Windows Update, enterprise environments require controlled, phased deployment strategies to minimize business disruption and ensure system stability across hundreds or thousands of endpoints.

WSUS (Windows Server Update Services) combined with Group Policy provides the enterprise-grade control needed for large-scale update deployment. This approach allows you to test updates on pilot systems, create deployment rings for gradual rollout, and maintain centralized visibility into installation progress. Most importantly, it gives you the ability to halt deployment immediately if issues arise and implement automated rollback procedures across your entire fleet.

What Makes KB5079391 Different from Previous Updates?

This April 2026 Patch Tuesday release includes automated PowerShell remediation capabilities for fleet-wide management, addressing installation issues that plagued previous updates like KB5074109 and KB5078127. However, the update still requires careful deployment planning due to its size and the critical nature of the security fixes it contains. The update targets Windows 11 24H2 systems primarily, with enterprise testing phases extending to 25H2 environments.

Unlike smaller monthly updates, KB5079391 includes both security patches and feature improvements, making thorough testing essential before broad deployment. The update also requires the latest Servicing Stack Update (SSU) to be installed first, which WSUS handles automatically when properly configured. Understanding these dependencies and implementing proper deployment rings ensures your organization can benefit from the security improvements while maintaining system stability and user productivity.

Implementation Guide

Full Procedure

01

Configure WSUS Server and Sync KB5079391

Start by ensuring your WSUS server can download and distribute KB5079391. Open the WSUS Administration Console and navigate to the synchronization settings.

# Open WSUS Console or use PowerShell
Get-WsusServer | Get-WsusSubscription | Start-WsusServerSynchronization

Navigate to Options > Products and Classifications. Ensure these are selected:

  • Products: Windows 11, version 24H2 and later versions
  • Classifications: Security Updates, Critical Updates, Update Rollups

Force a manual sync by going to Options > Synchronization Schedule > Synchronize Now. This process typically takes 15-30 minutes depending on your connection.

Pro tip: Enable automatic synchronization daily at 2 AM to catch future updates automatically. Set this under Synchronization Schedule.

Verification: After sync completes, navigate to Updates > All Updates and search for "KB5079391". You should see the update listed with a status of "Not Approved".

02

Create Deployment Ring Computer Groups

Establish deployment rings to control the rollout pace. In WSUS Console, navigate to Computers > All Computers and create new computer groups.

Right-click All Computers > Add Computer Group and create these groups:

  • Pilot Ring - 5-10% of your environment
  • Early Adopters - 25% of remaining systems
  • Broad Deployment - All remaining production systems

Configure Group Policy to automatically assign computers to these groups. Create a new GPO called "WSUS Computer Group Assignment":

# Navigate to: Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
# Create a startup script that runs:
wuauclt /detectnow
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetGroup /t REG_SZ /d "Pilot Ring" /f

Link this GPO to your pilot OU containing test machines. Create similar GPOs for other rings with appropriate TargetGroup values.

Warning: Never deploy directly to Domain Controllers or critical infrastructure servers without extensive testing in isolated environments first.

Verification: Run gpupdate /force on a test machine, then check WSUS Console after 10-15 minutes. The computer should appear in the correct group.

03

Configure Windows Update Group Policy Settings

Create a comprehensive Group Policy to control how clients interact with your WSUS server. Open Group Policy Management and create a new GPO called "Windows Update - WSUS Configuration".

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update and configure these settings:

Specify intranet Microsoft update service location:
- Enabled
- Intranet update service: http://your-wsus-server:8530
- Intranet statistics server: http://your-wsus-server:8530

Configure Automatic Updates:
- Enabled
- Configure automatic updating: 4 - Auto download and schedule install
- Scheduled install day: Every day
- Scheduled install time: 03:00

Allow signed updates from an intranet Microsoft update service location:
- Enabled

Do not connect to any Windows Update Internet locations:
- Enabled

For deployment ring control, configure these additional settings:

Select when Preview Builds and Feature Updates are received:
- Enabled
- Windows readiness level: Semi-Annual Channel
- Defer feature updates: 365 days (for production rings)

Select when Quality Updates are received:
- Enabled
- Defer quality updates: 0 days (Pilot), 7 days (Early), 14 days (Broad)

Verification: On a test client, run gpupdate /force then gpresult /r to confirm policy application. Check Windows Update settings show your WSUS server.

04

Approve KB5079391 for Pilot Deployment

Now approve the update for your pilot ring. In WSUS Console, navigate to Updates > All Updates and locate KB5079391. You can filter by "Security Updates" and "Unapproved" status to find it quickly.

Right-click KB5079391 and select Approve. In the approval dialog:

  • Select Pilot Ring computer group
  • Choose Approved for Install
  • Set deadline: 7 days from now
  • Leave other groups as "Not Approved"
# Alternative: Use PowerShell for approval
$wsus = Get-WsusServer
$update = $wsus.GetUpdates() | Where-Object {$_.KnowledgebaseArticles -contains "5079391"}
$pilotGroup = $wsus.GetComputerTargetGroups() | Where-Object {$_.Name -eq "Pilot Ring"}
$update.Approve("Install", $pilotGroup)

Monitor the approval process in Update Services > Server Name > Updates > Update Status Summary. You should see the update move from "Unapproved" to "Approved" status.

Pro tip: Set up email notifications for update approvals by configuring SMTP settings under Options > E-Mail Notifications. This helps track deployment progress automatically.

Verification: Check that pilot machines receive the update by running wuauclt /detectnow on a pilot system, then checking Windows Update history.

05

Monitor Pilot Installation and Gather Feedback

Monitor the pilot deployment closely for the first 48-72 hours. Use WSUS reporting and PowerShell to track installation progress and identify issues.

Generate installation reports in WSUS Console:

  1. Navigate to Reports > Update Reports > Update Status Summary
  2. Select KB5079391 and Pilot Ring computer group
  3. Run the report to see installation status breakdown

Use PowerShell to check installation status across pilot machines:

# Check update installation status on remote machines
$pilotComputers = @("PC001", "PC002", "PC003")  # Replace with actual hostnames
foreach ($computer in $pilotComputers) {
    try {
        $hotfix = Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-HotFix | Where-Object {$_.HotFixID -eq "KB5079391"}
        }
        if ($hotfix) {
            Write-Host "$computer: KB5079391 installed on $($hotfix.InstalledOn)" -ForegroundColor Green
        } else {
            Write-Host "$computer: KB5079391 not installed" -ForegroundColor Yellow
        }
    } catch {
        Write-Host "$computer: Connection failed - $($_.Exception.Message)" -ForegroundColor Red
    }
}

Monitor for common issues like system freezes or application compatibility problems. Create a feedback collection process using:

  • Event Viewer logs (System and Application)
  • User-reported issues through helpdesk tickets
  • Automated health checks via PowerShell scripts
Warning: If more than 10% of pilot systems experience issues, halt the deployment immediately and investigate. Common problems include system freezes similar to previous updates like KB5074109.

Verification: Confirm successful installation by checking that pilot systems show the update in Settings > Windows Update > Update History and system stability remains normal after 72 hours.

06

Deploy to Broader Rings After Pilot Success

After confirming pilot success (typically 5-7 days), expand deployment to your Early Adopters ring, then to Broad Deployment. Return to WSUS Console and modify the approval for KB5079391.

Right-click KB5079391 and select Approve. Update the approval settings:

  • Early Adopters: Approved for Install with 5-day deadline
  • Keep Pilot Ring as approved
  • Leave Broad Deployment as "Not Approved" for now

Use PowerShell to automate the phased rollout:

# Approve for Early Adopters ring
$wsus = Get-WsusServer
$update = $wsus.GetUpdates() | Where-Object {$_.KnowledgebaseArticles -contains "5079391"}
$earlyGroup = $wsus.GetComputerTargetGroups() | Where-Object {$_.Name -eq "Early Adopters"}
$update.Approve("Install", $earlyGroup)

# Set deadline (optional)
$deadline = (Get-Date).AddDays(5)
$update.Approve("Install", $earlyGroup, $deadline)

Monitor Early Adopters deployment for 3-5 days, then proceed to Broad Deployment if no issues arise. For the final phase:

# Final approval for Broad Deployment
$broadGroup = $wsus.GetComputerTargetGroups() | Where-Object {$_.Name -eq "Broad Deployment"}
$update.Approve("Install", $broadGroup)

Track overall deployment progress using WSUS reports. Generate weekly status reports showing installation percentages across all rings.

Verification: Use the Update Status Summary report to confirm deployment reaches target percentages: 100% Pilot, 95%+ Early Adopters, and 90%+ Broad Deployment within your defined timeframes.

07

Implement Automated Rollback Procedures

Prepare automated rollback capabilities before broad deployment. Create PowerShell scripts and Group Policy configurations to quickly remove KB5079391 if critical issues emerge.

Create a rollback script that can be deployed via Group Policy startup scripts:

# Save as Remove-KB5079391.ps1
param(
    [switch]$Force,
    [switch]$NoRestart
)

# Check if update is installed
$update = Get-HotFix | Where-Object {$_.HotFixID -eq "KB5079391"}
if (-not $update) {
    Write-Host "KB5079391 not found on this system" -ForegroundColor Yellow
    exit 0
}

try {
    Write-Host "Removing KB5079391..." -ForegroundColor Yellow
    
    # Method 1: Using wusa.exe
    $process = Start-Process -FilePath "wusa.exe" -ArgumentList "/uninstall /kb:5079391 /quiet $(if($NoRestart){'/norestart'})" -Wait -PassThru
    
    if ($process.ExitCode -eq 0) {
        Write-Host "KB5079391 removed successfully" -ForegroundColor Green
        
        # Log the removal
        $logEntry = "$(Get-Date): KB5079391 removed from $env:COMPUTERNAME"
        Add-Content -Path "C:\Windows\Temp\KB5079391_Removal.log" -Value $logEntry
        
        if (-not $NoRestart) {
            Write-Host "System will restart in 60 seconds..." -ForegroundColor Yellow
            shutdown /r /t 60 /c "KB5079391 removal requires restart"
        }
    } else {
        throw "wusa.exe failed with exit code $($process.ExitCode)"
    }
} catch {
    Write-Error "Failed to remove KB5079391: $($_.Exception.Message)"
    exit 1
}

Deploy the rollback script via Group Policy when needed:

  1. Copy the script to SYSVOL: \domain.com\SYSVOL\domain.com\scripts\
  2. Create a new GPO called "Emergency KB5079391 Rollback"
  3. Navigate to Computer Configuration > Windows Settings > Scripts > Startup
  4. Add the PowerShell script with appropriate parameters
Pro tip: Test the rollback script on a dedicated test machine before creating the GPO. Ensure it works in both normal mode and Safe Mode scenarios.

For immediate rollback across multiple systems, use PowerShell remoting:

# Emergency fleet rollback
$computers = Get-ADComputer -Filter "OperatingSystem -like '*Windows 11*'" | Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $computers -ScriptBlock {
    wusa.exe /uninstall /kb:5079391 /quiet /norestart
} -ThrottleLimit 10

Verification: Test rollback procedures on pilot systems first. Confirm the update is removed by checking Get-HotFix output and Windows Update history.

08

Monitor and Report Deployment Status

Establish comprehensive monitoring and reporting for the entire deployment lifecycle. Create automated reports that track installation progress, failures, and system health post-deployment.

Set up automated WSUS reporting using PowerShell:

# Create daily deployment status report
$wsus = Get-WsusServer
$update = $wsus.GetUpdates() | Where-Object {$_.KnowledgebaseArticles -contains "5079391"}

# Get installation statistics
$groups = $wsus.GetComputerTargetGroups()
$report = @()

foreach ($group in $groups) {
    if ($group.Name -in @("Pilot Ring", "Early Adopters", "Broad Deployment")) {
        $computers = $group.GetComputerTargets()
        $total = $computers.Count
        
        $installed = 0
        $failed = 0
        $pending = 0
        
        foreach ($computer in $computers) {
            $status = $computer.GetUpdateInstallationInfoPerUpdate($update)
            switch ($status.UpdateInstallationState) {
                "Installed" { $installed++ }
                "Failed" { $failed++ }
                "NotInstalled" { $pending++ }
            }
        }
        
        $report += [PSCustomObject]@{
            Group = $group.Name
            Total = $total
            Installed = $installed
            Failed = $failed
            Pending = $pending
            SuccessRate = if($total -gt 0) { [math]::Round(($installed / $total) * 100, 2) } else { 0 }
        }
    }
}

# Generate HTML report
$html = $report | ConvertTo-Html -Title "KB5079391 Deployment Status" -PreContent "
KB5079391 Deployment Report - $(Get-Date)
"
$html | Out-File "C:\Reports\KB5079391_Status_$(Get-Date -Format 'yyyyMMdd').html"

Create a monitoring dashboard that tracks:

  • Installation success rates by deployment ring
  • Failed installations with error codes
  • System stability metrics post-installation
  • Help desk ticket volume related to the update

Set up email alerts for critical thresholds:

# Alert if failure rate exceeds 5%
foreach ($ring in $report) {
    $failureRate = if($ring.Total -gt 0) { ($ring.Failed / $ring.Total) * 100 } else { 0 }
    
    if ($failureRate -gt 5) {
        $subject = "ALERT: High KB5079391 failure rate in $($ring.Group)"
        $body = "Failure rate: $failureRate% ($($ring.Failed)/$($ring.Total) systems)"
        Send-MailMessage -To "admin@company.com" -Subject $subject -Body $body -SmtpServer "mail.company.com"
    }
}
Warning: Monitor for Error 0x80240069 during WSUS deployment, which has been seen with similar security updates. If encountered, restart the WSUS service and manually import the update from Microsoft Update Catalog.

Verification: Confirm monitoring is working by checking that reports generate correctly and alert thresholds trigger appropriate notifications during test scenarios.

Frequently Asked Questions

What happens if KB5079391 causes system freezes like previous Windows 11 updates?+
If KB5079391 causes system freezes similar to KB5074109 or KB5078127, immediately boot affected systems into Safe Mode and run the uninstall command 'wusa.exe /uninstall /kb:5079391 /quiet /norestart'. For fleet-wide issues, deploy the PowerShell rollback script via Group Policy startup scripts to automatically remove the update from all affected systems. Always ensure System Restore is enabled before deployment to provide an additional recovery option.
How do I handle WSUS Error 0x80240069 when deploying KB5079391?+
Error 0x80240069 typically occurs when WSUS cannot properly sync or approve security updates. First, restart the WSUS service using 'Restart-Service wsusservice' in PowerShell. If the error persists, manually download KB5079391 from the Microsoft Update Catalog and import it directly into WSUS. Check that your WSUS server has sufficient disk space and that the Products and Classifications settings include Windows 11 24H2 and Security Updates.
Can I deploy KB5079391 to Windows 11 25H2 systems through the same WSUS configuration?+
Yes, KB5079391 applies to both Windows 11 24H2 and 25H2 systems as it's a cumulative security update. Ensure your WSUS Products settings include both 'Windows 11, version 24H2' and any 25H2 classifications when they become available. The same deployment rings and Group Policy configurations work across both versions, but test on 25H2 systems separately in your pilot ring to verify compatibility.
What's the difference between deploying KB5079391 standalone versus the combined SSU package?+
KB5079391 may come as a combined package with the latest Servicing Stack Update (SSU) for reliable installation. When deploying through WSUS, the combined package is preferred as it ensures proper installation order. If you download the standalone .msu from Microsoft Update Catalog, verify that target systems have the latest SSU installed first. Note that SSU components cannot be uninstalled once installed, so the rollback procedures only affect the cumulative update portion.
How long should I wait between deployment ring phases for KB5079391?+
Wait 5-7 days after pilot ring deployment before moving to Early Adopters, monitoring for system stability, application compatibility issues, and user-reported problems. Allow 3-5 days between Early Adopters and Broad Deployment phases. For critical security updates like KB5079391, you can accelerate the timeline to 3-5 days for pilot and 2-3 days for early adopters if no issues are detected. Always maintain at least 72 hours of monitoring after each phase to catch delayed issues like system freezes or performance degradation.
Tags
#wsus#group-policy#windows-update

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID
tutorial
Cybersecurity

How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID

Deep Dive
How to Configure Maintenance Windows in Microsoft Intune for Update Control
tutorial
Cloud Computing

How to Configure Maintenance Windows in Microsoft Intune for Update Control

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account