The point of an update policy is to make the update process predictable, with procedures for notifying users so that they can plan their work accordingly and avoid unexpected downtime. The policy needs to address several distinct types of updates.
The most familiar are the monthly cumulative security and reliability updates that are delivered on the second Tuesday of each month (aka Patch Tuesday). The Patch Tuesday release typically also includes the Windows Malicious Software Removal Tool and may include any of the following additional types of updates:
- Security updates for .NET Framework
- Security updates for Adobe Flash Player
- Servicing stack updates (which must be installed before other updates)
The update policy should include the following elements for each managed PC:
- When to install monthly updates: Using the default Windows settings, monthly updates are downloaded and installed within 24 hours of their release on Patch Tuesday.
- When to install semi-annual feature updates: Using the default Windows settings, feature updates are downloaded and installed when Microsoft says they’re ready.
- When to allow PCs to restart to complete installation of updates: Most updates require a restart to complete installation.
- How to notify PC users of pending updates and restarts: To avoid unpleasant surprises, Windows 10 notifies users when updates are pending.
- How to handle out-of-band updates: Occasionally, Microsoft releases critical security updates outside of its normal Patch Tuesday schedule. Typically, these are intended to address security vulnerabilities that are being exploited "in the wild."
Managing updates manually
To configure Windows Update manually, start at Settings > Update & Security > Windows Update, where you can adjust two groups of settings.
First, click Change Active Hours and adjust the settings to reflect your actual work habits.
Next, click Advanced Options and adjust the settings under the Choose When Updates Are Installed heading to reflect your policy.
- Choose how many days to delay installation of feature updates. The maximum value is 365 days.
- Choose how many days to delay installation of quality updates, including the cumulative security updates released on Patch Tuesday. The maximum value is 30 days.
Other settings on this page control the display of restart notifications (on by default) and whether to allow updates to download on metered connections (off by default).
Managing updates using Group Policy
A significant number of policies are exclusively for Windows 10. The most important are those associated with the Windows Update for Business feature, which are located in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
- Select when Preview Builds and Feature Updates are received: Choose a servicing channel and set delays for feature updates.
- Select when Quality Updates are received: Set delays for monthly cumulative updates and other security-related updates.
- Manage preview builds: Specify whether users can join a machine to the Windows Insider Program and, if enabled, specify the Insider ring.
An additional group of policies is located in Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Remove access to "Pause updates" feature: Prevent users from interfering with installation of updates by removing the option to pause updates for up to 35 days.
- Remove access to all Windows Update features: Prevent users from changing any Windows Update settings.
- Allow updates to be downloaded automatically over metered connections: Allow updates to be installed on devices using a metered connection such as an LTE connection.
- Do not include drivers with Windows Updates: Prevent Windows Update from installing device drivers.
The following settings, all specific to Windows 10, apply to restarts and notifications:
- Turn off auto-restart for updates during active hours: Ensure that devices don’t restart to install updates during normal working hours.
- Specify active hours range for auto-restarts: Change the default active hours settings.
- Specify deadline before auto-restart for update installation: Choose a deadline (between 2 and 14 days) after which a restart to apply updates will be automatic.
- Configure auto-restart reminder notifications for updates: Increase the time prior to a scheduled restart when the user is notified. Acceptable values are 15 minutes (default) to 240 minutes.
- Turn off auto-restart notifications for update installations: Completely disable restart notifications.
- Configure auto-restart required notification for updates: Prevent notifications from disappearing after 25 seconds and instead require the user to dismiss them.
- Do not allow update deferral policies to cause scans against Windows Update: Use this policy to prevent PCs from checking Windows Update when a deferral is assigned.
- Specify Engaged restart transition and notification schedule for updates: Use this policy to allow users to schedule restarts and "snooze" restart reminders.
- Configure auto-restart warning notifications schedule for updates: Configure reminders of automatic restarts (from 4 to 24 hours) and warnings of imminent restarts (from 15 to 60 minutes).
- Update power policy for Cart Restarts: This policy is for educational systems that remain on carts overnight and allows updates to be installed even on battery power.
- Display options for update notifications: Use these settings to completely disable update notifications with the option to include or exclude restart warnings.
The following policies apply to Windows 10 as well as some older Windows versions:
- Configure Automatic Updates: This powerful group of settings allows you to specify a consistent weekly, bi-weekly, or monthly update schedule, with the option to specify the day and time during which all available updates are automatically downloaded and installed.
- Specify intranet Microsoft update service location: Use this policy to configure a Windows Server Update Services (WSUS) server on a Windows domain network. (See the following section for more on this option.)
- Enable client-side targeting: This setting allows administrators to use Active Directory security groups to define deployment rings when using WSUS.
- Do not connect to any Windows Update Internet locations: On PCs that are connected to a local update server, prevent any connections to outside update servers, including Microsoft Update and the Microsoft Store.
- Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates: Allows Windows Update to wake the machine and install updates; the system wakes up only if updates are available.
- Always automatically restart at the scheduled time: Use this setting to configure a timer (15 minutes to 180 minutes) and automatically restart after installing updates, rather than notifying users.
- No auto-restart with logged on users for scheduled automatic updates installations: This policy overrides the previous policy and prevents restarts when users are signed in.
Enterprise management tools
The two most popular options for bypassing Microsoft’s update servers and deploying updates from a locally managed server are described below.
Windows Server Update Services (WSUS) is the simpler of the two options. It runs as a Windows Server role and provides a central store for Windows updates within an organization. Using Group Policy, a network administrator points Windows 10 PCs to the WSUS server, which serves as the single source of downloads for the entire organization.
The second option, System Center Configuration Manager (SCCM), uses the powerful Configuration Manager for Windows, in combination with WSUS, to deploy quality and feature updates. A Windows 10 servicing dashboard lets network administrators monitor Windows 10 usage across the network and create group-based servicing plans that include information about PCs as they near their end of support life.
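The following PowerShell script is an added example, not code from the original text: it audits the registry values that the Group Policy settings listed above write, together with the WSUS settings in this section, and reports configurations that contradict the update policy described here. The registry key and value names are the standard Windows Update policy locations and are assumed, not taken from the page.

```powershell
# Added example, not code from the original text: audit the registry values that the
# Group Policy settings above write and report configurations that contradict the
# update policy described here. Assumes the standard Windows Update policy keys.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the policy is Not Configured (key or value absent).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UpdatePolicy {
    $findings = @()
    # Windows Update for Business deferrals: feature max 365 days, quality max 30 days.
    $feature = Get-PolicyValue $wu 'DeferFeatureUpdatesPeriodInDays'
    $quality = Get-PolicyValue $wu 'DeferQualityUpdatesPeriodInDays'
    if ($null -eq $feature) { $findings += 'Feature update deferral not configured; feature updates install when Microsoft releases them' }
    elseif ($feature -gt 365) { $findings += "Feature deferral of $feature days exceeds the 365-day maximum" }
    if ($null -eq $quality) { $findings += 'Quality update deferral not configured; Patch Tuesday updates install within 24 hours' }
    elseif ($quality -gt 30) { $findings += "Quality deferral of $quality days exceeds the 30-day maximum" }

    # Configure Automatic Updates: NoAutoUpdate=1 switches automatic updates off entirely.
    if ((Get-PolicyValue $au 'NoAutoUpdate') -eq 1) { $findings += 'Automatic Updates are disabled (NoAutoUpdate=1)' }

    # Specify deadline before auto-restart: valid range is 2 to 14 days.
    $deadline = Get-PolicyValue $wu 'AutoRestartDeadlinePeriodInDays'
    if ($null -ne $deadline -and ($deadline -lt 2 -or $deadline -gt 14)) {
        $findings += "Restart deadline of $deadline days is outside the 2-14 day range"
    }

    # Restart conflict: "No auto-restart with logged on users" overrides "Always automatically restart".
    if ((Get-PolicyValue $au 'AlwaysAutoRebootAtScheduledTime') -eq 1 -and
        (Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers') -eq 1) {
        $findings += 'Always-restart and no-restart-with-logged-on-users are both enabled; the latter wins'
    }

    # WSUS: a local update server should be paired with UseWUServer, client-side targeting
    # for deployment rings, and a block on Internet update locations.
    $wsus = Get-PolicyValue $wu 'WUServer'
    if ($wsus) {
        if ((Get-PolicyValue $au 'UseWUServer') -ne 1) { $findings += "WUServer is $wsus but UseWUServer is not 1; clients still use Microsoft Update" }
        if ((Get-PolicyValue $wu 'TargetGroupEnabled') -ne 1) { $findings += 'Client-side targeting is off; WSUS deployment rings will not apply' }
        if ((Get-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations') -ne 1) { $findings += 'Internet update locations are not blocked; PCs can still reach Microsoft Update' }
    }
    return $findings
}

Test-UpdatePolicy | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it in an elevated PowerShell session on a managed PC after a `gpupdate /force`; an empty result means every check above passed, not that the policy is complete.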