Microsoft shares useful Group Policy guide to make the best out of Windows Updates

Group policy editor

Microsoft has shared a helpful reference for organizations to setup the appropriate group policy settings for a wide range of devices. These include:

  • Single-user or personal devices

  • Multi-user devices

  • Education devices

  • Kiosks and billboards

  • Factory machines, rollercoasters, and similar things

  • Microsoft Teams Rooms devices

The company, however, recommends default settings for most use cases. The policies discussed here can be found here: Policy CSP - Update

Managing single-user devices

Single-user devices are user-owned or corporate-owned devices used by a single person. In addition to personal computing tasks, these devices might also be used for hybrid work activities including meetings, presentations, and any number of other tasks. For any of these tasks, interruption would hinder productivity. Given that these devices are often connecting to corporate network(s) and accessing sensitive information, it is imperative they stay secure. Given that heightened need for security, there are some supported policies that should be considered.

This scenario may require:

  • Fewer disruptions during the workday or when actively using the device.
  • Device can't be taken down during meetings and/or presentations.
  • All data must be saved.
  • Want to have some level of control over their device.
  • Devices must meet a specific compliance standard.

Note: All the requirements, outside of ensuring devices meet a specific compliance standard, are achieved by the default experience.

Policy

Description

When to set it and why

GP name:
Specify deadlines for automatic updates and restarts

GP setting names:
For quality updates: Deadline (days), Grace period (days)
For feature updates: Deadline (days), Grace period (days)
CSP names:
For quality updates: ConfigureDeadlineForQualityUpdates,
ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates,
ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.

This policy is always recommended for commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.

Note: Security is paramount from our point of view, and deadlines are a great way to ensure such.

Specifying deadlines for automatic updates and restarts through policySpecifying deadlines for automatic updates and restarts through policy

Multi-user devices

Multi-user devices are shared devices that are used by multiple people over a period of time. This is a common scenario especially for devices like a HoloLens or a PC that is being used in a laboratory or library setting. For these devices, there may be a set period when they are able to be used. For example, if they are plugged in overnight in a laboratory that doesn't allow access post 12AM, you could confidently update them at that time. Additionally, you likely don't want to have the end user schedule the update as they may inconveniently schedule it during a time another user is present, which would result in a poor experience.

This scenario may require:

  • Few to no notifications during the period of use.
  • No automatic reboots during the period of use.
  • End user(s) shouldn't be able to schedule the reboot.
  • Scheduling automatic wake and reboot for a specific time.
  • Devices to stay secure and protected.

Note: Most of the above can be achieved through the default experience with no policies configured. That said, if the default experience is not meeting your needs, you can consider the following.

Policy

Description

When to set it and why

GP name:
Configure Automatic Updates

GP setting name:
Schedule install time: Daily at X time
CSP names:
AllowAutoUpdate = 3, ScheduledInstallTime

This policy enables you to manage automatic update behavior.

Schedule install time (3) restricts the device to installing at that specified time until deadline is reached.

If the policy is not configured, end-users get the default behavior (Auto install and restart). If no day and time are specified, the default is 3 AM daily.

This policy is only recommended if there is a regular specific window when the multi-user device will not be in use.

GP name:
Remove access to use all Windows Update features

GP setting name:
Not applicable
CSP name:
Update/SetDisableUXWUAccess

This policy will remove the end user’s ability to scan, download, or install from the Windows Update settings page.

This policy is only recommended if you have end users who are configuring update settings and causing update behaviors that are disrupting other users who share the device.

GP name:
Turn off auto-restart for updates during active hours

GP setting name:
Active hours: Start, End
CSP names:
ActiveHoursStart, ActiveHoursEnd

This policy enables you to specify the hours during which a device should not restart.

This overrides the default intelligent active hours, calculated on the device based on user usage.

We recommend that you simply leverage the default, built-in intelligent active hours that are calculated on the device.

That said, you can leverage this policy if you feel it necessary and if there is a set period of time during which the device is allowed to be used or during which reboots are unacceptable. For example, if this is a device in a library or a lab, and you are finding intelligent active hours not to be meeting your needs, you may want to set active hours to the working hours of that building to ensure the device doesn’t update until it is no longer in use.

GP name:
Specify deadlines for automatic updates and restarts

GP setting names:
For quality updates: Deadline (days), Grace Period (days)
For feature updates: Deadline (days), Grace Period (days)
CSP names:
For quality updates: ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.

This policy is always recommended for commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.

Note: Security is paramount from our point of view and deadlines are a great way to ensure such.

Education devices

Education devices are single user or shared devices that are leveraged by students and teachers in a school setting. This encompasses both personal devices and those that may be stored in a computer cart in the classroom for shared use. For this scenario, any form of notification may be extremely disruptive in a classroom setting.

This scenario may require:

  • No notifications during the school day.
  • No automatic reboots during the school day.
  • Devices to stay secure and protected.

Note: While not automatically rebooting during the school day can likely be achieved by the default settings, you may want to consider the following to ensure devices stay protected and to prevent notifications during the school day.

Policy

Description

When to set it and why

GP name:
Display options for update notifications

GP setting name:
Turn off notifications. Check the box for “Apply only during active hours"
CSP names:
UpdateNotificationLevel,
NoUpdateNotificationsDuringActiveHours (currently only in Active Branch)

This policy allows you to define what Windows Update notifications users see, including the ability to turn off all notifications, including restart warnings.

“Apply only during active hours” results in notifications only being turned off during active hours.

The ability to “Apply only during active hours” is new and is currently only available to devices in the Windows Insider Program for Business leveraging the Dev or Beta channels. This policy enables you to turn off Windows update notifications during active hours only. Please try out the experience in the Beta Channel and provide feedback!

For those on Windows 10 or Windows 11, version 21H2 devices, we do not recommend configuring this and instead recommend leveraging the default experience.

GP name:
Specify deadlines for automatic updates and restarts

GP setting names:
For quality updates: Deadline (days), Grace Period (days)
For feature updates: Deadline (days), Grace Period (days)
CSP names:
For quality updates: ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.

This policy is always recommended for commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.

Note: Security is paramount from our point of view and deadlines are a great way to ensure such.

GP name:
Turn off auto-restart for updates during active hours

GP setting name:
Active hours: Start, End
CSP names:
ActiveHoursStart, ActiveHoursEnd

This policy enables you to specify the hours during which a device should not restart.

This overrides the default intelligent active hours, calculated on the device based on user usage.

We recommend that you simply leverage the default, built-in intelligent active hours that are calculated on the device.

That said, you can leverage this policy if you feel it necessary and if there is a set period of time during which the device is allowed to be used or during which reboots are unacceptable. For example, if this is a device in a library or a lab, and you are finding intelligent active hours not to be meeting your needs, you may want to set active hours to the working hours of that building to ensure the device doesn’t update until it is no longer in use.


Display options for end user update notificationsDisplay options for end user update notifications

Kiosks and billboards

Kiosks are simple user interfaces that can be used without training or documentation to accomplish a specific task or get information. An example would be an automated teller machine (ATM). These devices are often left unattended for long periods of time, meaning that there is no end user there to interact with or trigger a reboot. Similarly, billboards, which convey information, are often meant to display or get interaction from the end user, but do not have an end user who is interacting with the update(s). Nevertheless, these devices need to stay secure and up to date, although without end users walking or driving by seeing “Restart now” notifications across the screen.

This scenario may require:

  • No notifications.
  • No automatic reboots during certain periods.
  • Scheduling the reboot for a specific time during low visibility/usage.
  • No end user interaction.

Note: By default, the device will automatically restart outside of active hours, after installation is complete. However, to ensure there are no notification disruptions, we recommend the following be configured.

Policy

Description

When to set it and why

GP name:
Display options for update notifications

GP setting name:
Turn off notifications
CSP names:
UpdateNotificationLevel

This policy allows you to define what Windows Update notifications users see. This includes the ability to turn off all notifications, including restart warnings.

This policy is recommended for devices that do not have active end users, where notifications can be disruptive and serve no purpose (such as kiosks and billboards).

GP name:
Configure Automatic Updates

GP setting name:
Schedule install time: Daily at X time
CSP names:
AllowAutoUpdate = 3, ScheduledInstallTime

This policy enables you to manage automatic update behavior.

Schedule install time (3) restricts the device to installing at that specified time until deadline is reached.

If the policy is not configured, the device will follow the default behavior (Auto install and restart). If no day and time are specified, the default is 3 AM daily.

This policy is available for use when there is a specific period when there is either low usage or visibility of the kiosk or billboard. That said, you can achieve a similar result through configuring Active Hours (see next line).

GP name:
Turn off auto-restart for updates during active hours

GP setting name:
Active hours: Start, End
CSP names:
ActiveHoursStart, ActiveHoursEnd

This policy enables you to specify the hours during which a device should not restart.

This overrides the default intelligent active hours, calculated on the device based on usage.

You can configure active hours to the window when the device is most likely in use or visible. This will ensure that reboots occur outside of that window when it is likely to cause less disruption.

GP name:
Specify deadlines for automatic updates and restarts

GP setting names:
For quality updates: Deadline (days), Grace Period (days)
For feature updates: Deadline (days), Grace Period (days)
CSP names:
For quality updates: ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.

This policy is always recommended for commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.

Note: Security is paramount from our point of view and deadlines are a great way to ensure such.

Factory machines, rollercoasters, and similar things

There are some devices that we often don't even think of as needing to update, unless we are the ones managing them. Machines on the factory floor, rollercoasters at amusement parks, and other critical infrastructure can all require updates. Given the criticality of these devices, it is pivotal that they stay secure, stay functional, and are not interrupted in the middle of a task. Often these are some of the devices in the final wave when rolling out an update after everything else has been validated.

This scenario may require:

  • End user initiating an update or updating at a specific time.
  • No automatic reboots – ever.

Note: This is one of the only use cases where compliance deadlines are not recommended given automatic updates are never acceptable in this scenario.

Policy

Description

When to set it and why

GP name:
Configure Automatic Updates

GP setting names:
Schedule install time: Daily at X time
OR

Notify to download / Notify to Install
CSP names:
AllowAutoUpdate = 3, ScheduledInstallTime
OR

AllowAutoUpdate = 0

This policy enables you to manage automatic update behavior.

Schedule install time (3) restricts the device to installing at that specified time until the deadline is reached.

Notify to download (0) will require the end user to take action (via notifications or the settings page) to download the update.

The schedule install policy is recommended for use when there is a specific period when the device is not in use.

Notify to download or Notify to install is only recommended in scenarios where any unexpected updates not triggered by an end user have negative consequences.

Note: If full control is needed, you can also disable automatic updates by disabling this policy the end user will have to manually kick off scans, downloads, installs, and restarts. This is only recommended in specific cases which require high touch management of updates. This puts the device at high risk of becoming insecure and missing updates.

Microsoft Teams Rooms devices

Microsoft Teams Rooms are actively managed by Microsoft “out-of-box". This enables you to have a hands-off approach where no policies are needed for Microsoft Teams Rooms to successfully stay up to date with validated updates. By default, only updates that Microsoft has validated will be offered to the device and will be automatically installed. We recommend against configuring any policies on a Microsoft Teams Rooms device, especially any offering policies, as they are likely to conflict with what the Microsoft Teams Rooms management has already put in place. These conflicts can lead to a degradation of experience. Learn more about Microsoft Teams Rooms update management.

You can find the official blog post here.

Via: ZDNet

Report a problem with article
Next Article

Warhammer 40k: Darktide drops in September, heading to PC and Xbox Series X|S

A robotic arm holding a holographic image of the Twitter logo
Previous Article

Evidence hint at TweetDeck becoming a premium Twitter Blue feature

2 Comments - Add comment

Advertisement