Microsoft Security Baselines Blog

Windows Update Baseline joins the Security Compliance Toolkit

Rick_Munck
Microsoft
Jan 26, 2021

 

We are excited to announce that the Update Baseline is now part of the Security Compliance Toolkit! The Update Baseline is a new security baseline that helps ensure devices on your network get the latest Windows security updates on time, while providing a good end user experience throughout the update process.

The Update Baseline covers Windows Update policies as well as some additional Power and Delivery Optimization policies that improve the update process and help devices stay secure.

Why do I need the Update Baseline?

We recommend using the Update Baseline to improve your patch compliance and keep devices on your network up to date and secure. The Update Baseline is Microsoft's set of recommended policy configurations for Windows Update, designed to ensure devices on your network receive the monthly security update in a timely manner. Devices configured with the Update Baseline reach an average compliance rate of 80-90% within 28 days.

 

What is included in the Update Baseline?

For Windows Update policies, the Update Baseline ensures:

  • Deadlines are set. Deadlines are the most powerful tool in the IT administrator's arsenal for ensuring devices get updated on time.
  • Updates are downloaded and installed in the background without disturbing end users. This also removes bottlenecks from the update process.
  • A good end user experience. Users don't have to approve updates, but they are notified when an update requires a restart.
  • Low-activity devices (which tend to be among the hardest to update) are accommodated, to give the best possible user experience while still meeting compliance goals.

 

 

 

Learn more about common policy configuration mistakes when managing Windows updates, and what you can do to avoid them, to improve update adoption and provide a good user experience.
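The policies listed above, and the configuration mistakes that undermine them, all land as registry values under HKLM\SOFTWARE\Policies on the client. The following script is an added example (it is not code from this post or from the Security Compliance Toolkit): it reads those values from a device and reports the configurations that work against deadline-driven updating (no deadline, Automatic Updates disabled, pauses and deferrals, WSUS scope, legacy restart policies, notifications switched off), and also covers the "subset of updates" checks discussed in the comments below (drivers, other Microsoft products, WSUS). The value names are the ones the corresponding Windows Update, Delivery Optimization and Power ADMX policies write; the sample snapshot at the bottom is constructed for demonstration, not taken from a real device.

```powershell
# Added example; not code from the post or the Security Compliance Toolkit.
# Audits the Windows Update / Delivery Optimization / Power policy registry values
# on a client and reports settings that work against deadline-driven updating.

function Get-WuPolicySnapshot {
    # Flatten the relevant policy keys into one hashtable keyed "Area\ValueName".
    $keys = [ordered]@{
        WU    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        AU    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
        DO    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        # Power setting GUID for "Allow standby states (S1-S3) when sleeping"
        Sleep = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
    }
    $snap = @{}
    foreach ($area in $keys.Keys) {
        $item = Get-ItemProperty -Path $keys[$area] -ErrorAction SilentlyContinue
        if (-not $item) { continue }                 # key absent: nothing configured there
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $snap["$area\$($p.Name)"] = $p.Value }
        }
    }
    return $snap
}

function Test-WuPolicySnapshot {
    param([Parameter(Mandatory)][hashtable]$Snap)
    $f = New-Object System.Collections.Generic.List[string]

    # Deadlines are the lever the baseline depends on; without one, restarts wait for the user.
    if (-not $Snap.ContainsKey('WU\ConfigureDeadlineForQualityUpdates')) {
        $f.Add('No quality-update deadline configured')
    } else {
        $grace = if ($Snap.ContainsKey('WU\ConfigureDeadlineGracePeriod')) { $Snap['WU\ConfigureDeadlineGracePeriod'] } else { 'default' }
        $f.Add("Quality-update deadline: $($Snap['WU\ConfigureDeadlineForQualityUpdates']) days, grace period: $grace days")
        if ($Snap['WU\ConfigureDeadlineNoAutoReboot'] -eq 1) {
            $f.Add('Note: "Don''t auto-restart until end of grace period" is on; the restart is held until the grace period ends')
        }
    }
    # Settings that stop updates from being offered at all, so the deadline never starts.
    if ($Snap['AU\NoAutoUpdate'] -eq 1) { $f.Add('Automatic Updates disabled by policy; deadlines cannot take effect') }
    if ($Snap['WU\PauseQualityUpdatesStartTime']) {
        $f.Add("Quality updates paused since $($Snap['WU\PauseQualityUpdatesStartTime'])")
    }
    if ([int]$Snap['WU\DeferQualityUpdatesPeriodInDays'] -gt 0) {
        $f.Add("Quality updates deferred $($Snap['WU\DeferQualityUpdatesPeriodInDays']) days")
    }
    if ($Snap['AU\UseWUServer'] -eq 1) {
        $f.Add("Scanning WSUS at $($Snap['WU\WUServer']); only updates approved there are subject to the deadline")
    }
    # Legacy restart and notification policies that compete with the deadline experience.
    if ($Snap['AU\NoAutoRebootWithLoggedOnUsers'] -eq 1) {
        $f.Add('Legacy "No auto-restart with logged on users" policy is set; review it against the deadline behaviour')
    }
    if ($Snap['WU\SetAutoRestartNotificationDisable'] -eq 1) {
        $f.Add('Restart notifications are turned off; users get no warning before a deadline restart')
    }
    # Scope of what is delivered (relevant when only a subset of updates is wanted).
    if ($Snap['WU\ExcludeWUDriversInQualityUpdate'] -eq 1) { $f.Add('Drivers excluded from quality updates') }
    if ($Snap['AU\AllowMUUpdateService'] -eq 1) { $f.Add('Updates for other Microsoft products included') }
    # Delivery Optimization mode 0 (HTTP only) or 100 (bypass) means no peer-to-peer download.
    if ($Snap.ContainsKey('DO\DODownloadMode') -and $Snap['DO\DODownloadMode'] -in 0, 100) {
        $f.Add("Delivery Optimization download mode $($Snap['DO\DODownloadMode']): peer caching off")
    }
    if ($Snap['Sleep\ACSettingIndex'] -eq 0) {
        $f.Add('S1-S3 standby disallowed when plugged in (the BitLocker baseline value; the Update Baseline sets this differently, see the comments)')
    }
    return $f.ToArray()
}

# Constructed sample snapshot (not from a real device): a deadline that is undermined
# by a pause and a legacy restart policy. On a managed client use Get-WuPolicySnapshot instead.
$sample = @{
    'WU\ConfigureDeadlineForQualityUpdates' = 3
    'WU\ConfigureDeadlineGracePeriod'       = 2
    'WU\PauseQualityUpdatesStartTime'       = '2021-01-20T00:00:00Z'
    'AU\NoAutoRebootWithLoggedOnUsers'      = 1
    'DO\DODownloadMode'                     = 100
}
Test-WuPolicySnapshot -Snap $sample | ForEach-Object { "- $_" }
# On a client:  Test-WuPolicySnapshot -Snap (Get-WuPolicySnapshot)
```

Run it on a device after the GPO has applied (gpupdate /force first) and compare the findings with what you expect the baseline to enforce; a deadline that is present but sits behind a pause, a deferral or an unapproved WSUS update explains most devices that miss the 28-day window.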

 

How do I apply the Update Baseline?

If you manage your devices via Group Policy, you can apply the Update Baseline using the familiar Security Compliance Toolkit framework. With a single PowerShell command, the Update Baseline Group Policy Object (GPO) is imported into your domain and becomes visible in the Group Policy Management Console (GPMC).

The MSFT Windows Update GPO that implements the Update Baseline is added to GPMC with a single command.

You will then be able to view the Update Baseline GPO (MSFT Windows Update) in GPMC.

That's it! It's that simple.
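If you prefer to see what that single command does, or want to stage the rollout, the same import can be done with the built-in GroupPolicy module. The script below is an added example, not the toolkit's own import script: it imports the GPO backup from an extracted toolkit package, links it to a pilot OU rather than the whole domain, and reads the deadline policies back out of the GPO so they can be reviewed before a wider rollout. It assumes the package was extracted to the $BaselineRoot path and that its GPO backup (manifest.xml plus GUID-named folders) sits in a "GPOs" subfolder; the OU distinguished name is a placeholder for your environment.

```powershell
# Added example; not the Security Compliance Toolkit's own import script.
# Import the Update Baseline GPO backup, link it to a pilot OU, and review its deadlines.
#Requires -Modules GroupPolicy
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BaselineRoot = 'C:\Baselines\Update Baseline',       # assumed extract location
    [string]$GpoName      = 'MSFT Windows Update',                # GPO name shown in the post
    [string]$PilotOu      = 'OU=Update Pilot,DC=corp,DC=example'  # placeholder OU
)

$backupPath = Join-Path $BaselineRoot 'GPOs'
if (-not (Test-Path (Join-Path $backupPath 'manifest.xml'))) {
    throw "No GPO backup manifest found under '$backupPath'"
}

# Import-GPO takes the folder that holds manifest.xml; -CreateIfNeeded creates the
# target GPO if no GPO of that name exists yet in the domain.
if ($PSCmdlet.ShouldProcess($GpoName, 'Import GPO backup')) {
    $gpo = Import-GPO -BackupGpoName $GpoName -Path $backupPath -TargetName $GpoName -CreateIfNeeded
    Write-Verbose "Imported '$($gpo.DisplayName)' with id $($gpo.Id)"
}

# Link to a pilot OU first: a deadline policy forces restarts on every device under the link.
if ($PSCmdlet.ShouldProcess($PilotOu, "Link '$GpoName'")) {
    New-GPLink -Name $GpoName -Target $PilotOu -LinkEnabled Yes | Out-Null
}

# Read the deadline values straight out of the imported GPO. Get-GPRegistryValue reports
# an error when a value is absent from the GPO; either outcome is shown as "not configured".
$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$deadlineValues = 'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineForFeatureUpdates',
                  'ConfigureDeadlineGracePeriod', 'ConfigureDeadlineNoAutoReboot'
foreach ($name in $deadlineValues) {
    $setting = $null
    try { $setting = Get-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName $name -ErrorAction Stop } catch { }
    if ($setting) { '{0,-38} {1}' -f $name, $setting.Value } else { '{0,-38} (not configured)' -f $name }
}
```

Run it with -WhatIf first to see the import and link it would perform (with -WhatIf the import is skipped, so the deadline read-out only reflects a GPO that already exists). Once the values look right on the pilot OU, link the GPO more widely.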

 

Other cool tidbits

The Update Baseline will continue to be updated and improved as needed, and a Microsoft Endpoint Manager solution to apply the Update Baseline is coming soon! Let us know your thoughts and leave a comment below.


15 Comments

  • CaseyS
    Copper Contributor

    I'd recommend checking the "Don't auto-restart until end of grace period" under:

    Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts

    The reasoning is, the updates apply and the end user receives a notice that their organization requires a restart in x days to apply the updates. The user interprets this as meaning they have x days before they'll need to restart. Not so. When the active hours expire, the PC reboots. Users may lose data if they weren't expecting a reboot. Or, change the notification to say the PC will reboot any time today after x (end of active hours) if the user is inactive/idle.

  • Kay_Toma
    Iron Contributor

    Hi Rene_kierstein,

    The current solution that is out is for GPO. We are working on an Intune solution to come this year. 🙂

    For your second question: how can we adjust the baseline if a company only wants to deploy a subset of available updates (such as security updates)? The majority of policies that are configured in the Update Baseline are around user experience (e.g. notifications, access to features, etc.), which is applicable to any type of update you are deploying to devices. To ensure your devices only get specific updates (for the sake of this example I will use security updates as the only type of update you are looking to deploy), I would check the following:

    • Make sure all drivers and Microsoft product updates are turned off
      • "Do not include drivers with Windows Updates" - Set this to Enabled.
      • "Configure Automatic Updates" - Make sure "Install updates for other Microsoft products" is not selected.
    • If you are not deploying Feature Updates via Windows Update, is your device configured to connect to a WSUS server?
      • "Specify intranet Microsoft update service location."
    • I'd also double check Deadlines/offering policies (such as deferrals and pause) which also affect when the Feature Update vs Quality Updates are offered.
  • Rene_kierstein
    Copper Contributor

    Regarding the Endpoint Manager solution:

    • Will it be a GPO-managed solution or an Endpoint Manager baseline?
    • Can you share your thoughts on how to control the baseline if a company has decided to deploy only a subset of available updates?
      • e.g. only security updates

    Looking forward to seeing the final work.

    Regards

  • Kay_Toma
    Iron Contributor

    Alex Entringer, great callouts! Both of your statements are correct.

    Thanks for your feedback. The Update Baseline is meant for admins really focused specifically on update velocity and calling the potential of policies for that goal. We know not everyone uses the BitLocker GPO, just like not everyone uses the Update Baseline, so, like you said, it's based on the needs of each unique organization.

    Yes, we absolutely recommend that default is best (i.e. leaving policies as 'Not Configured' or enforcing the same state as 'Not Configured'). The purpose of the Update Baseline was to help admins clean up their misconfigured policies and get to a known good state. Hence the policy configurations mirror the default experience of when the policies are left as 'Not Configured.'

  • Alex Entringer
    Copper Contributor

    Rick_Munck Wouldn't the 'Allow standby states (S1-S3) when sleeping (on battery)' and 'Allow standby states (S1-S3) when sleeping (plugged in)' directly conflict with the intended values from the BitLocker baseline policy (referencing the latest 'MSFT Windows 10 20H2 - BitLocker', but they have been recommended that way for many baselines now)? Perhaps the intention is that if one is using BitLocker, we favor those settings, but if the Update Baseline is intended to be used in tandem with the other baselines, it just seems a little bit odd that we would have conflicting settings.

    In addition, aren't a number of the configured settings functionally enforcing defaults? I am assuming that is probably fully intentional, as perhaps the team believes these are settings that would be misconfigured by an unaware admin, but as there has been a push in the recent past to reduce the number of unnecessarily configured settings (meaning we are enforcing the same state as 'Not Configured'), I just wanted to double check.