Hi AriaUpdated, yesterday I had a customer who spared the time to work through your epic guidance, and we had to make a lot of changes to their baseline. They are still using WSUS, well, a modernized form with WAM, not saving updates locally anymore and leveraging DO. However, at the end of the day we noticed two things:
1. Turn off auto-restart notifications for update installations - there seems to be a missing text after the highlighted sentence, can you confirm this?
AriaUpdated wrote:
GP name: Turn off auto-restart notifications for update installations
GP setting name: n/a
CSP name: Update/SetAutoRestartNotificationDisable

Can disable auto-restart notifications for update installations.
- 0: Enabled [default]
- 1: Disable notifications

The default notification experience is designed to balance the impact of updates while giving users a good experience. Disabling notifications may lead to end user dissatisfaction. We only recommend turning off notifications for kiosk or user-less scenarios. In such scenarios, you can disable notifications by:

CSP recommendation: If you wish to disable restart notifications, including restart reminder and warning notifications, please utilize the Update/UpdateNotificationLevel policy instead.

GP recommendation: If you wish to disable restart notifications, including restart reminder and warning notifications, please utilize the "Display options for update notifications" policy instead.
2. Ultimately we followed all advice, but at the end of the day we could not leverage the whole set as we had one logic conflict; maybe you can help here.
Scenario:
customer only has Windows Server 2019 (1809) or later
customer uses WSUS with DO
We have applied pretty much everything from this guide.
We (the customer and I) hesitate to leverage the recommended compliance deadline policies.
Reason: It's not clear when installations will happen.
Currently we use a day- and time-based schedule to orchestrate server updates. From the description, using automatic download and install based on a specific week, day and time does conflict with the compliance deadline policies.
Q: How can we ensure that servers will only install and reboot outside set work hours, which include work hours and backup, so we have a backup before installing updates?
Q: How can we ensure that servers that have a spare will not restart at the same time, e.g. all Domain Controllers or Citrix Infrastructure Servers or SQL Servers?
Q: If we set a deferral of 20 days for quality updates, it seems clear for B week updates, but what happens to C and D updates? Are they also delayed by 20 days?
Q: What happens if a B week update got revoked and re-released? How does that correlate with the deferral?
Thanks for your help! I believe this is a common scenario.