The Windows update experience, as well as the policies that control it, have changed dramatically over the last few years. Notifications, the ability to dictate the behavior of update downloads, installation, and restarts, and the Settings experience have all shifted dramatically from what was released in Windows 10, version 1511. We have invested in building the best experience possible for end users – adding capabilities like active hours to enable a device to automatically restart when the end user is away and changing our notifications to include information like restart time estimates so that end users can decide to restart immediately or at a later, more convenient time.
We have listened to your feedback and learned a lot about which experiences work and which don't. We have also worked to evolve and simplify the controls needed to support these improved experiences, and identify which older policies have become irrelevant or replaced with a better option. As a result, the Windows update policy set contains policies that no longer have any impact; that don’t work as described on devices running Windows 10, version 20H2 or later; or that work but not as well as the policies that were added to accomplish a similar experience in a much better way.
To reduce that complexity, with Windows 11 we created a sub-folder under “Windows Update” to specify “Legacy Policies.” While these sub-folders are only available in the Windows 11 ADMX templates, the same recommendations can be made for Windows 10, version 20H2 and above. Therefore, we recommend that you review your policy settings and leverage only the recommended policy set.
To help you figure out which policies to stop setting and which to use instead, please leverage the below list. In it, you will find which policies are not recommended, why they are not recommended, and how to get the same or similar behavior with either default settings or recommended policies.
Policies not to set
Group Policy path: […]/Administrative Templates/Windows Components/ Windows Updates/Legacy Policies
Policy |
Description |
Why not to set it and what to use instead |
GP name: GP setting name: n/a CSP name: No equivalent |
Enable this policy to not show the “install updates and shut down” |
This policy was never implemented on Windows 10 and will have no effect if set on Windows 10 or Windows 11. |
GP name: GP setting name: n/a CSP name: No equivalent |
Enable this policy so that the users last shut down choice is the default rather than the “install updates and shut down” option being default |
This policy was never implemented on Windows 10 and will have no effect if set on Windows 10 or Windows 11. |
GP name: GP setting names: CSP names: |
Specify the deadline in days before a pending restart will automatically be executed outside of active hours |
GP recommendation: Policy to use instead: Specify deadlines for automatic updates and restarts > Don’t auto-restart until end of grace period CSP recommendation: Policies to use instead: Update/ConfigureDeadlineForQualityUpdates Update/ConfigureDeadlineGracePeriod Update/ConfigureDeadlineNoAutoReboot
|
GP name: GP setting name: n/a CSP name: No equivalent |
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default wait time is 15 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
This policy was never implemented on Windows 10 and will have no effect if set on Windows 10 or Windows 11. |
GP name: GP setting name: n/a CSP name: |
Enable this policy to specify when auto-restart reminders are displayed. You can specify the amount of time prior to a scheduled restart to notify the user. |
This policy only works with the automatic updates schedule install time, day, week or if auto-restart deadline is configured and compliance deadline is not configured. These notifications are shown before the deadline is reached. GP and CSP recommendation: |
GP name: GP setting name: n/a |
Enable this policy to specify how a notification is dismissed (auto – after 25 sec, default OR user action) |
This policy is not supported in code for Windows 10 or Windows 11. Configuring it will have no effect. GP and CSP recommendation: |
GP name: GP setting name: n/a CSP name: |
Can disable auto-restart notifications for update installations. - 0: Enabled [default] - 1: Disable notifications |
The default notification experience is designed to balance the impact of updates while giving users a good experience. Disabling notifications may lead to end user dissatisfaction. We only recommend turning off notifications for kiosk or user-less scenarios. In such scenarios, you can disable notifications by: CSP recommendation: GP recommendation: |
GP name: GP setting name: n/a CSP name: No equivalent |
Enables admin to control whether non-admins receive notifications based on configure automatic updates setting. |
This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. GP recommendation: |
GP name: Specify Engaged restart transition and notification schedule for updates
GP setting names: For feature updates: Transition (days), Snooze (days), Deadline (days) CSP names: For feature updates: Update/EngagedRestartDeadlineForFeatureUpdates |
Enable this policy to configure Transition (the amount of time before going from auto-restart to engaged restart), Snooze (the amount of engaged notifications the end user can snooze), Deadline (the time before a pending reboot will be automatically executed outside of active hours) |
CSP recommendation: Policies to use instead: Update/ConfigureDeadlineForQualityUpdates Update/ConfigureDeadlineGracePeriod
Update/ConfigureDeadlineNoAutoReboot GP recommendation: Policy to use instead: If you wish to prevent automatic restarts outside of active hours when the device is plugged in and the user is away until after the deadline has been reached, you can configure: "Turn off auto-restart for updates during active hours" within the above policy. |
GP name: GP setting name: n/a CSP name: No equivalent |
Control whether users see detailed enhanced notification messages |
This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. |
GP name: GP setting name: n/a CSP name: No equivalent |
Specify if updates that don’t cause a restart are automatically installed. |
This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. GP and CSP recommendation:
|
GP name: GP setting name: n/a CSP name: No equivalent |
If Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed. |
This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. |
GP name: GP setting name: CSP name: No equivalent |
Amount of time after a system startup that a scheduled install occurs when missed previously |
This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. |
GP name: Configure auto-restart warning notifications schedule for updates GP setting name: n/a CSP names:
|
Specify the number of hours before a restart to notify the end user. |
This policy only works on Windows 10 if the GP: "Specify deadline before auto-restart for update installation" or the CSP: Update/AutoRestartDeadlinePeriodInDays / Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates is configured. GP and CSP recommendation: |
GP name: GP setting name: n/a CSP name: No equivalent |
Do not automatically restart with the user logged on |
This policy was never created as a CSP. In Group Policy this policy does not work exactly as per description. Further, this policy can result in no quality update reboots period, given many users today never log off. GP recommendation: |
GP name: GP setting name: n/a CSP name: |
Pause updates for 60 days or until set back to 0. |
GP and CSP recommendation: |
GP name: GP setting name: n/a CSP name: |
Defer quality updates for up to 4 weeks (0-4 weeks). |
GP and CSP recommendation: Update/DeferQualityUpdatesPeriodInDays or GPS: Select when Quality Updates are received. |
GP name: GP setting name: n/a CSP name: |
Defer feature updates for up to 8 months (0-8 months). |
GP and CSP recommendation: Update/DeferFeatureUpdatesPeriodInDays or GPS: Select when Preview Builds and Feature Updates are received. |
GP name: GP setting name: n/a CSP name: Update/RequireDeferUpgrade |
Allows admins to stay on the Semi-Annual Channel |
CSP recommendation: |
GP name: GP setting name: n/a CSP name: No equivalent |
Specify whether Automatic updates will deliver both important and recommended updates from Windows Update |
This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. |
GP name: No equivalent GP setting name: n/a CSP name: |
Admins can restrict what updates are installed to only those on the approval list. - 0: Device installs all applicable updates [default] - 1: Device only installs updates that are on the approved update list |
CSP recommendation: |
GP name: No equivalent GP setting name: n/a CSP name: |
|
Deprecated already, replaced with Require Update Approval - which is now also being deprecated. |
GP name: GP setting name: n/a CSP name: |
Enable this policy to not allow update deferral policies to cause scans against Windows Update. |
This policy works on Windows 10, but is not supported and will have no effect on Windows 11 devices. We recommend using the new scan source policy instead. CSP recommendation: Update/SetPolicyDrivenUpdateSourceForDriverUpdates; Update/SetPolicyDrivenUpdateSourceForFeatureUpdates; Update/SetPolicyDrivenUpdateSourceForOtherUpdates; Update/SetPolicyDrivenUpdateSourceForQualityUpdates To configure whether updates come from Windows Update or Windows Server Update Services (WSUS). GP recommendation: |
GP name: GP setting name: n/a CSP name: |
Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. |
This policy will work on Windows 10; However, it will dramatically reduce compliance and the velocity at which the device takes updates. GP and CSP recommendation: |
After reading all of this you may be wondering – what is recommended? At the end of the day, it is best to leverage the default experience. Not only do defaults provide the best experience, they are also the most effective at keeping devices up to date. For organizations with security mandates that require being on a specific version within a certain timeframe, the only policies needed for a client device that is being used as a 1:1 personal computer are offering policies (e.g. the new Windows Update for Business Deployment Service controls or deferrals) and deadlines. That’s it! The rest of the policies are simply there to enable you to tailor that experience to the needs of your organization, to help you manage other device types, or to support other device usage scenarios.
Questions? Comments! Reach out to me here on the Tech Community or at @AriaUpdated on Twitter. Thank you for helping provide your end users with a better update experience.