Blog Post

Windows IT Pro Blog
11 MIN READ

Why you shouldn’t set these 25 Windows policies

AriaUpdated's avatar
AriaUpdated
Icon for Microsoft rankMicrosoft
Jan 19, 2022

The Windows update experience, as well as the policies that control it, have changed dramatically over the last few years. Notifications, the ability to dictate the behavior of update downloads, installation, and restarts, and the Settings experience have all shifted dramatically from what was released in Windows 10, version 1511. We have invested in building the best experience possible for end users – adding capabilities like active hours to enable a device to automatically restart when the end user is away and changing our notifications to include information like restart time estimates so that end users can decide to restart immediately or at a later, more convenient time.

We have listened to your feedback and learned a lot about which experiences work and which don't. We have also worked to evolve and simplify the controls needed to support these improved experiences, and identify which older policies have become irrelevant or replaced with a better option. As a result, the Windows update policy set contains policies that no longer have any impact; that don’t work as described on devices running Windows 10, version 20H2 or later; or that work but not as well as the policies that were added to accomplish a similar experience in a much better way.

To reduce that complexity, with Windows 11 we created a sub-folder under “Windows Update” to specify “Legacy Policies.” While these sub-folders are only available in the Windows 11 ADMX templates, the same recommendations can be made for Windows 10, version 20H2 and above. Therefore, we recommend that you review your policy settings and leverage only the recommended policy set.

To help you figure out which policies to stop setting and which to use instead, please leverage the below list. In it, you will find which policies are not recommended, why they are not recommended, and how to get the same or similar behavior with either default settings or recommended policies.

Policies not to set

Group Policy path: […]/Administrative Templates/Windows Components/ Windows Updates/Legacy Policies

 

Policy

Description

Why not to set it and what to use instead

GP name:
Do not display ‘Install Updates and Shut Down” option in Shut Down Windows dialog box

GP setting name: n/a

CSP name: No equivalent

Enable this policy to not show the “install updates and shut down”

This policy was never implemented on Windows 10 and will have no effect if set on Windows 10 or Windows 11.

GP name:
Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box

GP setting name: n/a

CSP name: No equivalent

Enable this policy so that the users last shut down choice is the default rather than the “install updates and shut down” option being default

This policy was never implemented on Windows 10 and will have no effect if set on Windows 10 or Windows 11.

GP name:
Specify deadline before auto-restart for update installation

GP setting names:
Quality Updates, Feature Updates

CSP names:
Update/AutoRestartDeadlinePeriodInDays
Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates

Specify the deadline in days before a pending restart will automatically be executed outside of active hours

GP recommendation:
Leverage the compliance deadline policies instead. To do so, go to “Specify deadlines for automatic updates and restarts” policy, configure deadlines, and then select "Don‘t auto-restart until end of grace period" to ensure your devices will not automatically restart outside of active hours until after the deadline is reached.

Policy to use instead:

Specify deadlines for automatic updates and restarts > Don’t auto-restart until end of grace period

CSP recommendation:
Leverage the compliance deadline policies instead. By configuring "NoAutoReboot" your devices will not automatically restart outside of active hours until after the deadline is reached.

Policies to use instead:

Update/ConfigureDeadlineForQualityUpdates

Update/ConfigureDeadlineGracePeriod

Update/ConfigureDeadlineNoAutoReboot


Note: If the end user selects "restart tonight", we will automatically restart the device outside of active hours from that point on.

GP name:
Delay Restart for scheduled installations

GP setting name: n/a

CSP name: No equivalent

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.

If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

This policy was never implemented on Windows 10 and will have no effect if set on Windows 10 or Windows 11.

GP name:
Configure auto-restart reminder notifications for updates

GP setting name: n/a

CSP name:
Update/AutoRestartNotificationSchedule

Enable this policy to specify when auto-restart reminders are displayed. You can specify the amount of time prior to a scheduled restart to notify the user.

This policy only works with the automatic updates schedule install time, day, week or if auto-restart deadline is configured and compliance deadline is not configured. These notifications are shown before the deadline is reached.

GP and CSP recommendation:
Utilize compliance deadline instead and the default notification flow to ensure that end users are properly notified prior to a restart occurring.

GP name:
Configure auto-restart required notification for updates

GP setting name: n/a

CSP name:
Update/AutoRestartRequiredNotificationDismissal

Enable this policy to specify how a notification is dismissed (auto – after 25 sec, default OR user action)

This policy is not supported in code for Windows 10 or Windows 11. Configuring it will have no effect.

GP and CSP recommendation:
Our notification flow will involve both automatically dismissed notifications as well as notifications that will require the end user to interact, assuming you are leveraging the compliance deadline policy.

GP name:
Turn off auto-restart notifications for update installations

GP setting name: n/a

CSP name:
Update/SetAutoRestartNotificationDisable

Can disable auto-restart notifications for update installations.

- 0: Enabled [default]

- 1: Disable notifications

The default notification experience is designed to balance the impact of updates while giving users a good experience. Disabling notifications may lead to end user dissatisfaction. We only recommend turning off notifications for kiosk or user-less scenarios. In such scenarios, you can disable notifications by:

CSP recommendation:
If you wish to disable restart notifications, including restart reminder and warning notifications, please utilize the Update/UpdateNotificationLevel policy instead.

GP recommendation:
If you wish to disable restart notifications, including restart reminder and warning notifications, please utilize the "Display options for update notifications" policy instead.

GP name:
Allow non-administrators to receive update notifications

GP setting name: n/a

CSP name: No equivalent

Enables admin to control whether non-admins receive notifications based on configure automatic updates setting.

This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect.

GP recommendation:
By default, end users will receive update notifications. 

GP name: Specify Engaged restart transition and notification schedule for updates

 

GP setting names:
For quality updates: Transition (days), Snooze (days), Deadline (days)

For feature updates: Transition (days), Snooze (days), Deadline (days)

CSP names:
For quality updates:
Update/EngagedRestartDeadline 
Update/EngagedRestartSnoozeSchedule
Update/EngagedRestartTransitionSchedule

For feature updates: Update/EngagedRestartDeadlineForFeatureUpdates 
Update/EngagedRestartSnoozeScheduleForFeatureUpdates 
Update/EngagedRestartTransitionScheduleForFeatureUpdates

Enable this policy to configure Transition (the amount of time before going from auto-restart to engaged restart), Snooze (the amount of engaged notifications the end user can snooze), Deadline (the time before a pending reboot will be automatically executed outside of active hours)

CSP recommendation:
Leverage the compliance deadline policies instead. These policies better allow you to ensure updates are completed within your compliance window while providing a much better experience for your end users.

Policies to use instead:

Update/ConfigureDeadlineForQualityUpdates

Update/ConfigureDeadlineGracePeriod


If you wish to prevent automatic restarts outside of active hours when the device is plugged in and the user is away until after the deadline has been reached, you can configure:

Update/ConfigureDeadlineNoAutoReboot

GP recommendation:
Leverage the compliance deadline policies instead. These policies better allow you to ensure updates are completed within your compliance window while providing a much better experience for your end users.

Policy to use instead:
Specify deadlines for automatic updates and restarts

If you wish to prevent automatic restarts outside of active hours when the device is plugged in and the user is away until after the deadline has been reached, you can configure: "Turn off auto-restart for updates during active hours" within the above policy.

GP name:
Turn on Software Notifications

GP setting name: n/a

CSP name: No equivalent

Control whether users see detailed enhanced notification messages

This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect. 

GP name:
Allow Automatic Updates immediate installation

GP setting name: n/a

CSP name: No equivalent

Specify if updates that don’t cause a restart are automatically installed.

This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect.

GP and CSP recommendation:
By default updates will be automatically installed.

 

GP name:
Re-prompt for restart with scheduled installations

GP setting name: n/a

CSP name: No equivalent

If Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.

This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect.

GP name:
Reschedule Automatic Updates scheduled installations

GP setting name:
Wait after system startup (minutes): [1, 60]

CSP name: No equivalent

Amount of time after a system startup that a scheduled install occurs when missed previously

This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect.

GP name: Configure auto-restart warning notifications schedule for updates

GP setting name: n/a

CSP names:
Update/ScheduleImminentRestartWarning
Update/ScheduleRestartWarning

 

Specify the number of hours before a restart to notify the end user.

This policy only works on Windows 10 if the GP: "Specify deadline before auto-restart for update installation" or the CSP: Update/AutoRestartDeadlinePeriodInDays / Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates is configured.

GP and CSP recommendation:
Leverage the default notification flow that comes with compliance deadline.

GP name:
No auto-restart with logged on users for scheduled automatic updates installation

GP setting name: n/a

CSP name: No equivalent

Do not automatically restart with the user logged on

This policy was never created as a CSP. In Group Policy this policy does not work exactly as per description. Further, this policy can result in no quality update reboots period, given many users today never log off.

GP recommendation:
The recommendation to replace this would be to leverage compliance deadline and then to configure no-auto reboot to prevent non-user aware reboots prior to the deadline being reached. Or for server devices, leverage Configure Automatic Updates options 7 - notify to install and notify to reboot.

GP name:
Select when Feature Updates are received

GP setting name: n/a

CSP name:
Update/PauseFeatureUpdates

Pause updates for 60 days or until set back to 0.

GP and CSP recommendation:
This policy was replaced back in 1703. To pause updates, utilize the Update/PauseFeatureUpdatesStartTime and/or Update/PauseQualityUpdatesStartTime policy.

GP name:
Defer Upgrades and Updates

GP setting name: n/a

CSP name:
Update/DeferUpdatePeriod

Defer quality updates for up to 4 weeks (0-4 weeks).

GP and CSP recommendation:
This policy was replaced back in 1607. To defer quality updates, utilize

Update/DeferQualityUpdatesPeriodInDays or GPS: Select when Quality Updates are received.

GP name:
Defer Upgrades and Updates

GP setting name: n/a

CSP name:
Update/DeferUpgradePeriod

Defer feature updates for up to 8 months (0-8 months).

GP and CSP recommendation:
This policy was replaced back in 1607. To defer feature updates, utilize

Update/DeferFeatureUpdatesPeriodInDays or GPS: Select when Preview Builds and Feature Updates are received.

GP name:
Select when Feature Updates are received

GP setting name: n/a

CSP name: Update/RequireDeferUpgrade

Allows admins to stay on the Semi-Annual Channel 

CSP recommendation:
This policy was replaced back in 1607. To defer feature updates, utilize Update/DeferFeatureUpdatesPeriodInDays

GP name:
Turn on recommended updates via Automatic Updates

GP setting name: n/a

CSP name: No equivalent

Specify whether Automatic updates will deliver both important and recommended updates from Windows Update

This policy has never been supported via CSP and was not implemented on Windows 10 or Windows 11 for Group Policy. Setting it on such will have no effect.

GP name: No equivalent

GP setting name: n/a

CSP name:
Update/RequireUpdateApproval

Admins can restrict what updates are installed to only those on the approval list.

- 0: Device installs all applicable updates [default]

- 1: Device only installs updates that are on the approved update list

CSP recommendation:
This policy is only recommended for mobile devices. Using this policy for other device types can result in a poor experience and is not supported on Windows 10 or Windows 11.

GP name: No equivalent

GP setting name: n/a

CSP name:
Update/PhoneUpdateRestrictions

 

Deprecated already, replaced with Require Update Approval - which is now also being deprecated.

GP name:
Do not allow update deferral policies to cause scans against Windows Update

GP setting name: n/a

CSP name:
Update/DisableDualScan

Enable this policy to not allow update deferral policies to cause scans against Windows Update.

This policy works on Windows 10, but is not supported and will have no effect on Windows 11 devices. We recommend using the new scan source policy instead.

CSP recommendation:
For Windows 10, version 2004 and above and Windows 11 leverage the policies:

Update/SetPolicyDrivenUpdateSourceForDriverUpdates;

Update/SetPolicyDrivenUpdateSourceForFeatureUpdates;

Update/SetPolicyDrivenUpdateSourceForOtherUpdates;

Update/SetPolicyDrivenUpdateSourceForQualityUpdates

To configure whether updates come from Windows Update or Windows Server Update Services (WSUS).

GP recommendation:
For Windows 10, version 2004 and above and Windows 11 leverage the policy “Specify source service for specific classes of Windows Updates” policy. This will enable you to specify whether specific update classes (Feature updates, quality updates, driver and firmware updates, and other updates) individually come from WSUS or Windows Update.

GP name:
Update Power Policy for Cart Restarts

GP setting name: n/a

CSP name:
Update/SetEDURestart

Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.

When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart.

This policy will work on Windows 10; However, it will dramatically reduce compliance and the velocity at which the device takes updates.

GP and CSP recommendation:
We recommend leveraging the default settings with Active Hours instead.

After reading all of this you may be wondering – what is recommended? At the end of the day, it is best to leverage the default experience. Not only do defaults provide the best experience, they are also the most effective at keeping devices up to date. For organizations with security mandates that require being on a specific version within a certain timeframe, the only policies needed for a client device that is being used as a 1:1 personal computer are offering policies (e.g. the new Windows Update for Business Deployment Service controls or deferrals) and deadlines. That’s it! The rest of the policies are simply there to enable you to tailor that experience to the needs of your organization, to help you manage other device types, or to support other device usage scenarios.

Questions? Comments! Reach out to me here on the Tech Community or at @AriaUpdated on Twitter. Thank you for helping provide your end users with a better update experience.

 

Updated Jul 14, 2022
Version 4.0