Common policy configuration mistakes for managing Windows updates

Published Jan 19 2021 07:58 PM 20.8K Views
Microsoft

Misconfigured policies can prevent devices from updating and negatively affect monthly patch compliance. Explore common policy configuration mistakes that can hinder update adoption and result in a poor experience for your end users—and get guidance on how to review your Windows update policies to confirm your devices are configured correctly. Alternatively, you can leverage the Update Baseline tool to automatically apply the recommended set of Windows Update policies to your devices.

Set deadlines (with a grace period)

One of the most powerful resources that IT admins can use to support patch compliance is setting deadlines. A deadline is the number of days before a device is forced to restart to ensure compliance. Deadlines provide a balance between keeping devices secure and providing a good end user experience.

Deadlines work in coordination with pause and deferral settings. For example, if you set a quality update deadline of 2 days and a quality update deferral of 7 days, users will not get offered the quality update until day 7 and the deadline will not force restart until day 9. Similarly, if you (or the end user) pause quality updates, the deadline will not kick in until after the pause has elapsed and a quality update is offered to the device. For example, if the end user pauses all updates for 7 days and the quality update deadline is set to 2 days, as soon as the pause period is over on day 7, the deadline kicks in and the device will have 2 days to download, install, and restart to complete the update.

To ensure a good user experience for devices that have been shut off for some time, as when a user of a device is on vacation, we strongly recommend setting a grace period. The grace period is a buffer that prevents deadlines from immediately forcing a restart as soon as a device is turned on.

We also recommend leveraging the default automatic restart behavior. Windows has heuristics to analyze when the user interacts with the device to find the optimal time to automatically download, install, and restart. Allowing auto-restart can therefore improve your patch compliance while maintaining a good end user experience.

We recommend the following settings for deadline policies. You can find these policies in Group Policy under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts or the CSP name listed for each policy setting below.

  • Quality updates (days): 0-7 (3 days is the recommended configuration)
    CSP name: Update/ConfigureDeadlineForFeatureUpdates
  • Feature update (days): 0-14 (7 days is the recommended configuration)
    CSP name: Update/ConfigureDeadlineForQualityUpdates
  • Grace period (days): 0-3 (2 days is the recommended configuration)
    CSP name: Update/ConfigureDeadlineGracePeriod

    Note: We strongly recommend the sum of a feature update/quality update deadline and the grace period to be no less than 2. Setting a value lower than 2 can cause a poor end user experience due to the aggressive timeline.

  • Auto-restart: Disabled is the recommended configuration.
    CSP name: Update/ConfigureDeadlineNoAutoReboot

How to set deadlines for automatic updates and restarts using Group PolicyHow to set deadlines for automatic updates and restarts using Group Policy

For more information, see Enforcing compliance deadlines for updates in Windows Update for Business.

Make sure automatic updates are set up correctly

Automatic updates are another policy where misconfigurations affect patch compliance. Within the Configure Automatic Updates policy in Group Policy (see below for the Configuration service provider (CSP) equivalent), you can define when and if to require end user interaction during the update process.

As a rule of thumb, requiring end user approval of updates negatively impacts patch compliance and success rates by a significant percentage. To simplify the update process, we therefore recommend either not configuring this policy at all or, if configured, selecting “4 – Auto download and schedule the install.” This allows the update to download and install silently in the background and only notifies the user once it is time to restart.

We also recommend setting the scheduled installation time to “Automatic,” rather than a specific time to restart, as the device will then fall back to the configured restart policies, such as active hours, to find the optimal time to schedule the restart (like when the user is away).

We strongly recommend not requiring the end user to approve updates for the smoothest update process as this can create bottlenecks in the update process. This includes avoiding configuring “2 - Notify for download and auto install” and “3 - Auto download and notify for install.”

If you do choose to use values 2 or 3, the following policy conflicts may arise and prevent updates from successfully being applied or may significantly degrade the end user experience.

  • If "Configure Automatic Updates” is set to 2 or 3 and
    "Remove access to use all Windows Update features” is set to Enabled:

    The end user will be unable to take action on Windows Update notifications and will, therefore, be unable to download or install the update before the deadline. When the deadline is reached, the update will automatically be downloaded and installed.

  • If "Configure Automatic Updates” is set to 2 or 3 and
    " Display options for update notifications” is set to (2) Disable all notifications including restart notifications:

    The end user will not see notifications and, therefore, cannot take action without going to the Windows Update Settings page. Thus, the user will be unlikely to download or install the update before the deadline at which time the device will be forced to restart without any warning.

How to configure automatic update settings using Group PolicyHow to configure automatic update settings using Group Policy

The CSP equivalent of the above recommended configurations for "Configure Automatic Updates" in Group Policy would be:

  • Update/AllowAutoUpdate = 2 (Auto install and restart. Updates are downloaded automatically and installed when the device is not in use.)
  • Update/ScheduledInstallDay = 0 (Every day)
  • Update/ScheduledInstallEveryWeek = 1
  • Or simply not configuring the policy

Ensure that devices can check for updates

Frequently, we see the policies listed in this section misconfigured during the initial setup of a device and then never revisited. If left misconfigured, they can prevent devices from updating. As a result, we recommend that you review the following policies to ensure they are configured correctly. You can find these policies in Group Policy under Computer Configuration > Administrative Templates > Windows Components > Windows Update or the Update Policy CSP listed for each policy setting below.

Do not allow update deferral policies to cause scans against Windows Update
CSP name: Update/DisableDualScan

If a device is configured to receive updates from Windows Update, including DualScan devices, make sure this policy is not set to Enabled. To clean out the policy, we recommend you set this policy to Disabled.

Specify intranet Microsoft update service location
CSP name: Update/AllowUpdateService

We see a significant number of devices unable to update due to bad Windows Server Update Services (WSUS) server addresses, often because a replacement WSUS server is provisioned with a different name. As a result, double-check to ensure that the WSUS server address is up to date. Devices that are misconfigured to ping an address that is expired or no longer in service won’t receive updates.

Additionally, scan failures can occur when devices require user proxy to scan their configured WSUS server and do not have the proper proxy policy configured. for proxy scenarios, see Scan changes and certificates add security for Windows devices using WSUS for updates.

Configure policies to ensure a good end user experience

The following policies can negatively affect your end user experience:

Remove access to “Pause updates” feature
CSP name: Update/SetDisablePauseUXAccess

Enabling this policy can benefit your monthly adoption rate, but also prevents users from pausing updates when necessary. If you have set deadlines that may cause a mandatory restart, disabling this policy will give end users the power to protect their work. For example, if a device is in the middle of a process that must run for consecutive days, the end user may want to make sure that their device is not forced to restart during the process.

Remove access to use all Windows Update features
CSP name: Update/SetDisableUXWUAccess

Leveraging this policy will remove the end user's ability to use the Windows Update Settings page. This includes their ability to check for updates or interact with notifications, and can lead to policy conflicts. Note that, if this policy is left alone, checking for updates simply prompts a scan and does not change what the user is offered if you have configured Windows Update for Business offering policies on the device.

Display options for update notifications
CSP Name: Update/UpdateNotificationLevel

We recommend this setting is configured to 0 (default). If set to 1 or 2, this setting will disable all restart warnings or all restart notifications, limiting the visibility that your end user has to an upcoming restart. This can result in restarts happening while the end user is present with no notifications due to the deadline being reached. Enabling this policy is recommended for kiosk or digital signage devices only.

Apply recommendations with the Update Baseline

To implement the recommendations outlined above, we provide the Update Baseline tool which allows you to import our full set of Windows update policy recommendations into Group Policy Management Center. The Update Baseline toolkit is currently only available for Group Policy. A Microsoft Intune solution to apply the Update Baseline is coming soon. Download the Update Baseline and review the documentation included to view and apply our full list of policy configuration recommendations.

Try out our policy recommendations for yourself to see how you can improve your patch velocity. Let us know what you think by commenting below or reaching out to me directly on Twitter @ariaupdated.

 

8 Comments
New Contributor

Great article! It's helpful to know the Microsoft recommended update settings. I also downloaded the Update Baseline tool and am evaluating the GPO recommendations. Our company is trying to move away from GPO's and to use Intune policies instead. I imported the gpreport.xml to Intune GPO Analytics, but it shows that only 55% of the settings are Intune MDM Supported. Any chance the Intune team can work on adding support for all those settings? 

Microsoft

@Ian55 actually the reason it is such a low % supported is because a lot of the things Update Baseline is setting is disabling policies or attempting to get the default behavior. Ideally, as stated in the article - you just leverage the default behavior and then only configure offering policies and deadlines. :) 

Regular Visitor

Thanks, Aria.

That's quite helpful, and you have no idea how convenient the timing is! At least the time when I found it, I'm not sure when it was written. :)

Emanuel

Occasional Contributor

Very helpful but when will we have Baseline settings for Intune? 

Regular Visitor

Thanks for this guidance.  We're making changes because of it.

 

One significant typo - the CSP name for Feature and Quality deadlines appear to be reversed

New Contributor

In our environment we have the following settings:

 

Quality Updates: 2 days

Feature Updates: 21 days

Grace Period: 7 days

Auto download and schedule install update: 6am Don't autorestart until end of grace period: enabled

 
From what I understand for Quality update, a restart is required after the automatic install at 6am which triggers the 7 days grace period to kick in.
 
For Feature updates a restart is never required. When it installs it restart, you never get a grace period but you get the 21 days of notifications from the deadline.
 
Unless in both cases you boot Windows past either deadline, you should get a grace period for both?

 

Is this correct?

 

Thank you,

Alex

Microsoft

@Alexandre Gauthier thanks for reaching out. Grace period actually applies for both feature updates and quality updates. Note, in either case when restart is pending (for a feature or quality update) the end user will have the grace period length of time to update before the deadline is forced. 

 
Microsoft

This is a detailed description of the compliance deadline behavior.This is a detailed description of the compliance deadline behavior.

%3CLINGO-SUB%20id%3D%22lingo-sub-2077328%22%20slang%3D%22en-US%22%3ECommon%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2077328%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EMisconfigured%20policies%20can%20prevent%20devices%20from%20updating%20and%20negatively%20affect%20monthly%20patch%20compliance.%20Explore%20common%20policy%20configuration%20mistakes%20that%20can%20hinder%20update%20adoption%20and%20result%20in%20a%20poor%20experience%20for%20your%20end%20users%E2%80%94and%20get%20guidance%20on%20how%20to%20review%20your%20Windows%20update%20policies%20to%20confirm%20your%20devices%20are%20configured%20correctly.%20Alternatively%2C%20you%20can%20leverage%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fupdate%2Fupdate-baseline%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpdate%20Baseline%3C%2FA%3E%20tool%20to%20automatically%20apply%20the%20recommended%20set%20of%20Windows%20Update%20policies%20to%20your%20devices.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%20id%3D%22toc-hId--550915693%22%3ESet%20deadlines%20(with%20a%20grace%20period)%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EOne%20of%20the%20most%20powerful%20resources%20that%20IT%20admins%20can%20use%20to%20support%20patch%20compliance%20is%20setting%20deadlines.%20A%20deadline%20is%20the%20number%20of%20days%20before%20a%20device%20is%20forced%20to%20restart%20to%20ensure%20compliance.%20Deadlines%20provide%20a%20balance%20between%20keeping%20devices%20secure%20and%20providing%20a%20good%20end%20user%20experience.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EDeadlines%20work%20in%20coordination%20with%20pause%20and%20deferral%20settings.%20For%20example%2C%20if%20you%20set%20a%20quality%20update%20deadline%20of%202%20days%20and%20a%20quality%20update%20deferral%20of%207%20days%2C%20users%20will%20not%20get%20offered%20the%20quality%20update%20until%20day%207%20and%20the%20deadline%20will%20not%20force%20restart%20until%20day%209.%20Similarly%2C%20if%20you%20(or%20the%20end%20user)%20pause%20quality%20updates%2C%20the%20deadline%20will%20not%20kick%20in%20until%20after%20the%20pause%20has%20elapsed%20and%20a%20quality%20update%20is%20offered%20to%20the%20device.%20For%20example%2C%20if%20the%20end%20user%20pauses%20all%20updates%20for%207%20days%20and%20the%20quality%20update%20deadline%20is%20set%20to%202%20days%2C%20as%20soon%20as%20the%20pause%20period%20is%20over%20on%20day%207%2C%20the%20deadline%20kicks%20in%20and%20the%20device%20will%20have%202%20days%20to%20download%2C%20install%2C%20and%20restart%20to%20complete%20the%20update.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ETo%20ensure%20a%20good%20user%20experience%20for%20devices%20that%20have%20been%20shut%20off%20for%20some%20time%2C%20as%20when%20a%20user%20of%20a%20device%20is%20on%20vacation%2C%20we%20strongly%20recommend%20setting%20a%3CSTRONG%3E%20grace%20period%3C%2FSTRONG%3E.%20The%20grace%20period%20is%20a%20buffer%20that%20prevents%20deadlines%20from%20immediately%20forcing%20a%20restart%20as%20soon%20as%20a%20device%20is%20turned%20on.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20also%20recommend%20leveraging%20the%20default%20automatic%20restart%20behavior.%20Windows%20has%20heuristics%20to%20analyze%20when%20the%20user%20interacts%20with%20the%20device%20to%20find%20the%20optimal%20time%20to%20automatically%20download%2C%20install%2C%20and%20restart.%20Allowing%20auto-restart%20can%20therefore%20improve%20your%20patch%20compliance%20while%20maintaining%20a%20good%20end%20user%20experience.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20recommend%20the%20following%20settings%20for%20deadline%20policies.%20You%20can%20find%20these%20policies%20in%20Group%20Policy%20under%20%3CSTRONG%3EComputer%20Configuration%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EAdministrative%20Templates%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWindows%20Components%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWindows%20Update%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3ESpecify%20deadlines%20for%20automatic%20updates%20and%20restarts%3C%2FSTRONG%3E%20or%20the%20CSP%20name%20listed%20for%20each%20policy%20setting%20below.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3E%3CSTRONG%3EQuality%20updates%20(days)%3A%3C%2FSTRONG%3E%200-7%20(%3CSTRONG%3E3%3C%2FSTRONG%3E%20days%20is%20the%20recommended%20configuration)%3CBR%20%2F%3E%3CEM%3ECSP%20name%3A%20Update%2FConfigureDeadlineForFeatureUpdates%3C%2FEM%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CSTRONG%3EFeature%20update%20(days)%3A%3C%2FSTRONG%3E%200-14%20(%3CSTRONG%3E7%3C%2FSTRONG%3E%20days%20is%20the%20recommended%20configuration)%3CBR%20%2F%3E%3CEM%3ECSP%20name%3A%20Update%2FConfigureDeadlineForQualityUpdates%3C%2FEM%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CSTRONG%3EGrace%20period%20(days)%3A%3C%2FSTRONG%3E%200-3%20(%3CSTRONG%3E2%20%3C%2FSTRONG%3Edays%20is%20the%20recommended%20configuration)%3CBR%20%2F%3E%3CEM%3ECSP%20name%3A%20Update%2FConfigureDeadlineGracePeriod%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FEM%3E%3CTABLE%20style%3D%22background-color%3A%20%23deeaf6%3B%22%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22100%25%22%3E%3CP%20style%3D%22margin%3A%2010px%3B%22%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%20We%20strongly%20recommend%20the%20sum%20of%20a%20feature%20update%2Fquality%20update%20deadline%20and%20the%20grace%20period%20to%20be%20no%20less%20than%202.%20Setting%20a%20value%20lower%20than%202%20can%20cause%20a%20poor%20end%20user%20experience%20due%20to%20the%20aggressive%20timeline.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3E%3CSTRONG%3EAuto-restart%3A%3C%2FSTRONG%3E%20Disabled%20is%20the%20recommended%20configuration.%3CBR%20%2F%3E%3CEM%3ECSP%20name%3A%20Update%2FConfigureDeadlineNoAutoReboot%3C%2FEM%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%20of%20where%20you%20can%20set%20deadlines%20for%20automatic%20updates%20and%20restarts%20using%20Group%20Policy%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247658i3DD99CFFF49BA8D4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22deadlines-grace-period.png%22%20alt%3D%22How%20to%20set%20deadlines%20for%20automatic%20updates%20and%20restarts%20using%20Group%20Policy%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EHow%20to%20set%20deadlines%20for%20automatic%20updates%20and%20restarts%20using%20Group%20Policy%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EFor%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fdeployment%2Fupdate%2Fwufb-compliancedeadlines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEnforcing%20compliance%20deadlines%20for%20updates%3C%2FA%3E%20in%20Windows%20Update%20for%20Business.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%20id%3D%22toc-hId-1936597140%22%3EMake%20sure%20automatic%20updates%20are%20set%20up%20correctly%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EAutomatic%20updates%20are%20another%20policy%20where%20misconfigurations%20affect%20patch%20compliance.%20Within%20the%20%3CSTRONG%3EConfigure%20Automatic%20Updates%3C%2FSTRONG%3E%20policy%20in%20Group%20Policy%20(see%20below%20for%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fconfiguration%2Fprovisioning-packages%2Fhow-it-pros-can-use-configuration-service-providers%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfiguration%20service%20provider%20(CSP)%3C%2FA%3E%20equivalent)%2C%20you%20can%20define%20when%20and%20if%20to%20require%20end%20user%20interaction%20during%20the%20update%20process.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EAs%20a%20rule%20of%20thumb%2C%20requiring%20end%20user%20approval%20of%20updates%20negatively%20impacts%20patch%20compliance%20and%20success%20rates%20by%20a%20significant%20percentage.%20To%20simplify%20the%20update%20process%2C%20we%20therefore%20recommend%20either%20not%20configuring%20this%20policy%20at%20all%20or%2C%20if%20configured%2C%20selecting%20%3CSTRONG%3E%E2%80%9C4%20%E2%80%93%20Auto%20download%20and%20schedule%20the%20install.%E2%80%9D%3C%2FSTRONG%3E%20This%20allows%20the%20update%20to%20download%20and%20install%20silently%20in%20the%20background%20and%20only%20notifies%20the%20user%20once%20it%20is%20time%20to%20restart.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20also%20recommend%20setting%20the%20scheduled%20installation%20time%20to%20%E2%80%9C%3CSTRONG%3EAutomatic%3C%2FSTRONG%3E%2C%E2%80%9D%20rather%20than%20a%20specific%20time%20to%20restart%2C%20as%20the%20device%20will%20then%20fall%20back%20to%20the%20configured%20restart%20policies%2C%20such%20as%20active%20hours%2C%20to%20find%20the%20optimal%20time%20to%20schedule%20the%20restart%20(like%20when%20the%20user%20is%20away).%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20strongly%20recommend%20not%20requiring%20the%20end%20user%20to%20approve%20updates%20for%20the%20smoothest%20update%20process%20as%20this%20can%20create%20bottlenecks%20in%20the%20update%20process.%20This%20includes%20avoiding%20configuring%20%E2%80%9C%3CSTRONG%3E2%20-%20Notify%20for%20download%20and%20auto%20install%3C%2FSTRONG%3E%E2%80%9D%20and%20%E2%80%9C%3CSTRONG%3E3%20-%20Auto%20download%20and%20notify%20for%20install%3C%2FSTRONG%3E.%E2%80%9D%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIf%20you%20do%20choose%20to%20use%20values%3CSTRONG%3E%202%3C%2FSTRONG%3E%20or%20%3CSTRONG%3E3%3C%2FSTRONG%3E%2C%20the%20following%20policy%20conflicts%20may%20arise%20and%20prevent%20updates%20from%20successfully%20being%20applied%20or%20may%20significantly%20degrade%20the%20end%20user%20experience.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EIf%20%22%3CSTRONG%3EConfigure%20Automatic%20Updates%3C%2FSTRONG%3E%E2%80%9D%20is%20set%20to%3CSTRONG%3E%202%3C%2FSTRONG%3E%20or%20%3CSTRONG%3E3%3C%2FSTRONG%3E%20and%3CBR%20%2F%3E%3CSTRONG%3E%22Remove%20access%20to%20use%20all%20Windows%20Update%20features%3C%2FSTRONG%3E%E2%80%9D%20is%20set%20to%20%3CSTRONG%3EEnabled%3C%2FSTRONG%3E%3A%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20end%20user%20will%20be%20unable%20to%20take%20action%20on%20Windows%20Update%20notifications%20and%20will%2C%20therefore%2C%20be%20unable%20to%20download%20or%20install%20the%20update%20before%20the%20deadline.%20When%20the%20deadline%20is%20reached%2C%20the%20update%20will%20automatically%20be%20downloaded%20and%20installed.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EIf%20%22%3CSTRONG%3EConfigure%20Automatic%20Updates%3C%2FSTRONG%3E%E2%80%9D%20is%20set%20to%3CSTRONG%3E%202%3C%2FSTRONG%3E%20or%20%3CSTRONG%3E3%3C%2FSTRONG%3E%20and%3CBR%20%2F%3E%3CSTRONG%3E%22%3C%2FSTRONG%3E%20%3CSTRONG%3EDisplay%20options%20for%20update%20notifications%3C%2FSTRONG%3E%E2%80%9D%20is%20set%20to%20%3CSTRONG%3E(2)%20Disable%20all%20notifications%20including%20restart%20notifications%3C%2FSTRONG%3E%3A%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20end%20user%20will%20not%20see%20notifications%20and%2C%20therefore%2C%20cannot%20take%20action%20without%20going%20to%20the%20Windows%20Update%20Settings%20page.%20Thus%2C%20the%20user%20will%20be%20unlikely%20to%20download%20or%20install%20the%20update%20before%20the%20deadline%20at%20which%20time%20the%20device%20will%20be%20forced%20to%20restart%20without%20any%20warning.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%20of%20where%20you%20can%20configure%20automatic%20update%20settings%20using%20Group%20Policy%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247659i9033574D19A24D5B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22configure-automatic-updates.png%22%20alt%3D%22How%20to%20configure%20automatic%20update%20settings%20using%20Group%20Policy%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EHow%20to%20configure%20automatic%20update%20settings%20using%20Group%20Policy%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EThe%20CSP%20equivalent%20of%20the%20above%20recommended%20configurations%20for%20%22%3CSTRONG%3EConfigure%20Automatic%20Updates%3C%2FSTRONG%3E%22%20in%20Group%20Policy%20would%20be%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EUpdate%2FAllowAutoUpdate%20%3D%202%20(Auto%20install%20and%20restart.%20Updates%20are%20downloaded%20automatically%20and%20installed%20when%20the%20device%20is%20not%20in%20use.)%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EUpdate%2FScheduledInstallDay%20%3D%200%20(Every%20day)%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EUpdate%2FScheduledInstallEveryWeek%20%3D%201%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EOr%20simply%20not%20configuring%20the%20policy%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%20id%3D%22toc-hId-129142677%22%3EEnsure%20that%20devices%20can%20check%20for%20updates%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EFrequently%2C%20we%20see%20the%20policies%20listed%20in%20this%20section%20misconfigured%20during%20the%20initial%20setup%20of%20a%20device%20and%20then%20never%20revisited.%20If%20left%20misconfigured%2C%20they%20can%20prevent%20devices%20from%20updating.%20As%20a%20result%2C%20we%20recommend%20that%20you%20review%20the%20following%20policies%20to%20ensure%20they%20are%20configured%20correctly.%20You%20can%20find%20these%20policies%20in%20Group%20Policy%20under%20%3CSTRONG%3EComputer%20Configuration%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EAdministrative%20Templates%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWindows%20Components%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWindows%20Update%3C%2FSTRONG%3E%20or%20the%20Update%20Policy%20CSP%20listed%20for%20each%20policy%20setting%20below.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3EDo%20not%20allow%20update%20deferral%20policies%20to%20cause%20scans%20against%20Windows%20Update%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CEM%3ECSP%20name%3A%20Update%2FDisableDualScan%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIf%20a%20device%20is%20configured%20to%20receive%20updates%20from%20Windows%20Update%2C%20including%20DualScan%20devices%2C%20make%20sure%20this%20policy%20is%20%3CU%3Enot%3C%2FU%3E%20set%20to%20%3CSTRONG%3EEnabled%3C%2FSTRONG%3E.%20To%20clean%20out%20the%20policy%2C%20we%20recommend%20you%20set%20this%20policy%20to%20%3CSTRONG%3EDisabled%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3ESpecify%20intranet%20Microsoft%20update%20service%20location%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CEM%3ECSP%20name%3A%20Update%2FAllowUpdateService%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20see%20a%20significant%20number%20of%20devices%20unable%20to%20update%20due%20to%20bad%20Windows%20Server%20Update%20Services%20(WSUS)%20server%20addresses%2C%20often%20because%20a%20replacement%20WSUS%20server%20is%20provisioned%20with%20a%20different%20name.%20As%20a%20result%2C%20double-check%20to%20ensure%20that%20the%20WSUS%20server%20address%20is%20up%20to%20date.%20Devices%20that%20are%20misconfigured%20to%20ping%20an%20address%20that%20is%20expired%20or%20no%20longer%20in%20service%20won%E2%80%99t%20receive%20updates.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EAdditionally%2C%20scan%20failures%20can%20occur%20when%20devices%20require%20user%20proxy%20to%20scan%20their%20configured%20WSUS%20server%20and%20do%20not%20have%20the%20proper%20proxy%20policy%20configured.%20for%20proxy%20scenarios%2C%20see%20Scan%20changes%20and%20certificates%20add%20security%20for%20Windows%20devices%20using%20WSUS%20for%20updates.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%20id%3D%22toc-hId--1678311786%22%3EConfigure%20policies%20to%20ensure%20a%20good%20end%20user%20experience%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EThe%20following%20policies%20can%20negatively%20affect%20your%20end%20user%20experience%3A%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3ERemove%20access%20to%20%E2%80%9CPause%20updates%E2%80%9D%20feature%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CEM%3ECSP%20name%3A%20Update%2FSetDisablePauseUXAccess%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EEnabling%20this%20policy%20can%20benefit%20your%20monthly%20adoption%20rate%2C%20but%20also%20prevents%20users%20from%20pausing%20updates%20when%20necessary.%20If%20you%20have%20set%20deadlines%20that%20may%20cause%20a%20mandatory%20restart%2C%20disabling%20this%20policy%20will%20give%20end%20users%20the%20power%20to%20protect%20their%20work.%20For%20example%2C%20if%20a%20device%20is%20in%20the%20middle%20of%20a%20process%20that%20must%20run%20for%20consecutive%20days%2C%20the%20end%20user%20may%20want%20to%20make%20sure%20that%20their%20device%20is%20not%20forced%20to%20restart%20during%20the%20process.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3ERemove%20access%20to%20use%20all%20Windows%20Update%20features%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CEM%3ECSP%20name%3A%20Update%2FSetDisableUXWUAccess%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ELeveraging%20this%20policy%20will%20remove%20the%20end%20user's%20ability%20to%20use%20the%20Windows%20Update%20Settings%20page.%20This%20includes%20their%20ability%20to%20check%20for%20updates%20or%20interact%20with%20notifications%2C%20and%20can%20lead%20to%20policy%20conflicts.%20Note%20that%2C%20if%20this%20policy%20is%20left%20alone%2C%20checking%20for%20updates%20simply%20prompts%20a%20scan%20and%20does%20not%20change%20what%20the%20user%20is%20offered%20if%20you%20have%20configured%20Windows%20Update%20for%20Business%20offering%20policies%20on%20the%20device.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3EDisplay%20options%20for%20update%20notifications%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CEM%3ECSP%20Name%3A%20Update%2FUpdateNotificationLevel%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20recommend%20this%20setting%20is%20configured%20to%20%3CSTRONG%3E0%20(default)%3C%2FSTRONG%3E.%20If%20set%20to%20%3CSTRONG%3E1%20%3C%2FSTRONG%3Eor%20%3CSTRONG%3E2%3C%2FSTRONG%3E%2C%20this%20setting%20will%20disable%20all%20restart%20warnings%20or%20all%20restart%20notifications%2C%20limiting%20the%20visibility%20that%20your%20end%20user%20has%20to%20an%20upcoming%20restart.%20This%20can%20result%20in%20restarts%20happening%20while%20the%20end%20user%20is%20present%20with%20no%20notifications%20due%20to%20the%20deadline%20being%20reached.%20Enabling%20this%20policy%20is%20recommended%20for%20kiosk%20or%20digital%20signage%20devices%20only.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%20id%3D%22toc-hId-809201047%22%3EApply%20recommendations%20with%20the%20Update%20Baseline%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ETo%20implement%20the%20recommendations%20outlined%20above%2C%20we%20provide%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fdeployment%2Fupdate%2Fupdate-baseline%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpdate%20Baseline%3C%2FA%3E%20tool%20which%20allows%20you%20to%20import%20our%20full%20set%20of%20Windows%20update%20policy%20recommendations%20into%20Group%20Policy%20Management%20Center.%20The%20Update%20Baseline%20toolkit%20is%20currently%20only%20available%20for%20Group%20Policy.%20A%20Microsoft%20Intune%20solution%20to%20apply%20the%20Update%20Baseline%20is%20coming%20soon.%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D101056%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDownload%20the%20Update%20Baseline%3C%2FA%3E%20and%20review%20the%20documentation%20included%20to%20view%20and%20apply%20our%20full%20list%20of%20policy%20configuration%20recommendations.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ETry%20out%20our%20policy%20recommendations%20for%20yourself%20to%20see%20how%20you%20can%20improve%20your%20patch%20velocity.%20Let%20us%20know%20what%20you%20think%20by%20commenting%20below%20or%20reaching%20out%20to%20me%20directly%20on%20Twitter%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Fariaupdated%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%40ariaupdated%3C%2FA%3E.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2077328%22%20slang%3D%22en-US%22%3E%3CP%3EReview%20recommended%20Windows%20update%20policies%20that%20can%20accelerate%20update%20compliance%20and%20ensure%20a%20good%20end%20user%20experience.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2077328%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EServicing%20and%20updates%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETips%20and%20Tricks%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2084055%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2084055%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20article!%20It's%20helpful%20to%20know%20the%20Microsoft%20recommended%20update%20settings.%20I%20also%20downloaded%20the%20Update%20Baseline%20tool%20and%20am%20evaluating%20the%20GPO%20recommendations.%20Our%20company%20is%20trying%20to%20move%20away%20from%20GPO's%20and%20to%20use%20Intune%20policies%20instead.%20I%20imported%20the%20gpreport.xml%20to%20Intune%20GPO%20Analytics%2C%20but%20it%20shows%20that%20only%2055%25%20of%20the%20settings%20are%20Intune%20MDM%20Supported.%20Any%20chance%20the%20Intune%20team%20can%20work%20on%20adding%20support%20for%20all%20those%20settings%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2084187%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2084187%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F462187%22%20target%3D%22_blank%22%3E%40Ian55%3C%2FA%3E%26nbsp%3Bactually%20the%20reason%20it%20is%20such%20a%20low%20%25%20supported%20is%20because%20a%20lot%20of%20the%20things%20Update%20Baseline%20is%20setting%20is%20disabling%20policies%20or%20attempting%20to%20get%20the%20default%20behavior.%20Ideally%2C%20as%20stated%20in%20the%20article%20-%20you%20just%20leverage%20the%20default%20behavior%20and%20then%20only%20configure%20offering%20policies%20and%20deadlines.%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2085872%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2085872%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20Aria.%3C%2FP%3E%3CP%3EThat's%20quite%20helpful%2C%20and%20you%20have%20no%20idea%20how%20convenient%20the%20timing%20is!%20At%20least%20the%20time%20when%20I%20found%20it%2C%20I'm%20not%20sure%20when%20it%20was%20written.%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3EEmanuel%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2101993%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2101993%22%20slang%3D%22en-US%22%3E%3CP%3EVery%20helpful%20but%20when%20will%20we%20have%20Baseline%20settings%20for%20Intune%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2116052%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2116052%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20this%20guidance.%26nbsp%3B%20We're%20making%20changes%20because%20of%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20significant%20typo%20-%20the%20CSP%20name%20for%20Feature%20and%20Quality%20deadlines%20appear%20to%20be%20reversed%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2166665%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2166665%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20our%20environment%20we%20have%20the%20following%20settings%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuality%20Updates%3A%202%20days%3C%2FP%3E%3CP%3EFeature%20Updates%3A%2021%20days%3C%2FP%3E%3CP%3EGrace%20Period%3A%207%20days%3C%2FP%3E%3CP%3EAuto%20download%20and%20schedule%20install%20update%3A%206am%20Don't%20autorestart%20until%20end%20of%20grace%20period%3A%20enabled%3C%2FP%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EFrom%20what%20I%20understand%20for%20Quality%20update%2C%20a%20restart%20is%20required%20after%20the%20automatic%20install%20at%206am%20which%20triggers%20the%207%20days%20grace%20period%20to%20kick%20in.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3EFor%20Feature%20updates%20a%20restart%20is%20never%20required.%20When%20it%20installs%20it%20restart%2C%20you%20never%20get%20a%20grace%20period%20but%20you%20get%20the%2021%20days%20of%20notifications%20from%20the%20deadline.%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EUnless%20in%20both%20cases%20you%20boot%20Windows%20past%20either%20deadline%2C%20you%20should%20get%20a%20grace%20period%20for%20both%3F%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20correct%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3EAlex%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2169660%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2169660%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68669%22%20target%3D%22_blank%22%3E%40Alexandre%20Gauthier%3C%2FA%3E%26nbsp%3Bthanks%20for%20reaching%20out.%20Grace%20period%20actually%20applies%20for%20both%20feature%20updates%20and%20quality%20updates.%20Note%2C%20in%20either%20case%20when%20restart%20is%20pending%20(for%20a%20feature%20or%20quality%20update)%20the%20end%20user%20will%20have%20the%20grace%20period%20length%20of%20time%20to%20update%20before%20the%20deadline%20is%20forced.%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorAria%20Carley_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2169662%22%20slang%3D%22en-US%22%3ERe%3A%20Common%20policy%20configuration%20mistakes%20for%20managing%20Windows%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2169662%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22Eq_5aMLUcAAWJGQ.png%22%20style%3D%22width%3A%20814px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F258485i839256DD28694AB5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Eq_5aMLUcAAWJGQ.png%22%20alt%3D%22This%20is%20a%20detailed%20description%20of%20the%20compliance%20deadline%20behavior.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EThis%20is%20a%20detailed%20description%20of%20the%20compliance%20deadline%20behavior.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Jan 19 2021 07:58 PM
Updated by: