Roll out updates faster with the Update Baseline for Windows 10
Published Jun 16 2020 12:41 PM 24.5K Views
Microsoft

Earlier this year, we released an in-depth guide to Windows 10 update adoption, providing you with best practices and tips on how to more effectively manage updates. The guide included recommended strategies and tactics as well as detailed discussions on tradeoffs and tools to help you make the best decision for your organization. We’ve received great feedback on the guide so far and I'm glad to hear that these recommendations and discussions were useful to many of you.

Today we published the Update Baseline for Windows 10, a toolset that builds on our in-depth guide to further simplify the process. Like the Windows security baselines, the Update Baseline for Windows 10 includes recommended configuration settings plus guidance on customizing those settings to meet your organization’s unique needs. And, like the Windows security baselines, you can get to an optimized approach that’s right for you with just a few clicks.

Today there are over 3,000 Group Policy settings for Windows 10. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the impact of each setting on your own and then determine the appropriate value for each setting. The Update Baseline for Windows 10 includes recommended policy settings across a number of areas, including:

  • Configuring deadlines
  • Restart behavior
  • Accounting for low activity devices
  • Delivery optimization
  • Power policies

In creating this toolset, we've focused on collecting real-world best practices to share with you—practices that can help you and your organization increase update velocity while keeping your devices protected and productive. It's now easier than ever to simplify the way you roll out updates across your organization. Download the Update Baseline for Windows 10 today and start evaluating the proposed baselines. We hope you find this new resource helpful and look forward to any feedback you'd like to leave in the comments section below.

24 Comments
Brass Contributor

Hi @TJ_Devine 

This would be great if it also included a script or other guidance on applying this setting to an Intune policy for managing remote devices as well.

Are there plans to release an Intune version?

Cheers

Brass Contributor

@TJ_Devine 

Whoever has created this wasted their time. This document contains the same old things that Microsoft has been parroting for the last ten years, plus some stuff that Microsoft has been parroting for the last five years. They are inapplicable, now that we don't use the workplace computers anymore.

In the meantime, COVID-19 and Microsoft seem to have entered a partnership and put up a joint effort to drive us insane. These days, we are running 12 computers at my place of residence! Installing Windows updates on them is very costly, considering the consumer-grade Internet bandwidth that I can afford to buy. If KB4557957 is to be downloaded 12 times, it is 204MB×12=2448MB. This is nothing for enterprise-grade Internet. In the workplace, we consumed double this number daily, but at home, I cannot in good conscience call it cheap. If only I could schedule the downloading (not installing) to take place at certain ISP-designated hours, my costs would have been zero.

In the past, I configured all computers to delay automatic updating for a week. I received update notifications via email. Then I downloaded those updates manually once and installed them 12 times. Enter Windows 10 version 20H1: this ability has been silently removed. Do you know how frustrating it is?

@MasterMysterious Delivery Optimization is a technology built into Windows 10 that helps with the bandwidth issue. Your home PCs should have downloaded the updates once and then shared them among themselves. You can see if this is working by launching Settings >> Updates >> Delivery Optimization (in the left side menu) >> (scroll down) >> Activity Monitor.

My PC is the only 2004 machine on my home LAN, so it's not a good example, but here is what it looks like.

[Screenshot: Elizabeth_Greene_0-1592401976663.png]

Copper Contributor

@TJ_Devine 

I'm struggling to figure out how to defer Feature Updates for longer than 365 days.  If versions of Windows 10 are supported for 18/30 months, shouldn't we be able to defer for that amount of time?

Microsoft

@torquetechit_tonyd – Yes! We had the exact same thought. Intune integration is a priority and on our roadmap. Appreciate the feedback, and let us know how it works for you.

Microsoft

@Brandon Robert – Actually, as of last month, you can! The new target version policy will let you stay on a release, so long as it is supported, until you change the policy. This can be done via Intune, Group Policy, or some other MDMs. I know this isn’t the same approach as “defer update” but will hopefully give you the same result with as much or more control.

For Group Policy, the policy can be found under the Windows Update node > Windows Update for Business > Target Release Version. To do this, you will need to download the new 2004 ADMX template that was just published and apply the new policy, which will work for all devices on 1803 and above that took the May security update.

*Note: This policy will take precedence over Feature Update deferrals, meaning that if Target Release Version is set, Feature Update deferrals are irrelevant.

Brass Contributor

@TJ_Devine - I am thinking this can be done using a Custom policy based on ingesting the relevant ADMX into Intune and then applying the settings using OMA-URI.

Brass Contributor

@MasterMysterious Take a look at configuring Delivery Optimization on your systems (assuming they're not corporate devices): https://support.microsoft.com/en-us/help/4468254/windows-update-delivery-optimization-faq

If they're corporate devices, that configuration may need to be managed by your IT group, and may already be configured (and not optimally for you at home).

Brass Contributor

@TheOtherJosh No, thanks.

Copper Contributor

Am I the only one noticing that the download is missing the "Tools" folder which includes the necessary "MapGuidsToGpoNames.ps1" Script?

It's part of the Security Baselines...

Microsoft

@Brian Steingraber - That should have been fixed Wednesday afternoon.  Can you check and let me know if you still have an issue? 

Copper Contributor

@TJ_Devine 

Just tried, still not there.

Microsoft

The tools folder was removed because it wasn't needed and the script runs without the folder (the original file did refer to but not depend on a tools folder).  Please do let me know if you have any problems with the script. 

Copper Contributor

Hi,

"Disable" and "Do not configure" for the "Turn off auto-restart notification for update installation" policy do not work the same.

If you "do not configure" the policy, then "Show a notification when your PC requires a restart to finish updating" in "Update notification" is "On" and the user can change it. If you "disable" the policy, "Show a notification when your PC requires a restart to finish updating" is "Off" and the user is not able to change it.

Microsoft

Hi @Kazimierz Popinski,

Not Configured and Disabled will have the same notification behavior (default). That being said, when the policy is explicitly set to Disabled, the admin has chosen the explicit value of the policy and therefore the user does not get a choice (so the toggle is taken away). When the policy is only Not Configured, the user is still offered the choice (defaulting to Off). In general, Disable prevents end users from actually changing the setting while Not Configured gives end users the option of changing the setting.

Copper Contributor

Hi @Kay_Toma

Does it mean that it is not possible to show the notifications and not allow the user to change it?

Because if I set the policy to Disable it will reset the choice to Off.

Is it possible to set the choice to On via policy, or better, to set the choice to On and prevent the user from changing it?

Regards,

Kazimierz

Copper Contributor

I get an error message: "Import-GPO : The term 'Import-GPO' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\username\UpdateBaseline\Scripts\Baseline-ADImport.ps1:28 char:5
+ Import-GPO -BackupId $guid -Path $GPOsDir -TargetName "$key" -Cre ...
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Import-GPO:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException"

Microsoft

Hi @Kazimierz Popinski,

If you would like to show the auto-restart notifications and not allow users to change the setting, the policy should be set to Disabled.

If you would like to not show the auto-restart notifications and not allow users to change the setting, the policy should be set to Enabled.

Thanks,

Kay

Microsoft

Hi @softwaregeek,

Are you running the command on a domain controller? The tool will not work on regular devices. If you would like to apply the baseline to a regular device (such as for testing) I would recommend using LGPO.

Best,

Kay

Copper Contributor

Hi @Kay_Toma,

If I set the policy to Disabled the auto-restart notification is "Off" (system default) and the user can't change it.

Would you like to say that the "Off" (system default) doesn't mean that the user will not see the auto-restart notification?

What does it mean then?

Best,

Kazimierz

Copper Contributor

Hi,

I have an issue with the last Feature Update for Windows 10 (Business Editions) Version 2004, en-us x64. We use WSUS.

The deadline policy doesn't work. Instead of the information about the deadline in Settings/Windows Update, there is a message that "The Update is ready to install! We need your help deciding when to restart so we can finish up." and the system is waiting for user interaction. The deadline policy for quality updates works on the computers as expected and the registry keys for Windows Update look fine.

Any idea? Has something changed with the feature update for version 2004?

Regards,

Kazimierz

Microsoft

Hi Kazimierz,

I talked to some of the experts. It sounds like you may have your Windows Updates configured to "notify to install", which is why the user would be prompted to install prior to the update being installed. Once the deadline was reached, the update would install automatically.

You can see this document for deadline behavior:

https://docs.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines

Copper Contributor

Hi @TJ_Devine ,

Our policy is not "notify to install" but "Auto download and schedule to install" and it works properly together with the deadline for the quality updates.

It also worked for the feature update 1809-->1903 but it doesn't show the countdown time for the deadline for the feature update 1909-->2004.
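
As an added check for the questions in this thread (example code written here, not part of the Update Baseline download or any commenter's post): a PowerShell audit that reads the registry values the Windows Update for Business policies write on a device, so you can see whether Target Release Version is pinned (and therefore overriding the feature update deferral, as TJ notes above), which deadline values are actually present, whether Automatic Updates is set to prompt before installing, and how the auto-restart notification policy is set. It assumes the policy value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the corresponding Group Policy settings write, and must run in an elevated session on the device being checked.

```powershell
# Added example for this thread (not part of the Update Baseline package): reads
# the registry values written by the Windows Update for Business policies discussed
# above and reports the effective state. Run in an elevated session on the device.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WufbPolicyReport {
    $lines = @()
    # Target Release Version takes precedence over the feature update deferral
    $trv     = Get-PolicyValue $wuPolicy 'TargetReleaseVersion'
    $trvInfo = Get-PolicyValue $wuPolicy 'TargetReleaseVersionInfo'
    $deferFU = Get-PolicyValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'
    if ($trv -eq 1 -and $trvInfo) {
        $lines += "Target Release Version pinned to $trvInfo; feature update deferral is ignored"
    } elseif ($null -ne $deferFU) {
        $lines += "No target release pinned; feature updates deferred $deferFU days (policy max 365)"
    } else {
        $lines += 'Neither Target Release Version nor a feature update deferral is configured'
    }
    # Deadline settings: an absent value leaves that setting Not Configured
    foreach ($name in 'ConfigureDeadlineForFeatureUpdates', 'ConfigureDeadlineForQualityUpdates',
                      'ConfigureDeadlineGracePeriod', 'ConfigureDeadlineNoAutoReboot') {
        $v = Get-PolicyValue $wuPolicy $name
        $lines += '{0,-36} {1}' -f $name, $(if ($null -eq $v) { 'Not Configured' } else { $v })
    }
    # AUOptions: 3 prompts the user to install, 4 installs on schedule without a prompt
    $au = Get-PolicyValue $auPolicy 'AUOptions'
    if ($au -eq 3)     { $lines += 'AUOptions=3: auto download, notify to install (user is prompted)' }
    elseif ($au -eq 4) { $lines += 'AUOptions=4: auto download and schedule the install' }
    else               { $lines += "AUOptions value $au (other or Not Configured; Windows default applies)" }
    # SetAutoRestartNotificationDisable: 1 = policy Enabled (notifications off),
    # 0 = policy Disabled (shown, user cannot toggle), absent = Not Configured
    $n = Get-PolicyValue $wuPolicy 'SetAutoRestartNotificationDisable'
    if ($n -eq 1)         { $lines += 'Auto-restart notifications: turned off by policy' }
    elseif ($null -ne $n) { $lines += 'Auto-restart notifications: shown, user cannot change' }
    else                  { $lines += 'Auto-restart notifications: Not Configured (user can toggle)' }
    return $lines
}

Get-WufbPolicyReport
```

Run it on a device that shows the "We need your help deciding when to restart" prompt and compare the AUOptions and deadline lines against what the GPO is expected to set.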

Copper Contributor

Hi,

in the MSFT Windows Update Policy "Allow standby states (S1-S3)..." is "Enabled", but at the same time in the MSFT Windows 10 2004 - BitLocker Policy is the "Allow standby states (S1-S3)..." "Disabled". 

Regards,

Kazimierz
