Help with GPO/Update settings - Auto Download, Auto Install, Defer Reboot for specific day/time

Hi MS Tech Community family.

 

I have been asked to set up a very specific update schedule using GPO whilst we seek other patching options. As far as I can tell this isn't possible using GPO; however, I hope someone can prove me wrong.

 

I have been asked to set up the following.

 

  • All updates, including optional, to automatically download.
  • All updates to automatically install.
  • Notify users that updates have been installed and are awaiting a reboot.
  • Remove the normal shutdown/restart options in the Start menu and replace them with Update & Shutdown/Restart when updates have been installed.
  • Do not automatically reboot the user's machine until a specific day of the month/time (3rd Tuesday at 12 noon).

 

4 Replies
- Optional updates are NOT automatically downloaded unless you are in Release Preview. If you want to take every single optional update, I'd recommend joining Release Preview.
- By default all updates that are automatically offered will download and install automatically.
- By default users will be shown a notification once pending reboot.
- Which shutdown/restart options? I am not sure what you are asking for here... or why?
- So you want to notify the user, but not actually force the reboot or automatically restart overnight until a specific day/time? That is possible, but really not recommended as it will both slow compliance and provide a worse end user experience. If you insist on doing this, then you can use Configure Automatic Updates and set "Schedule install" and configure to the day, time, week you want. Then don't set any other policies and the device will automatically download, install, notify the user, and only force the restart at that time. The only thing this doesn't accomplish is the "Remove normal shutdown/restart options", though partially since I am not sure what that means.
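
The scheduled-install setting described in the reply above can be audited on a client. This is an added example, not part of the thread: it reads the registry values that the "Configure Automatic Updates" policy writes and reports whether they match "scheduled install, third week, Tuesday, 12:00". The helper names `Get-AuPolicy` and `Test-AuSchedule` are hypothetical, and the sample values are constructed.

```powershell
# Added example; Get-AuPolicy and Test-AuSchedule are hypothetical helper names.
# Key written by the "Configure Automatic Updates" group policy.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuPolicy {
    # Return the policy values as a hashtable; empty if the policy is not configured.
    $values = @{}
    if (Test-Path -Path $AuKey) {
        $item = Get-ItemProperty -Path $AuKey
        foreach ($p in $item.PSObject.Properties) {
            # Skip the provider's own PSPath/PSParentPath/... properties.
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-AuSchedule {
    param(
        [hashtable]$Policy = @{},
        [int]$Day = 3,      # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$Hour = 12,    # ScheduledInstallTime: hour of the day, 0-23
        [string]$WeekValue = 'ScheduledInstallThirdWeek'
    )
    $issues = @()
    # A missing value reads as $null, so an unconfigured policy fails every check below.
    if ($Policy['NoAutoUpdate'] -eq 1) { $issues += 'NoAutoUpdate = 1: automatic updates are turned off' }
    if ($Policy['AUOptions'] -ne 4) { $issues += 'AUOptions is not 4 (auto download and schedule the install)' }
    if ($Policy['ScheduledInstallDay'] -ne $Day) { $issues += "ScheduledInstallDay is not $Day" }
    if ($Policy['ScheduledInstallTime'] -ne $Hour) { $issues += "ScheduledInstallTime is not $Hour" }
    if ($Policy['ScheduledInstallEveryWeek'] -eq 1) { $issues += 'ScheduledInstallEveryWeek = 1: schedule is weekly, not one week of the month' }
    if ($Policy[$WeekValue] -ne 1) { $issues += "$WeekValue is not 1" }
    [pscustomobject]@{ Compliant = ($issues.Count -eq 0); Issues = $issues }
}

# Constructed sample: the values for "third week, Tuesday, 12:00".
$sample = @{
    NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 3; ScheduledInstallTime = 12
    ScheduledInstallEveryWeek = 0; ScheduledInstallThirdWeek = 1
}
Test-AuSchedule -Policy $sample          # check the constructed values
Test-AuSchedule -Policy (Get-AuPolicy)   # check what this machine actually received
```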

Hi @Aria Carley 

 

Thanks for getting back to me on this one. 

Let me clarify some of the points as I may not have explained myself correctly.

 

Optional Updates -  I mean standard updates + driver + application updates 

 

What the business is trying to achieve is the following.

 

  1. Updates are downloaded and installed the day of release (every 2nd Tuesday of the month I believe)
  2. When a user attempts to shut down or restart, they are forced to commit/apply the updates that have been installed
  3. Users that have not restarted or shut down after updates have installed 7 days after the release are then forced to reboot (every 3rd Tuesday of the month at 12 noon)
  4. Before the 7-day deadline no automatic reboots occur.

I hope that makes more sense.

Again, if it is possible, awesome! However, I think to get this level of granular control we may have to consider Intune/SCCM/third-party??

 

Let me know what you think :)

best response confirmed by Chris_Coates (Copper Contributor)
Solution

Hi @Chris_Coates,

 

I'll let @Aria Carley respond to the core details here, although deadlines will get you most of what you want (see Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) - Windows Dep...). For your comment of possibly requiring Intune or ConfigMgr to accomplish this, keep in mind that Intune is just a policy engine for Windows Update for Business, so it doesn't add any actual capabilities for Windows update deployment, although you could go overboard and create something custom using scripts or proactive remediations.

@Jason_Sandys (and @Aria Carley) Thank you both for your replies.

   

I will have a good read over the policies you sent through and see if the business is happy to implement these. I think you may have solved the issue.

 

Thank you both for your help!
