Whether you are responsible for a single Windows 10 PC or thousands of enterprise PCs, your challenges for managing updates are the same. Your goals are to install security updates promptly, manage feature updates intelligently, and prevent unexpected restarts from cutting into productivity.
Does your business have a comprehensive plan for dealing with Windows updates? It’s tempting to think of those downloads as an occasional nuisance, to be swatted away as they arrive. But dealing with updates in reactive fashion is a prescription for frustration and lost productivity.
The alternative is to create a management strategy for testing and deploying updates, so that the process becomes as routine as sending out invoices and closing the books each month.
This article includes all the information you need to understand how Microsoft delivers updates to devices running Windows 10, as well as details about the tools and techniques you can use to manage those updates intelligently on devices running Windows 10 Pro, Enterprise, or Education editions. (Windows 10 Home does not support any update management features and is ill-suited for deployment in business settings.)
But before you touch any of those tools, you need a plan.
WHAT’S IN YOUR UPDATE POLICY?
The point of an update policy is to make the update process predictable, with procedures for notifying users so that they can plan their work accordingly and avoid unexpected downtime. It also includes protocols for dealing with unexpected issues, including rolling back failed updates.
A sensible update policy sets aside time for dealing with updates each month. In a small organization, this might be a designated maintenance window for every PC in the shop. Large organizations are less likely to embrace a one-size-fits-all policy and will benefit from dividing their PC population into update groups (Microsoft calls them “rings”), with different update strategies for each group.
The policy needs to address several distinct types of updates.
The most familiar are the monthly cumulative security and reliability updates that are delivered on the second Tuesday of each month (aka Patch Tuesday). The Patch Tuesday release typically also includes the Windows Malicious Software Removal Tool and may include any of the following additional types of updates:
- Security updates for .NET Framework
- Security updates for Adobe Flash Player
- Servicing stack updates (which must be installed before other updates)
Installation of any or all of those updates can be deferred for up to 30 days.
Depending on the PC manufacturer, hardware drivers and firmware updates can also be delivered through Windows Update. You can opt out of this category of updates or manage them using the same settings that apply to other updates.
Finally, feature updates are also delivered via Windows Update. These large packages update Windows 10 to the latest version and are released every six months for all Windows editions except the Long Term Servicing Channel (LTSC) releases. You can defer installation of feature updates by up to 365 days using Windows Update for Business; additional deferrals of up to 30 months are available for Enterprise and Education editions.
With that background, you can now begin assembling an update policy, which should include the following elements for each managed PC:
- When to install monthly updates: Using the default Windows settings, monthly updates are downloaded and installed within 24 hours of their release on Patch Tuesday. You might choose to defer these downloads for some or all PCs in your organization so that you have time to test the updates for compatibility; this delay also allows you to avoid being affected if Microsoft identifies an issue with an update, as has happened on multiple occasions with Windows 10.
- When to install semi-annual feature updates: Using the default Windows settings, feature updates are downloaded and installed when Microsoft says they’re ready. On a device that Microsoft assesses as well suited for the update, the feature update might arrive within days of its release. For other devices, the feature update might arrive months later or might even be blocked because of a compatibility issue. You can specify a delay for some or all PCs in your organization to allow time for testing the new release.
- When to allow PCs to restart to complete installation of updates: Most updates require a restart to complete installation. This restart occurs outside of the default Active Hours setting of 8am to 5pm; you can change this setting to an interval of your choosing, up to 18 hours. Using management tools, you can set specific times to download and install updates.
- How to notify PC users of pending updates and restarts: To avoid unpleasant surprises, Windows 10 notifies users when updates are pending. You have limited control over these notifications from within Windows 10 Settings. Significantly more options are available using Group Policy settings.
- How to handle out-of-band updates: Occasionally, Microsoft releases critical security updates outside of its normal Patch Tuesday schedule. Typically, these are intended to address security vulnerabilities that are being exploited “in the wild.” Do you accelerate deployment of these updates or wait until the next scheduled update window?
- How to handle update failures: In the event that an update fails to install or causes problems, what’s your response plan?
After defining those elements, it’s time to choose your management tool.
MANAGING UPDATES MANUALLY
In very small businesses, including one-person shops, it’s easy enough to configure Windows Update manually. Start at Settings > Update & Security > Windows Update. There, you can adjust two groups of settings.
First, click Change Active Hours and adjust the settings to reflect your actual work habits. If you routinely work in the evenings, you can avoid downtime by configuring these values from 6am to midnight, thus ensuring that any scheduled restarts occur in the wee small hours of the morning.
Next, click Advanced Options and adjust the settings under the Choose When Updates Are Installed heading to reflect your policy.
- Choose Semi-Annual Channel instead of the default Semi-Annual Channel (Targeted) to delay installation of feature updates until Microsoft has declared them ready for widespread business adoption (typically a minimum of two months).
- Choose how many days to delay installation of feature updates. The maximum value is 365 days.
- Choose how many days to delay installation of quality updates, including the cumulative security updates released on Patch Tuesday. The maximum value is 30 days.
Other settings on this page control the display of restart notifications (on by default) and whether to allow updates to download on metered connections (off by default).
Of course, the point of delaying updates is not simply to kick the can down the road so that you (and your users) can be surprised later in the month. If you set a delay of 15 days for quality updates, for example, you should use that time to test updates for compatibility, and schedule your maintenance window for a convenient time before the 15-day deferral period expires.
MANAGING UPDATES USING GROUP POLICY
All the manual settings listed in the previous section can also be applied using Group Policy, and the full list of Windows Update-related Group Policy settings includes a number of options that go well beyond what’s available in Settings.
You can apply these settings to individual PCs using the Local Group Policy Editor, Gpedit.msc, or using scripts. But the most common use is in a Windows domain with Active Directory, where you can push combinations of policies to groups of PCs.
A significant number of policies are exclusively for Windows 10. The most important are those associated with the Windows Update for Business feature, which are located in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
- Select when Preview Builds and Feature Updates are received: Choose a servicing channel and set delays for feature updates.
- Select when Quality Updates are received: Set delays for monthly cumulative updates and other security-related updates.
- Manage preview builds: Specify whether users can join a machine to the Windows Insider Program and, if enabled, specify the Insider ring.
An additional group of policies is located in Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Remove access to “Pause updates” feature: Prevent users from interfering with installation of updates by removing the option to pause updates for up to 35 days.
- Remove access to all Windows Update features: Prevent users from changing any Windows Update settings.
- Allow updates to be downloaded automatically over metered connections: Allow updates to be installed on devices using a metered connection such as an LTE connection.
- Do not include drivers with Windows Updates: Prevent Windows Update from installing device drivers.
The following settings, all specific to Windows 10, apply to restarts and notifications:
- Turn off auto-restart for updates during active hours: Ensure that devices don’t restart to install updates during normal working hours.
- Specify active hours range for auto-restarts: Change the default active hours settings.
- Specify deadline before auto-restart for update installation: Choose a deadline (between 2 and 14 days) after which a restart to apply updates will be automatic.
- Configure auto-restart reminder notifications for updates: Increase the time prior to a scheduled restart when the user is notified. Acceptable values are 15 minutes (default) to 240 minutes.
- Turn off auto-restart notifications for update installations: Completely disable restart notifications.
- Configure auto-restart required notification for updates: Prevent notifications from disappearing after 25 seconds and instead require the user to dismiss them.
- Do not allow update deferral policies to cause scans against Windows Update: Use this policy to prevent PCs from checking Windows Update when a deferral is assigned.
- Specify Engaged restart transition and notification schedule for updates: Use this policy to allow users to schedule restarts and “snooze” restart reminders.
- Configure auto-restart warning notifications schedule for updates: Configure reminders of automatic restarts (from 4 to 24 hours) and warnings of imminent restarts (from 15 to 60 minutes).
- Update power policy for Cart Restarts: This policy is for educational systems that remain on carts overnight and allows updates to be installed even on battery power.
- Display options for update notifications: Use these settings to completely disable update notifications with the option to include or exclude restart warnings.
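The manual settings and the Windows Update for Business policies above are both backed by registry values under the Windows Update policy key, which is what makes them scriptable for a fleet. The following PowerShell is an added example, not code from the article or from Microsoft: it defines constructed update rings that respect the limits the article states (quality deferral up to 30 days, feature deferral up to 365 days, restart deadline 2 to 14 days, active hours spanning at most 18 hours), validates a ring before writing anything, writes the policy values, and reads them back for audit. The ring names and the hypothetical function names are mine; the registry value names under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are assumed from the usual policy-to-registry mapping, so check them against your ADMX templates before deploying.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Registry value names below are ASSUMED to match the Group Policy settings;
# on a domain-joined PC, Group Policy will overwrite them on the next refresh.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Constructed rings. Channel: 16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel.
# ActiveEnd of 0 means midnight, so 6 -> 0 is the "6am to midnight" case from the article.
$Rings = @{
    Pilot    = @{ Channel = 16; FeatureDeferDays = 0;   QualityDeferDays = 0;  ActiveStart = 8; ActiveEnd = 17; DeadlineDays = 2;  ExcludeDrivers = $false }
    Broad    = @{ Channel = 32; FeatureDeferDays = 60;  QualityDeferDays = 15; ActiveStart = 6; ActiveEnd = 0;  DeadlineDays = 7;  ExcludeDrivers = $true  }
    Deferred = @{ Channel = 32; FeatureDeferDays = 365; QualityDeferDays = 30; ActiveStart = 6; ActiveEnd = 0;  DeadlineDays = 14; ExcludeDrivers = $true  }
}

function Get-ActiveHoursSpan {
    param([int]$Start, [int]$End)
    # Active hours may wrap past midnight; compute the span in whole hours.
    if ($End -ge $Start) { return $End - $Start }
    return (24 - $Start) + $End
}

function Test-RingPolicy {
    # Returns a list of problems; an empty list means the ring is acceptable.
    param([hashtable]$Ring)
    $problems = @()
    if ($Ring.Channel -notin 16, 32)                                 { $problems += 'Channel must be 16 (Targeted) or 32 (Semi-Annual Channel)' }
    if ($Ring.FeatureDeferDays -lt 0 -or $Ring.FeatureDeferDays -gt 365) { $problems += 'FeatureDeferDays must be 0-365' }
    if ($Ring.QualityDeferDays -lt 0 -or $Ring.QualityDeferDays -gt 30)  { $problems += 'QualityDeferDays must be 0-30' }
    if ($Ring.DeadlineDays -lt 2 -or $Ring.DeadlineDays -gt 14)          { $problems += 'DeadlineDays must be 2-14' }
    if ($Ring.ActiveStart -notin 0..23 -or $Ring.ActiveEnd -notin 0..23) { $problems += 'Active hours must be whole hours 0-23' }
    elseif ((Get-ActiveHoursSpan $Ring.ActiveStart $Ring.ActiveEnd) -gt 18) { $problems += 'Active hours span must not exceed 18 hours' }
    return $problems
}

function Set-WuRingPolicy {
    param([Parameter(Mandatory)][string]$RingName)
    $ring = $Rings[$RingName]
    if (-not $ring) { throw "Unknown ring '$RingName'" }
    $problems = Test-RingPolicy $ring
    if ($problems.Count -gt 0) { throw ("Ring '{0}' rejected: {1}" -f $RingName, ($problems -join '; ')) }

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $values = @{
        BranchReadinessLevel            = $ring.Channel
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $ring.FeatureDeferDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $ring.QualityDeferDays
        SetActiveHours                  = 1
        ActiveHoursStart                = $ring.ActiveStart
        ActiveHoursEnd                  = $ring.ActiveEnd
        SetAutoRestartDeadline          = 1
        AutoRestartDeadlinePeriodInDays = $ring.DeadlineDays
        ExcludeWUDriversInQualityUpdate = [int]$ring.ExcludeDrivers
        SetDisablePauseUXAccess         = 1   # users cannot pause their way past the deferral window
    }
    foreach ($name in $values.Keys) {
        # New-ItemProperty -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $PolicyKey -Name $name -Value ([int]$values[$name]) -PropertyType DWord -Force | Out-Null
    }
}

function Get-WuPolicyReport {
    # Read the policy values back so a ring's state can be audited or compared.
    if (-not (Test-Path $PolicyKey)) { return 'No Windows Update policy key present; Windows defaults apply.' }
    $p = Get-ItemProperty -Path $PolicyKey
    $channel = 'not set'
    if ($p.BranchReadinessLevel -eq 16) { $channel = 'Semi-Annual Channel (Targeted)' }
    if ($p.BranchReadinessLevel -eq 32) { $channel = 'Semi-Annual Channel' }
    $hours = 'default (8am-5pm)'
    if ($p.SetActiveHours -eq 1) { $hours = '{0}:00 to {1}:00' -f $p.ActiveHoursStart, $p.ActiveHoursEnd }
    [pscustomobject]@{
        Channel             = $channel
        FeatureDeferDays    = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferDays    = $p.DeferQualityUpdatesPeriodInDays
        ActiveHours         = $hours
        RestartDeadlineDays = $p.AutoRestartDeadlinePeriodInDays
        DriversExcluded     = ($p.ExcludeWUDriversInQualityUpdate -eq 1)
        PauseDisabled       = ($p.SetDisablePauseUXAccess -eq 1)
    }
}

# Usage (elevated):
#   Set-WuRingPolicy -RingName Broad
#   Get-WuPolicyReport
```

Validating before writing matters because the Settings UI silently clamps out-of-range values, whereas a script will happily write a 400-day deferral that the servicing engine then ignores; failing loudly keeps the ring definition honest. Pair the deferral you set with a scheduled test-and-approve step inside that window, as the article describes, rather than letting the deferral simply expire.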