Does your business have a comprehensive plan for dealing with Windows updates? It's tempting to think of those downloads as an occasional nuisance, to be swatted away as they arrive. But dealing with updates in reactive fashion is a prescription for frustration and lost productivity.
The alternative is to create a management strategy for testing and deploying updates, so that the process becomes as routine as sending out invoices and closing the books each month.
This article includes all the information you need to understand how Microsoft delivers updates to devices running Windows 10, as well as details about the tools and techniques you can use to manage those updates intelligently on devices running Windows 10 Pro, Enterprise, or Education editions. (Windows 10 Home supports only the most basic update management features and is ill-suited for deployment in business settings.)
But before you touch any of those tools, you need a plan.
What's in your update policy?
The point of an update policy is to make the update process predictable, with procedures for notifying users so that they can plan their work accordingly and avoid unexpected downtime. It also includes protocols for dealing with unexpected issues, including rolling back failed updates.
A sensible update policy sets aside time for dealing with updates each month. In a small organization, this might be a designated maintenance window for every PC in the shop. Large organizations are less likely to embrace a one-size-fits-all policy and will benefit from dividing their PC population into update groups (Microsoft calls them "rings"), with different update strategies for each group.
The policy needs to address several distinct types of updates.
The most familiar are the monthly cumulative security and reliability updates that are delivered on the second Tuesday of each month (aka Patch Tuesday). The Patch Tuesday release typically also includes the Windows Malicious Software Removal Tool and may include any of the following additional types of updates:
- Security updates for .NET Framework
- Security updates for Adobe Flash Player
- Servicing stack updates (which must be installed before other updates)
Installation of any or all those updates can be deferred for up to 30 days using Windows Update for Business policy settings.
Depending on the PC manufacturer, hardware drivers and firmware updates can also be delivered through Windows Update. You can opt out of this category of updates or manage them using the same settings that apply to other updates.
Finally, feature updates are also delivered via Windows Update. These large packages update Windows 10 to the latest version and are released every six months for all Windows editions except the Long Term Servicing Channel (LTSC) releases. You can defer installation of feature updates by up to 365 days using Windows Update for Business. Enterprise and Education editions also get a longer servicing window for the fall (H2) releases, 30 months instead of the usual 18, so large organizations can skip a release outright rather than merely defer it.
With that background, you can now begin assembling an update policy, which should include the following elements for each managed PC:
- When to install monthly updates: Using the default Windows settings, monthly updates are downloaded and installed within 24 hours of their release on Patch Tuesday. You might choose to defer these downloads for some or all PCs in your organization so that you have time to test the updates for compatibility; this delay also allows you to avoid being affected if Microsoft identifies an issue with an update, as has happened on multiple occasions with Windows 10.
- When to install semi-annual feature updates: Using the default Windows settings, feature updates are offered for downloading and installation when Microsoft says they're ready. On a device that Microsoft assesses as well suited for the update, the feature update announcement might arrive within days of its release. For other devices, that availability might be months later or the update might be blocked indefinitely because of a compatibility issue. You can use Windows Update for Business to choose a target feature update for some or all PCs in your organization; you can also specify a delay to allow time for testing the new release. Beginning with version 1903, users of unmanaged PCs will be offered feature updates, but those will only be downloaded and installed if the user specifically requests it or if the current Windows 10 version has reached the end of its support period.
- When to allow PCs to restart to complete installation of updates: Most updates require a restart to complete installation. This restart occurs outside of the default Active Hours setting of 8am to 5pm; you can change this setting to an interval of your choosing, up to 18 hours. Using management tools, you can set specific times to download and install updates.
- How to notify PC users of pending updates and restarts: To avoid unpleasant surprises, Windows 10 notifies users when updates are pending. You have limited control over these notifications from within Windows 10 Settings. Significantly more options are available using Group Policy settings.
- How to handle out-of-band updates: Occasionally, Microsoft releases critical security updates outside of its normal Patch Tuesday schedule. Typically, these are intended to address security vulnerabilities that are being exploited "in the wild." Do you accelerate deployment of these updates or wait until the next scheduled update window?
- How to handle update failures: In the event that an update fails to install or causes problems, what's your response plan?
After defining those elements, it's time to choose your management tool.
Managing updates manually
In very small businesses, including one-person shops, it's easy enough to configure Windows Update manually. Start at Settings > Update & Security > Windows Update. There, you can adjust two groups of settings.
First, click Change Active Hours and adjust the settings to reflect your actual work habits. If you routinely work in the evenings, you can avoid downtime by configuring these values from 6am to midnight, thus ensuring that any scheduled restarts occur in the wee small hours of the morning.
For version 1909 and earlier, click Advanced Options and adjust the settings under the Choose When Updates Are Installed heading to reflect your policy.
- Choose how many days to delay installation of feature updates. The maximum value is 365 days.
- Choose how many days to delay installation of quality updates, including the cumulative security updates released on Patch Tuesday. The maximum value is 30 days.
Other settings on this page control the display of restart notifications (on by default) and whether to allow updates to download on metered connections (off by default).
For version 2004 and later, these options are removed. To set deferrals, you must adjust Group Policy settings, as described in the next section.
(Note that on Windows 10 versions before 1903 you might also see an option to choose a delivery channel: Semi-Annual Channel or the default Semi-Annual Channel [Targeted]. This option is removed as of version 1903, and the setting no longer has any practical effect on older Windows 10 versions.)
Of course, the point of delaying updates is not simply to kick the can down the road so that you (and your users) can be surprised later in the month. If you set a delay of 15 days for quality updates, for example, you should use that time to test updates for compatibility, and schedule your maintenance window for a convenient time before the 15-day deferral period expires.
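The scheduling arithmetic above is easy to get wrong once a deferral is in play, so here is an added PowerShell example (not from the original article) that turns it into a calendar. It computes Patch Tuesday for the coming months, adds the quality update deferral currently set on the PC (read from the policy registry value that the Windows Update for Business setting writes; 0 if none is set), and checks whether a planned maintenance window lands after the release but before the deferral expires. The third-Saturday window and the six-month horizon are assumptions for illustration.

```powershell
# Added example: plan maintenance windows against Patch Tuesday and the quality
# update deferral. Not from the original article; the 3rd-Saturday window and
# 6-month horizon below are assumptions for illustration.

function Get-NthWeekday {
    # Nth occurrence (1-based) of a weekday in a month, e.g. the 2nd Tuesday.
    param([int]$Year, [int]$Month, [DayOfWeek]$DayOfWeek, [int]$N)
    $first  = [datetime]::new($Year, $Month, 1)
    $offset = ([int]$DayOfWeek - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7 * ($N - 1))
}

function Get-PatchTuesday {
    # Monthly cumulative updates ship on the second Tuesday of the month.
    param([int]$Year, [int]$Month)
    return Get-NthWeekday -Year $Year -Month $Month -DayOfWeek Tuesday -N 2
}

function Get-QualityDeferralDays {
    # Value written by "Select when Quality Updates are received" (Windows
    # Update for Business). Returns 0 when no deferral policy is in effect.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.DeferQualityUpdates -eq 1 -and $p.DeferQualityUpdatesPeriodInDays) {
        return [int]$p.DeferQualityUpdatesPeriodInDays
    }
    return 0
}

function Get-UpdateSchedule {
    param(
        [int]$MonthsAhead = 6,
        [int]$DeferralDays = (Get-QualityDeferralDays),
        [DayOfWeek]$MaintenanceDayOfWeek = 'Saturday',   # assumed: 3rd Saturday
        [int]$MaintenanceWeek = 3
    )
    if ($DeferralDays -lt 0 -or $DeferralDays -gt 30) {
        throw "Quality update deferral must be 0-30 days, got $DeferralDays"
    }
    $now = Get-Date
    for ($i = 0; $i -lt $MonthsAhead; $i++) {
        $m       = $now.AddMonths($i)
        $release = Get-PatchTuesday -Year $m.Year -Month $m.Month
        $expires = $release.AddDays($DeferralDays)   # deferred PCs install from here
        $window  = Get-NthWeekday -Year $m.Year -Month $m.Month `
                       -DayOfWeek $MaintenanceDayOfWeek -N $MaintenanceWeek
        [pscustomobject]@{
            PatchTuesday      = $release.ToString('yyyy-MM-dd')
            DeferralExpires   = $expires.ToString('yyyy-MM-dd')
            MaintenanceWindow = $window.ToString('yyyy-MM-dd')
            # Valid only if the window is after release (there is something to
            # test) and no later than expiry (Windows Update does not install
            # the update unannounced first).
            WindowOk          = ($window -gt $release) -and ($window -le $expires)
        }
    }
}

Get-UpdateSchedule | Format-Table -AutoSize
```

With a 0-day deferral, WindowOk is false for every month: the window lands after the update has already installed itself, which is exactly the trap described above. Pass -DeferralDays explicitly to try out candidate policies before setting them.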
Managing updates using Group Policy
All the manual settings listed in the previous section can also be applied using Group Policy, and the full list of Windows Update-related Group Policy settings includes a number of options that go well beyond what's available in Settings.
You can apply these settings to individual PCs using the Local Group Policy Editor, Gpedit.msc, or using scripts. But the most common use is in a Windows domain with Active Directory, where you can push combinations of policies to groups of PCs.
A significant number of policies are exclusively for Windows 10. The most important are those associated with the Windows Update for Business feature, which are located in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
- Select when Preview Builds and Feature Updates are received: Choose a servicing channel and set delays for feature updates.
- Select when Quality Updates are received: Set delays for monthly cumulative updates and other security-related updates.
- Manage preview builds: Specify whether users can join a machine to the Windows Insider Program and, if enabled, specify the Insider ring.
- Select the target Feature Update version: Choose a specific feature update version that you want Windows Update to request in subsequent scans. Note that Windows Update might override this request if the specified version is at or near the end of its support window.
An additional group of policies are in Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Remove access to "Pause updates" feature: Prevent users from interfering with installation of updates by removing the option to pause updates for up to 35 days.
- Remove access to use all Windows Update features: Prevent users from changing any Windows Update settings.
- Allow updates to be downloaded automatically over metered connections: Allow updates to be installed on devices using a metered connection such as an LTE connection.
- Do not include drivers with Windows Updates: Prevent Windows Update from installing device drivers.
The following settings, all specific to Windows 10, apply to restarts and notifications:
- Turn off auto-restart for updates during active hours: Ensure that devices don't restart to install updates during normal working hours.
- Specify active hours range for auto-restarts: Change the default active hours settings.
- Specify deadline before auto-restart for update installation: Choose a deadline (between 2 and 14 days) after which a restart to apply updates will be automatic.
- Configure auto-restart reminder notifications for updates: Increase the time prior to a scheduled restart when the user is notified. Acceptable values are 15 minutes (default) to 240 minutes.
- Turn off auto-restart notifications for update installations: Completely disable restart notifications.
- Configure auto-restart required notification for updates: Prevent notifications from disappearing after 25 seconds and instead require the user to dismiss.
- Do not allow update deferral policies to cause scans against Windows Update: Use this policy to prevent PCs from checking Windows Update when a deferral is assigned.
- Specify Engaged restart transition and notification schedule for updates: Use this policy to allow users to schedule restarts and "snooze" restart reminders.
- Configure auto-restart warning notifications schedule for updates: Configure reminders of automatic restarts (from 2 to 24 hours before; default 4) and warnings of imminent restarts (from 15 to 60 minutes before; default 15).
- Update power policy for Cart Restarts: This policy is for educational systems that remain on carts overnight and allows updates to be installed even on battery power.
- Display options for update notifications: Use these settings to completely disable update notifications with the option to include or exclude restart warnings.
The following policies apply to Windows 10 as well as some older Windows versions:
- Configure Automatic Updates: This powerful group of settings allows you to specify a consistent weekly, bi-weekly, or monthly update schedule, with the option to specify the day and time during which all available updates are automatically downloaded and installed.
- Specify intranet Microsoft update service location: Use this policy to configure a Windows Server Update Services (WSUS) server on a Windows domain network. (See the following section for more on this option.)
- Enable client-side targeting: This setting allows administrators to use Active Directory security groups to define deployment rings when using WSUS.
- Do not connect to any Windows Update Internet locations: On PCs that are connected to a local update server, prevent any connections to outside update servers, including Microsoft Update and the Microsoft Store.
- Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates: Enables the system to wake up a machine and install updates; the system will wake up only if updates are available. If the device is running on battery power, it will not install updates and will go back to sleep within 2 minutes.
- Always automatically restart at the scheduled time: Use this setting to configure a timer (15 minutes to 180 minutes) and automatically restart after installing updates, rather than notifying users.
- No auto-restart with logged on users for scheduled automatic updates installations: This policy overrides the previous policy and prevents restarts when users are signed in.
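For a standalone PC or a test box, the policies listed above can be applied without Gpedit.msc by writing the policy-backed registry values the ADMX templates set. The following is an added PowerShell example (not from the original article): it validates a desired configuration against the ranges the policies accept, writes it, and then reads every value back to report drift. Domain Group Policy rewrites these keys on every refresh, so on domain-joined PCs put the same settings in a GPO instead. The chosen values (15-day quality and 60-day feature deferral, a 1909 target, a Saturday 03:00 install slot) are assumptions for illustration.

```powershell
# Added example (not from the article): write the policy-backed registry values
# that the Group Policy settings above set, validate them against Windows'
# allowed ranges first, then audit for drift. Domain Group Policy rewrites these
# keys on refresh, so on domain-joined PCs configure the same settings in a GPO.
# The chosen values (15/60-day deferrals, 1909 target, Saturday 03:00 install)
# are assumptions for illustration.
#Requires -RunAsAdministrator

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

# Desired state. Value names are the ones the ADMX templates write.
$Policy = [ordered]@{
    # Select when Quality Updates are received: 15-day deferral
    DeferQualityUpdates             = @{ Path = $WU; Value = 1 }
    DeferQualityUpdatesPeriodInDays = @{ Path = $WU; Value = 15 }
    # Select when Preview Builds and Feature Updates are received: 60-day deferral
    DeferFeatureUpdates             = @{ Path = $WU; Value = 1 }
    DeferFeatureUpdatesPeriodInDays = @{ Path = $WU; Value = 60 }
    # Select the target Feature Update version (assumed target)
    TargetReleaseVersion            = @{ Path = $WU; Value = 1 }
    TargetReleaseVersionInfo        = @{ Path = $WU; Value = '1909' }
    # Do not include drivers with Windows Updates
    ExcludeWUDriversInQualityUpdate = @{ Path = $WU; Value = 1 }
    # Remove access to "Pause updates" feature
    SetDisablePauseUXAccess         = @{ Path = $WU; Value = 1 }
    # Specify active hours range for auto-restarts: 06:00 to 00:00 (the 18 h maximum)
    SetActiveHours                  = @{ Path = $WU; Value = 1 }
    ActiveHoursStart                = @{ Path = $WU; Value = 6 }
    ActiveHoursEnd                  = @{ Path = $WU; Value = 0 }
    # Specify deadline before auto-restart for update installation: 7 days
    SetAutoRestartDeadline          = @{ Path = $WU; Value = 1 }
    AutoRestartDeadlinePeriodInDays = @{ Path = $WU; Value = 7 }
    # Configure Automatic Updates: 4 = auto download and schedule install,
    # day 7 = Saturday (0 = every day, 1 = Sunday), hour 3 = 03:00
    NoAutoUpdate                    = @{ Path = $AU; Value = 0 }
    AUOptions                       = @{ Path = $AU; Value = 4 }
    ScheduledInstallDay             = @{ Path = $AU; Value = 7 }
    ScheduledInstallTime            = @{ Path = $AU; Value = 3 }
    # No auto-restart with logged on users for scheduled automatic updates installations
    NoAutoRebootWithLoggedOnUsers   = @{ Path = $AU; Value = 1 }
}

function Test-UpdatePolicy {
    # Reject values outside the ranges the policies accept, plus the one
    # combination where one restart policy silently overrides the other.
    param([System.Collections.IDictionary]$P)
    $errors = @()
    $q = $P['DeferQualityUpdatesPeriodInDays'].Value
    if ($q -lt 0 -or $q -gt 30)  { $errors += "quality deferral $q outside 0-30 days" }
    $f = $P['DeferFeatureUpdatesPeriodInDays'].Value
    if ($f -lt 0 -or $f -gt 365) { $errors += "feature deferral $f outside 0-365 days" }
    $d = $P['AutoRestartDeadlinePeriodInDays'].Value
    if ($d -lt 2 -or $d -gt 14)  { $errors += "restart deadline $d outside 2-14 days" }
    $span = ($P['ActiveHoursEnd'].Value - $P['ActiveHoursStart'].Value + 24) % 24
    if ($span -gt 18) { $errors += "active hours span of $span h exceeds the 18 h maximum" }
    $bothRestart = $P.Contains('AlwaysAutoRebootAtScheduledTime') -and
        ($P['NoAutoRebootWithLoggedOnUsers'].Value -eq 1)
    if ($bothRestart) { $errors += 'NoAutoRebootWithLoggedOnUsers overrides AlwaysAutoRebootAtScheduledTime' }
    return $errors
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $type = if ($Value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $type -Force | Out-Null
}

function Get-UpdatePolicyDrift {
    # Read every value back and flag any that differs from the desired state.
    param([System.Collections.IDictionary]$P)
    foreach ($name in $P.Keys) {
        $actual = (Get-ItemProperty -Path $P[$name].Path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name     = $name
            Expected = $P[$name].Value
            Actual   = $actual
            Drift    = ("$actual" -ne "$($P[$name].Value)")
        }
    }
}

$problems = Test-UpdatePolicy -P $Policy
if ($problems) { throw ($problems -join "`n") }
foreach ($name in $Policy.Keys) {
    Set-PolicyValue -Path $Policy[$name].Path -Name $name -Value $Policy[$name].Value
}
# Windows Update reads the policy keys on its next scan; no gpupdate is needed
# for local registry writes. Re-run the drift report later to catch changes.
Get-UpdatePolicyDrift -P $Policy | Format-Table -AutoSize
```

Running Get-UpdatePolicyDrift on a schedule is the cheap way to notice that a domain GPO, a management agent, or a user with local admin rights has quietly changed the update configuration.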
Enterprise management tools
For large organizations that have an existing Windows network infrastructure, it's possible to bypass Microsoft's update servers and deploy updates from a locally managed server instead. This capability requires significant attention from a corporate IT department, but it pays off in terms of flexibility. The two most popular options are Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).
WSUS is the simpler of the two options. It runs as a Windows Server role and provides a central store for Windows updates within an organization. Using Group Policy, a network administrator points Windows 10 PCs to the WSUS server, which serves as the single source of downloads for the entire organization. From the WSUS administration console, administrators can approve updates and choose when to deliver them to individual client PCs or groups. PCs can be assigned to groups manually, or you can use client-side targeting to deliver updates based on existing Active Directory security groups.
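The client side of that arrangement is three Group Policy settings, and a PC that has been pointed at WSUS but is still talking to Microsoft's servers is a common and silent misconfiguration. The following added PowerShell example (not from the original article) writes the policy-backed values for the intranet update location, client-side targeting, and the block on Internet update locations, then uses the Windows Update Agent COM API to confirm which service the client actually scans against. The server URL and the group name are assumptions for illustration; the computer group must already exist on the WSUS server.

```powershell
# Added example (not from the article): point one Windows 10 PC at a WSUS
# server with client-side targeting, stop it falling back to Microsoft's public
# servers, then confirm through the Windows Update Agent COM API that the client
# really resolves updates from WSUS. The server URL and group name are
# assumptions for illustration; the group must already exist on the server.
#Requires -RunAsAdministrator
param(
    [string]$WsusUrl     = 'https://wsus.corp.example:8531',   # assumed (8531 = WSUS SSL port)
    [string]$TargetGroup = 'Ring1-Pilot'                        # assumed WSUS computer group
)

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $type = if ($Value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $type -Force | Out-Null
}

if ($WsusUrl -notmatch '^https://') {
    # Over plain HTTP the client cannot verify which server it is talking to.
    Write-Warning "WSUS URL $WsusUrl is not HTTPS; the client will accept an unauthenticated server"
}

# Specify intranet Microsoft update service location
Set-PolicyValue -Path $WU -Name 'WUServer'       -Value $WsusUrl
Set-PolicyValue -Path $WU -Name 'WUStatusServer' -Value $WsusUrl
Set-PolicyValue -Path $AU -Name 'UseWUServer'    -Value 1
# Enable client-side targeting
Set-PolicyValue -Path $WU -Name 'TargetGroupEnabled' -Value 1
Set-PolicyValue -Path $WU -Name 'TargetGroup'        -Value $TargetGroup
# Do not connect to any Windows Update Internet locations
Set-PolicyValue -Path $WU -Name 'DoNotConnectToWindowsUpdateInternetLocations' -Value 1

# The agent reads the new policy when the service restarts or on its next scan.
Restart-Service -Name wuauserv

function Get-DefaultUpdateService {
    # The registered service that Automatic Updates will scan against.
    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $sm.Services | Where-Object { $_.IsDefaultAUService } |
        Select-Object Name, IsManaged, ServiceUrl
}

function Test-WsusScan {
    # Scan the managed (WSUS) server only. A failure here means the policy did
    # not take effect or the server is unreachable, and because Internet
    # locations are blocked the client has nowhere to fall back to.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.ServerSelection = 1                 # ssManagedServer
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    [pscustomobject]@{
        ResultCode = $result.ResultCode           # 2 = orcSucceeded
        Pending    = $result.Updates.Count
        Titles     = @($result.Updates | ForEach-Object Title)
    }
}

Get-DefaultUpdateService
Test-WsusScan
```

If Get-DefaultUpdateService still reports "Windows Update" with IsManaged false, a domain GPO is overriding the local policy or the values did not apply; fix that before trusting the deferral and approval settings, since those only govern the server the client actually talks to.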
Because Windows 10 cumulative update files grow progressively larger with each new release, the amount of bandwidth that updates use can be significant. WSUS servers can conserve bandwidth by using a feature called Express Installation Files, which requires more space on the WSUS server but dramatically reduces the size of update files sent to client PCs.
On servers running WSUS 4.0 or later, you can also manage and deploy Windows 10 feature updates.
The second option, System Center Configuration Manager, layers its software update management on top of WSUS to deploy quality and feature updates. A Windows 10 servicing dashboard lets network administrators see which Windows 10 versions are in use across the network and create group-based servicing plans, with information about PCs as they near the end of their support lifecycle.
For organizations that already have deployed Configuration Manager to manage earlier Windows versions, adding support for Windows 10 is a fairly straightforward task.