Microsoft: These are the Windows Update policies to use for your PCs (and rollercoasters)
Microsoft has detailed how you should use Windows Update policies to keep your devices updated and secure, from single-user devices right through to kiosks and billboards – and rollercoasters.
The tech giant’s first bit of advice for admins using Windows Group Policy to manage enterprise Windows 10 and Windows 11 devices is don’t mess too much with the defaults.
Admins shouldn’t try too hard to customize device security patching and feature updates because the defaults are “often the best”, according to Microsoft. This focus on defaults keeps users happy and productive, while ensuring devices are patched and up to date.
Admins can use Group Policy to control the timing of updates for Patch Tuesday, emergency patches, and new feature releases of Windows. The default for Windows Update in the enterprise is much like the experience for consumers on Windows PCs. But Windows and Windows Update are also used in many other ways to keep all manner of devices operational when needed while still patching them regularly during downtime.
The default Windows Update policy is for devices to scan daily, automatically download and install any applicable updates “at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away,” according to Microsoft senior program manager Aria Carley.
“Leverage the defaults!” Carley said.
But there are so many use cases for Windows that the defaults can’t cover every scenario. Besides single-user personal Windows devices, there are: multi-user devices; education devices; kiosks and bank ATMs; factory machines, rollercoasters, and critical infrastructure; and Microsoft Teams Rooms devices.
While the defaults are a good baseline, Carley offers details about how to use Group Policy to tweak the timing of automatic updates for each use case. She’s also compiled a list of 25 Group Policy settings that admins should not use.
For use cases where Group Policy can be used, admins can specify “the number of days before an update is forced to install” during active hours, when the user may be present. This is applicable to single-user devices that could be connected to the corporate network or used remotely.
Microsoft recommends the use of deadlines because of heightened security risks from ransomware and destructive malware. The US Cybersecurity and Infrastructure Security Agency (CISA) is concerned destructive malware may target US organizations due to US sanctions on Russia over its invasion of Ukraine.
Multi-user devices like HoloLens or a PC in a lab or library setting may have set periods in which they are used, such as a building’s opening hours. Updating these at midnight, when staff are away, could be ideal.
For education devices, admins can ensure Windows Update notifications or automatic reboots don’t happen during the school day. To do this while remaining patched, admins can check the new Group Policy checkbox option “Apply only during active hours”.
However, this feature is currently only for devices in the Windows Insider Program for Business in the Dev or Beta channels. Microsoft notes: “For those on Windows 10 or Windows 11, version 21H2 devices, we do not recommend configuring this and instead recommend leveraging the default experience.”
Another relevant Group Policy setting is “Turn off auto-restart for updates during active hours”, which overrides Microsoft’s default “intelligent active hours” – a window calculated on the device itself from observed usage.
For things like kiosks, billboards and ATMs, owners may wish for no notifications or auto reboots, and prefer to reboot during ‘low visibility’ hours. There are four relevant policies for these devices to avoid notifications that would be useless and disruptive to passive users, as well as reboots during typical active hours. Admins have an option to set the update to occur at 3AM daily, the assumed low visibility hour.
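The settings described above (deadlines, active hours, and a fixed daily install hour for kiosks) are delivered to the device as registry values under the Windows Update policy keys. The following read-only audit is an added example, not code from Microsoft or the article; the value names are the documented policy-backed registry values, while the three profiles it checks against are this script's own assumptions:

```powershell
# Read-only audit of the registry values Group Policy writes for Windows Update.
# Run in an elevated PowerShell on Windows 10/11. The 'Kiosk' and 'Deadline'
# profile expectations below are assumptions for illustration, not Microsoft's.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the policy is not configured (key or value absent).
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.PSObject.Properties[$Name].Value
}

function Get-WindowsUpdatePolicyAudit {
    [pscustomobject]@{
        # "Turn off auto-restart for updates during active hours" (overrides intelligent active hours)
        SetActiveHours                = Get-PolicyValue $wuKey 'SetActiveHours'
        ActiveHoursStart              = Get-PolicyValue $wuKey 'ActiveHoursStart'
        ActiveHoursEnd                = Get-PolicyValue $wuKey 'ActiveHoursEnd'
        # Compliance deadlines: days before an update is forced to install
        SetComplianceDeadline         = Get-PolicyValue $wuKey 'SetComplianceDeadline'
        DeadlineQualityDays           = Get-PolicyValue $wuKey 'ConfigureDeadlineForQualityUpdates'
        DeadlineFeatureDays           = Get-PolicyValue $wuKey 'ConfigureDeadlineForFeatureUpdates'
        DeadlineGraceDays             = Get-PolicyValue $wuKey 'ConfigureDeadlineGracePeriod'
        # Automatic Updates: AUOptions 4 = auto download and schedule the install
        AUOptions                     = Get-PolicyValue $auKey 'AUOptions'
        ScheduledInstallDay           = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day
        ScheduledInstallTime          = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour, 0-23
        NoAutoRebootWithLoggedOnUsers = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    }
}

function Test-UpdateProfile {
    param([ValidateSet('Baseline','Kiosk','Deadline')][string]$Profile)
    $a = Get-WindowsUpdatePolicyAudit
    switch ($Profile) {
        'Baseline' { # "leverage the defaults": no Windows Update policy values should be present
            $set = $a.PSObject.Properties | Where-Object { $null -ne $_.Value }
            $set.Count -eq 0 }
        'Kiosk'    { # assumed profile: scheduled install every day at 03:00, the article's low-visibility hour
            $a.AUOptions -eq 4 -and $a.ScheduledInstallDay -eq 0 -and $a.ScheduledInstallTime -eq 3 }
        'Deadline' { # assumed profile: compliance deadline enabled with a quality-update deadline and grace period
            $a.SetComplianceDeadline -eq 1 -and $a.DeadlineQualityDays -ge 1 -and $a.DeadlineGraceDays -ge 1 }
    }
}

Get-WindowsUpdatePolicyAudit | Format-List
'Baseline','Kiosk','Deadline' | ForEach-Object { "{0,-8}: {1}" -f $_, (Test-UpdateProfile $_) }
```

A device that passes 'Baseline' has no update policy configured and follows Microsoft's default scan, install and restart behavior; any populated value shows which of the tweaks above an admin has applied.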
There are some devices that you might not think of as needing Windows Update, but admins of factory devices, rollercoasters and critical infrastructure also get advice on how to manage automatic update behavior if needed.
As Carley notes: “Machines on the factory floor, rollercoasters at amusement parks, and other critical infrastructure can all require updates. Given the criticality of these devices, it is pivotal that they stay secure, stay functional, and are not interrupted in the middle of a task. Often these are some of the devices in the final wave when rolling out an update after everything else has been validated.”
Carley adds: “Note: This is one of the only use cases where compliance deadlines are not recommended given automatic updates are never acceptable in this scenario.”