Policies for update compliance, activity, and user experience
Keeping devices up to date is the best way to keep them working smoothly and securely.

Deadlines for update compliance

You can control how strictly devices must reliably keep to your desired update schedule by using update deadline policies. Windows components adapt based on these deadlines. Also, they can make tradeoffs between user experience and velocity in order to meet your desired update deadlines. For example, they can prioritize user experience well before the deadline approaches, and then prioritize velocity as the deadline nears, while still affording the user some control.

Deadlines

Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: Specify deadlines for automatic updates and restarts.

The older policies started enforcing deadlines once the device reached a “restart pending” state for an update. The new policy starts the countdown for the update installation deadline from when the update is published plus any deferral. In addition, this policy includes a configurable grace period and the option to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic restarts for maximum update velocity).

We recommend you set deadlines as follows:
Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you do not set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you have kiosks or digital signage.

While three days for quality updates and seven days for feature updates is our recommendation, you might decide you want more or less, depending on your organization and its requirements, and this policy is configurable down to a minimum of two days.

Important: If the device is unable to reach the Internet, it can't determine when Microsoft published the update, so it won't be able to enforce the deadline. Learn more about low activity devices.

Grace periods

You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not be forced to update immediately when the user returns.

We recommend you set the following:
Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs regardless of active hours.

Let Windows choose when to restart

Windows can use user interactions to dynamically identify the least disruptive time for an automatic restart. To take advantage of this feature, ensure ConfigureDeadlineNoAutoReboot is set to Disabled.

Device activity policies

Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two of continuous activity, in order to successfully complete a system update. The device could have other physical circumstances that prevent successful installation of an update--for example, if a laptop is running low on battery power, or the user has shut down the device before active hours end and the device cannot comply with the deadline.

You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period.

Active hours

"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.

Important: If you used the Configure Active Hours setting in previous versions of Windows 10, these options must be Disabled in order to take advantage of intelligent active hours.

If you do set active hours, we recommend setting the following policies to Disabled in order to increase update velocity:
Important: Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
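An added example, not part of the original article and not Microsoft's code: a PowerShell check of the deadline settings from the sections above against the stated guidance (three and seven days recommended, two-day minimum, ConfigureDeadlineNoAutoReboot disabled), which also computes each installation deadline from the publish date plus deferral. The function name, the hashtable input and the setting names other than ConfigureDeadlineNoAutoReboot (assumed from the Update policy CSP naming) are assumptions, and the sample values are constructed.

```powershell
# Added example (not Microsoft's code). Setting names other than
# ConfigureDeadlineNoAutoReboot are assumed from the Update policy CSP.
function Test-UpdateDeadlinePolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [datetime]  $Published,   # when the update was published
        [int] $DeferralDays = 0
    )
    $recommended = @{ Quality = 3; Feature = 7 }          # days, per the guidance above
    $findings = [System.Collections.Generic.List[string]]::new()
    $report   = [ordered]@{}

    foreach ($kind in 'Quality', 'Feature') {
        $name = "ConfigureDeadlineFor${kind}Updates"
        if (-not $Policy.ContainsKey($name)) {
            $findings.Add("$name is not set, so no deadline applies to $kind updates")
            continue
        }
        $days = [int]$Policy[$name]
        if ($days -lt 2) {
            $findings.Add("$name = $days is below the two-day minimum")
        } elseif ($days -gt $recommended[$kind]) {
            $findings.Add("$name = $days exceeds the recommended $($recommended[$kind]) days")
        }
        # The countdown runs from publication plus any deferral,
        # not from the moment a restart becomes pending.
        $report["${kind}Deadline"] = $Published.AddDays($DeferralDays + $days)
    }
    if (-not $Policy.ContainsKey('ConfigureDeadlineGracePeriod')) {
        $findings.Add('ConfigureDeadlineGracePeriod is not set')
    }
    if ($Policy['ConfigureDeadlineNoAutoReboot'] -eq 1) {
        $findings.Add('ConfigureDeadlineNoAutoReboot is enabled; automatic restarts wait for the deadline')
    }
    $report['Findings'] = $findings
    [pscustomobject]$report
}

# Constructed sample values, not taken from a real device.
$sample = @{
    ConfigureDeadlineForQualityUpdates = 1
    ConfigureDeadlineForFeatureUpdates = 14
    ConfigureDeadlineNoAutoReboot      = 1
}
$r = Test-UpdateDeadlinePolicy -Policy $sample -Published ([datetime]'2024-01-09') -DeferralDays 2
$r.Findings
$r | Format-List QualityDeadline, FeatureDeadline
```

Fill the hashtable from whatever your management tool exports for each device; the function only evaluates the values it is given.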
Power policies

Devices must actually be available during non-active hours in order to install an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:

To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.

You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours.

Note: One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode.

We recommend these power management settings:
Set the following policies to Enable or Do Not Configure in order to allow the device to use sleep mode:
Set the following policies to 1 (Sleep) so that when a user closes the lid of a device, the system goes to sleep mode and the device has an opportunity to take an update:
Note: This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running

The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
Old or conflicting policies

Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.

Important: If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface.

As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.

Important: We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
There are additional policies that are no longer supported or have been superseded.

What is a window stop error commonly called?
A blue screen error (also called a stop error) can occur if a problem causes your device to shut down or restart unexpectedly.
Which of the following actions are you most likely to take in the event your mobile device has suffered unauthorized access via malware quizlet?
Which of the following actions will you most likely take in the event your mobile device has suffered unauthorized access via malware? Reinstall apps, change your password, uninstall apps, restore from cloud backup.
What is the correct troubleshooting order when troubleshooting a software issue?
The CompTIA troubleshooting methodology:
1. Identify the problem.
2. Establish a theory of probable cause.
3. Test the theory to determine the cause.
4. Establish a plan of action to resolve the problem and implement the solution.
Which of the following tabs would you access in Internet option in order to manage add ons?
Select Tools > Manage Add-ons. (Or choose Tools > Internet Options, click the Programs tab, then click Manage Add-ons.)