Microsoft: These are the Windows Update policies for your PCs (and roller coasters)

Microsoft has detailed how to use Windows Update policies to keep your devices up-to-date and secure, from single-user devices to kiosks and billboards — and roller coasters.

The tech giant’s first piece of advice for administrators using Windows Group Policy to manage Windows 10 and Windows 11 business devices is not to mess with the default settings too much.

Administrators shouldn’t over-tune how security patches and feature updates are delivered, because the default settings are “often the best,” according to Microsoft. Sticking with the defaults keeps users happy and productive while devices stay patched and up to date.


Administrators can use Group Policy to control the timing of Patch Tuesday updates, emergency patches, and new Windows feature releases. The standard for Windows Update in the enterprise is very similar to the consumer experience on Windows PCs. But there are many other ways that Windows and Windows Update are used to keep all kinds of devices operational when needed and also regularly patched during downtime.

The standard Windows Update policy is to scan devices daily, automatically download and install all applicable updates “at a time optimized to reduce interference with use, and then try to reboot automatically when the end user is away,” said senior Microsoft program manager Aria Carley.

“Use the default values!” said Carley.

But there are so many use cases for Windows that the default settings cannot cover every scenario. In addition to single-user personal Windows devices, there are: multi-user devices; teaching devices; kiosks and ATMs; factory machinery, roller coasters and critical infrastructure; and Microsoft Teams Rooms devices.

While the default settings are a good foundation, Carley provides details on how to use Group Policy to customize the timing of automatic updates for each use case. She also compiled a list of 25 Group Policy settings that administrators should not use.

Where Group Policy applies, administrators can set a deadline, “the number of days before an update is forced to install”, which takes effect even during active hours, when the user is expected to be present. This applies to single-user devices whether they are connected to the corporate network or used remotely.

Microsoft recommends the use of deadlines due to increased security risks from ransomware and destructive malware. The US Cybersecurity and Infrastructure Security Agency (CISA) is concerned that destructive malware could target US organizations as a result of US sanctions against Russia over its invasion of Ukraine.

Multi-user devices, such as HoloLens or a PC in a lab or library, often have fixed hours of use, such as building hours. Updating them at midnight, when staff are away, may be ideal.

For educational devices, administrators can prevent Windows update notifications or automatic restarts from occurring during the school day. To do this while remaining patched, administrators can check the new Group Policy option “Only apply during active hours”.

However, this feature is currently only available for devices in the Windows Insider Program for Business in the Dev or Beta channels. Microsoft notes, “For those with Windows 10 or Windows 11, version 21H2 devices, we recommend not configuring this and using the default experience instead.”

Another relevant Group Policy setting is “Disable automatic restart for updates during active hours”, which overrides Microsoft’s default “intelligent active hours”, a window each device calculates from its own usage patterns.


For things like kiosks, billboards, and ATMs, owners may not want notifications or automatic reboots at all, preferring to reboot during “low visibility” hours. Four policies are relevant for these devices: they suppress notifications that would be useless and disruptive to passive users, and they avoid reboots during typical active hours. Admins can have the update install daily at 3:00 AM, the assumed low-visibility hour.

Some devices might seem not to need Windows Update at all, but even administrators of factory machinery, roller coasters, and critical infrastructure get advice on how to manage automatic update behavior when updates are needed.

As Carley points out, “Factory floor machines, theme park roller coasters, and other critical infrastructure can all require updates. Given the critical nature of these devices, it is critical that they remain secure, remain functional, and are not interrupted in the middle of a task. Often these are some of the devices in the latest wave of rolling out an update after everything else has been validated.”

Carley added, “Note: This is one of the few cases where compliance deadlines are not recommended, as automatic updates are never acceptable in this scenario.”
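As an added illustration (not from the article or from Microsoft), the PowerShell audit script below reads the registry values that the Windows Update Group Policy settings discussed above write on a device and classifies the machine under the article's use cases; the profile labels are my own mapping, while the registry value names are the ones those policies set.

```powershell
# Added audit script (not Microsoft's): reports which registry-backed Windows Update
# Group Policy values are set on the local PC and maps them to the article's use cases.
# Run in an elevated PowerShell; values under HKLM\...\Policies are what Group Policy writes.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, so Microsoft's default behaviour is in effect
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$settings = [ordered]@{
    # "Specify deadlines for automatic updates and restarts"
    QualityDeadlineDays  = Get-PolicyValue $wu 'ConfigureDeadlineForQualityUpdates'
    FeatureDeadlineDays  = Get-PolicyValue $wu 'ConfigureDeadlineForFeatureUpdates'
    DeadlineGraceDays    = Get-PolicyValue $wu 'ConfigureDeadlineGracePeriod'
    DeadlineNoAutoReboot = Get-PolicyValue $wu 'ConfigureDeadlineNoAutoReboot'
    # "Turn off auto-restart for updates during active hours" (overrides intelligent active hours)
    ActiveHoursEnforced  = Get-PolicyValue $wu 'SetActiveHours'
    ActiveHoursStart     = Get-PolicyValue $wu 'ActiveHoursStart'
    ActiveHoursEnd       = Get-PolicyValue $wu 'ActiveHoursEnd'
    # "Configure Automatic Updates": AUOptions 4 = auto download and schedule the install
    AUOptions            = Get-PolicyValue $au 'AUOptions'
    ScheduledInstallDay  = Get-PolicyValue $au 'ScheduledInstallDay'   # 0 = every day
    ScheduledInstallTime = Get-PolicyValue $au 'ScheduledInstallTime'  # hour, 0-23
    NoRebootWithUsers    = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
}

function Get-UpdateProfile([System.Collections.IDictionary]$s) {
    # Rough classification that follows the article's use cases (my own mapping)
    if ($null -ne $s.QualityDeadlineDays -or $null -ne $s.FeatureDeadlineDays) {
        return 'Deadline-driven (single-user devices; not recommended for critical infrastructure)'
    }
    if ($s.AUOptions -eq 4 -and $s.ScheduledInstallDay -eq 0) {
        return ('Scheduled daily install at {0:00}:00 (kiosk/billboard/ATM style)' -f $s.ScheduledInstallTime)
    }
    if ($s.ActiveHoursEnforced -eq 1) {
        return ('Fixed active hours {0}:00-{1}:00 (multi-user/education style)' -f $s.ActiveHoursStart, $s.ActiveHoursEnd)
    }
    return 'Defaults in effect (Microsoft''s recommendation for most devices)'
}

$settings.GetEnumerator() | ForEach-Object {
    '{0,-22} {1}' -f $_.Key, $(if ($null -eq $_.Value) { '(not set)' } else { $_.Value })
}
"Profile: $(Get-UpdateProfile $settings)"
```

A fleet-wide version would run the same checks over each device (for example through a remoting session) and flag critical-infrastructure machines that have a deadline configured, since the article says deadlines are not recommended there.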
