Microsoft will make business patching a bit easier

Topic

New Reply

PATCH WATCH By Susan Bradley As I look over the September updates on this smoky, orange-colored day, I see some interesting changes coming for busines
[See the full post at: Microsoft will make business patching a bit easier]

3 users thanked author for this post.

abbodi86, Fred, woody

Reply | Quote

Replies

A question about deferring updates via Group Policy “Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business/Select when Quality Updates are received“…

In your 3/2/20 article “Questions on controlling Windows 10 updating”, you recommended setting Group Policy “Computer Configuration/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates” as follows:

Select “Enabled”
Select “4 – Auto download and schedule the install”
Check “Install during automatic maintenance”
Schedule install day and select a day of the week
Schedule install time
Check “Third (or Fourth) week of the month”
Check “Install updates for other Microsoft products”

If I also enable Group Policy “Select when Quality Updates are received“, and set the number of days to 30, will that conflict with Group Policy “Configure Automatic Updates“?

My desired outcome is to delay each set of Patch Tuesday updates until one or two days prior to the following Patch Tuesday.

Also, PKCano recommends setting Group Policy “Configure Automatic Updates” to “2 – Notify for download and auto install”. Would that setting help avoid possible conflict with Group Policy “Select when Quality Updates are received“?

Reply | Quote

The settings in AKB2000016 Guide for Windows Update Settings for Win10 are aimed at consumers, not business. That is stated at the very top of the Guide.

The “2” in Group Policy leaves the updates waiting in the WU queue and the update time is left to the User of the computer, not a business IT scheduled maintenance window. Susan’s recommendations are for the Business environment where control of updating, by necessity, needs to be by a management schedule. This is a completely different ballgame.

Reply | Quote

So, is the best way to delay each set of Patch Tuesday updates for 4 weeks to set policy “Configure Automatic Updates” to “2 – Notify for download and auto install”, leaving policy “Select when Quality Updates are received” alone (disabled), and then manually select “Settings/Windows Update/Check for updates” each month on the Monday preceding Patch Tuesday?

If so, since I currently have policy “Configure Automatic Updates” set as described by Susan, if I revise that policy to “2 – Notify for download and auto install”, what will happen to the September updates? Will they be held until I manually check for updates, or will updating the policy result in the September updates being immediately installed? Would it be safer to wait a couple of weeks before revising the policy?

Reply | Quote

How you set the Policy depends entirely on how you want to handle updates. I have not used Susan’s settings because I am no longer dealing with IT restrictions. If you want to know how my recommendations work, they are outlined in AKB2000016 (linked above).

I want to personally be in control of updates. I want to know what’s out there, but I want to choose when and how I update. So I set Feature deferral to 365 days, then I can adjust that number to control which version and when I upgrade. I set Quality deferral to 0 (zero) days because I want to see which updates are being offered as soon as they are released (so I can hide what I don’t want). I set the “2” notify download/install so I can download/install manually at a time of my choosing. That’s my outline and I have set WU to follow it. But that’s not a business environment where there are update policies and time constraints.

The first thing that needs to be done, IMO, is to outline how you want Windows Update to work. Then make the settings follow your outline.

1 user thanked author for this post.

Bruce

Reply | Quote