
Microsoft shares helpful Group Policy tutorials to get the most out of Windows Updates

May 02, 2023 pm 09:22 PM

Microsoft has shared a helpful reference for organizations to set appropriate Group Policy settings for various devices. These include:

  • Single user or personal devices
  • Multi-user devices
  • Educational devices
  • Kiosks and billboards
  • Factory machines, roller coasters, and the like
  • Microsoft Teams Rooms devices

However, the company recommends using the default settings for most use cases. The policies discussed here are documented under: Policy CSP - Update

Managing Single-User Devices

A single-user device is a user-owned or company-owned device that is used by one person. In addition to personal computing tasks, these devices can be used for mixed work activities, including meetings, presentations, and any number of other tasks. As with any of these tasks, interruptions can hinder productivity. Because these devices are often connected to corporate networks and access sensitive information, they must remain secure, so some supporting policies should be considered.

This situation may require:

  • Fewer interruptions during the work day or when the device is actively used.
  • Devices may not be removed during meetings and/or presentations.
  • All data must be saved.
  • Users want to have some level of control over their devices.
  • Devices must meet specific compliance standards.

Note: All requirements, except ensuring that the device meets specific compliance standards, are fulfilled through the default experience.

Policy Description When to set it and why
GP Name:
Specify deadlines for automatic updates and restarts

GP Setting Name:
For quality updates: Deadline (days), Grace period (days)
For feature updates: Deadline (days), Grace period (days)
CSP name:
For quality updates: ConfigureDeadlineForQualityUpdates,
ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates,
ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before forcing updates to be installed on a device during active hours when the user may be present. This policy is always recommended for commercial or educational environments that have compliance needs or are concerned with keeping devices secure.

Note: From our perspective, safety is the most important, and deadlines are a great way to ensure safety.

Image: Specify deadlines for automatic updates and restarts through policies

Multi-user devices

A multi-user device is a shared device that is used by multiple people over a period of time. This is a common situation, especially with devices like HoloLens or PCs used in lab or library environments. For these devices, there may be a defined period of use. For example, if they stay powered on overnight in a lab that does not allow access after 12 AM, then you can safely update them at that time. Additionally, you may not want end users to schedule updates, because they may schedule them for a time when another user is present, which would result in a poor experience.

This situation may require:

  • Almost no notifications during use.
  • It will not automatically restart during use.
  • End users should not be able to schedule a reboot.
  • Schedule automatic wake-up and restart at specific times.
  • Keep your device safe and protected.

Note: Most of the above can be achieved through the default experience without configured policies. That said, if the default experience doesn't meet your needs, here's what you can consider.

Policy Description When to set it and why
GP name:
Configure automatic updates

GP setting name:
Planned installation time: X time every day
CSP Name:
AllowAutoUpdate = 3, ScheduledInstallTime

This policy enables you to manage automatic update behavior.

Scheduled installation time (3): limits the device to installing at the specified time until the deadline is reached.

If no policy is configured, end users will get the default behavior (automatic installation and restart). If no date and time is specified, it defaults to 3 AM every day.

This policy is only recommended when there is a regular, specific window in which the multi-user device is not in use.

GP Name:
Remove access to all Windows Update features

GP Setting Name:
Not applicable
CSP Name:
Update/SetDisableUXWUAccess

This policy removes the end user's ability to scan, download, or install from the Windows Update settings page. This policy is only recommended if your end users are configuring update settings that cause update behavior to disrupt other users of the shared device.

GP Name:
Turn off auto-restart for updates during active hours

GP Setting Name:
Active Hours: Start, End
CSP Name:
ActiveHoursStart, ActiveHoursEnd

This policy enables you to specify a time when the device should not restart.

This overrides the default smart active hours calculated on the device based on user usage.

We recommend that you only utilize the default built-in smart active hours calculated on your device.

That said, you can take advantage of this policy if you deem it necessary and if there is a period of time when the device is allowed to be used or reboots are not allowed. For example, if this is a device in a library or lab and you find that smart active hours don't meet your needs, you may want to set the active hours to the building's business hours to ensure the device doesn't update until it is no longer in use.

GP Name:
Specify deadlines for automatic updates and restarts

GP Setting Name:
For quality updates: Deadline (days), Grace Period (days)
For feature updates: Deadline (days), Grace Period (days)
CSP Name:
For quality updates: ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before forcing an update to be installed on a device during active hours when the user may be present. This policy is always recommended for commercial or educational environments that have compliance needs or are concerned with keeping devices secure.

Note: From our perspective, safety is the most important, and deadlines are a great way to ensure safety.

Educational Devices

Educational devices are single-user or shared devices used by students and teachers in a school environment. This includes both personal devices and devices that may be stored in classroom computer carts for shared use. In this case, any form of notification can be extremely disruptive in a classroom environment.

This situation may require:

  • No notification during class.
  • It will not automatically restart during class.
  • Keep your device safe and protected.

NOTE: While the default settings may not automatically restart during class, you may want to consider the following to ensure your device is protected and prevent notifications during class.

Policy Description When to set it and why
GP Name:
Display options for update notifications

GP Setting Name:
Turn off notifications. Check the "Apply only during active hours" checkbox
CSP Name:
UpdateNotificationLevel,
NoUpdateNotificationsDuringActiveHours (currently only in the active branch)

This policy allows you to define the Windows update notifications users see, including the ability to turn off all notifications, including restart warnings.

"Apply only during active hours" causes notifications to be turned off only during active hours.

The "Apply only during active hours" feature is new and currently only available for devices utilizing the Dev or Beta channels in the Windows Insider Program for Business. This policy allows you to turn off Windows Update notifications only during active hours. Please try it out in the Beta Channel and provide feedback!

For users using Windows 10 or Windows 11 version 21H2 devices, we do not recommend configuring this option and instead recommend leveraging the default experience.

GP Name:
Specify deadlines for automatic updates and restarts

GP Setting Name:
For quality updates: Deadline (days), Grace Period (days)
For feature updates: Deadline (days), Grace Period (days)
CSP Name:
For quality updates: ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before forcing an update to be installed on a device during active hours when the user may be present. This policy is always recommended for commercial or educational environments that have compliance needs or are concerned with keeping devices secure.

Note: From our perspective, safety is the most important, and deadlines are a great way to ensure safety.

GP Name:
Turn off auto-restart for updates during active hours

GP Setting Name:
Active Hours: Start, End
CSP Name:
ActiveHoursStart, ActiveHoursEnd

This policy enables you to specify a time when the device should not restart.

This overrides the default smart active hours calculated on the device based on user usage.

We recommend that you only utilize the default built-in smart active hours calculated on your device.

That said, you can take advantage of this policy if you deem it necessary and if there is a period of time when the device is allowed to be used or reboots are not allowed. For example, if this is a device in a library or lab and you find that smart active hours don't meet your needs, you may want to set the active hours to the building's business hours to ensure the device doesn't update until it is no longer in use.

Image: Display options for end-user update notifications

Kiosks and billboards

Kiosks are simple user interfaces that can be used to complete specific tasks or obtain information without training or documentation. An example is an automated teller machine (ATM). These devices are often left unattended for long periods of time, meaning no end user can interact with them or trigger a reboot. Similarly, billboards that convey information are often designed to display content to, or obtain interaction from, end users, but without end users interacting with updates. These devices still need to be kept secure and up to date, without end users who walk or drive by seeing a "Reboot Now" notification on the screen.

This situation may require:

  • No notification.
  • There is no automatic restart during certain periods.
  • Schedule a reboot at a specific time during low visibility/usage situations.
  • No end user interaction.

Note: By default, after installation is complete, the device will automatically restart outside of active hours. However, to ensure that notifications cause no interruptions, we recommend configuring the following.

Policy Description When to set it and why
GP Name:
Display options for update notifications

GP Setting Name:
Turn off notifications
CSP Name:
UpdateNotificationLevel

This policy allows you to define the Windows update notifications that users see. This includes the ability to turn off all notifications, including restart warnings. This policy is recommended for devices with no active end users, where notifications can be disruptive and useless (such as kiosks and billboards).

GP Name:
Configure Automatic Updates

GP Setting Name:
Planned Installation Time: Every day at

Scheduled installation time (3): limits the device to installing at the specified time until the deadline is reached.

If no policy is configured, the device will follow the default behavior (automatic installation and restart). If no date and time is specified, it defaults to 3 AM every day.

This policy can be used when the usage or visibility of the kiosk or billboard is low during specific periods. That said, you can achieve similar results by configuring active hours (see the next entry).

GP Name:
Turn off auto-restart for updates during active hours

GP Setting Name:
Active Hours: Start, End
CSP Name:
ActiveHoursStart, ActiveHoursEnd

This policy enables you to specify a time when the device should not restart.

This overrides the default smart active hours calculated on the device based on usage.

You can set active hours to the window when the device is most likely to be in use or visible. This ensures that restarts occur outside of that window, which may cause less disruption.

GP Name:
Specify deadlines for automatic updates and restarts

GP Setting Name:
For quality updates: Deadline (days), Grace Period (days)
For feature updates: Deadline (days), Grace Period (days)
CSP Name:
For quality updates: ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod

For feature updates: ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineGracePeriodForFeatureUpdates

This policy allows you to specify the number of days before forcing an update to be installed on a device during active hours when the user may be present. This policy is always recommended for commercial or educational environments that have compliance needs or are concerned with keeping devices secure.

Note: From our perspective, safety is the most important, and deadlines are a great way to ensure safety.

Factory machines, roller coasters and the like

There are some devices that we often don't even think of as needing updates unless we are the ones managing them. Machinery on factory floors, roller coasters at amusement parks, and other critical infrastructure may all need updating. Given the critical nature of these devices, it is essential that they remain safe, remain functional, and not be interrupted in the middle of a mission. Usually these are among the devices in the last wave, when the update rolls out after everything else has been verified.

This situation may require:

  • End users initiate updates, or updates occur at a specific time.
  • Never automatically restarts.

Note: This is one of the only use cases where adhering to deadlines is not recommended, as automatic updates can never be accepted in this case.

Policy Description When to set it and why
GP Name:
Configure Automatic Updates

GP Setting Name:
Planned Installation Time: X time every day
or

Notify Download/Notify Installation
CSP Name:
AllowAutoUpdate = 3, ScheduledInstallTime
or

AllowAutoUpdate = 0

This policy enables you to manage automatic update behavior.

Scheduled installation time (3): limits the device to installing at the specified time until the deadline is reached.

Notify download (0): requires the end user to take action (via notifications or the settings page) to download the update.

It is recommended to use the scheduled installation policy during specific periods of time when the device is not in use.

Notified downloads or notified installations are only recommended if there are negative consequences from any unintended updates not triggered by the end user.

Note: If you need full control, you can also disable automatic updates by disabling this policy and end users will have to manually initiate scans, downloads, installations, and reboots. This is only recommended in specific situations where high-touch management of updates is required. This puts the device at high risk of becoming insecure and missing updates.

Microsoft Teams Rooms Devices

Microsoft Teams Rooms devices are actively managed by Microsoft "out of the box." This enables you to take a hands-off approach that requires no policies to be configured. Teams Rooms successfully stays up to date with verified updates. By default, only updates that Microsoft has verified will be delivered to the device and installed automatically. We recommend not configuring any policies on Microsoft Teams Rooms devices, especially any product policies, as they may conflict with the Microsoft Teams Rooms management that is already in place. Such conflicts lead to a degraded experience. Learn more about update management for Microsoft Teams Rooms.
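
The per-scenario recommendations above, expressed as a check over one device's Update CSP values (an added example, not code from Microsoft or from the original article). It covers all six device classes at once; the scenario names, the sample profiles and the rule that a scheduled install time should fall outside active hours are assumptions of this example, and the `UpdateNotificationLevel` value 2 is taken from the Policy CSP documentation rather than from this page.

```python
# Added example: lint one device's Update CSP settings against the per-scenario
# guidance in this article. Scenario names, rule wording and samples are constructed.

DEADLINE_KEYS = (
    "ConfigureDeadlineForQualityUpdates",
    "ConfigureDeadlineGracePeriod",
    "ConfigureDeadlineForFeatureUpdates",
    "ConfigureDeadlineGracePeriodForFeatureUpdates",
)
NOTIFY_DOWNLOAD, SCHEDULED_INSTALL = 0, 3  # AllowAutoUpdate values named in the article
NOTIFICATIONS_OFF = 2  # UpdateNotificationLevel: all off, incl. restart warnings (Policy CSP docs)
HOUR_KEYS = ("ScheduledInstallTime", "ActiveHoursStart", "ActiveHoursEnd")


def in_active_hours(hour, start, end):
    """True if `hour` falls in [start, end); the window may wrap past midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def lint(scenario, settings):
    """Return a list of findings for one device's Update CSP settings (a dict)."""
    findings = []
    auto = settings.get("AllowAutoUpdate")
    has_deadline = any(key in settings for key in DEADLINE_KEYS)

    bad_hours = [k for k in HOUR_KEYS if k in settings and settings[k] not in range(24)]
    findings += [f"{k}={settings[k]} is not an hour 0-23" for k in bad_hours]

    start, end = settings.get("ActiveHoursStart"), settings.get("ActiveHoursEnd")
    if (start is None) != (end is None):
        findings.append("ActiveHoursStart and ActiveHoursEnd must be set together")

    install = settings.get("ScheduledInstallTime")
    if install is not None and auto != SCHEDULED_INSTALL:
        findings.append("ScheduledInstallTime is set but AllowAutoUpdate is not 3")
    # Example's own consistency rule: do not schedule installs inside the
    # window in which the device is declared to be in use.
    if not bad_hours and None not in (install, start, end):
        if in_active_hours(install, start, end):
            findings.append(f"ScheduledInstallTime={install} falls inside active hours")

    if scenario == "teams_rooms":
        if settings:
            findings.append("Teams Rooms: configure no update policies")
    elif scenario == "factory":
        if has_deadline:
            findings.append("factory: deadlines are not recommended for this use case")
        if auto not in (NOTIFY_DOWNLOAD, SCHEDULED_INSTALL):
            findings.append("factory: AllowAutoUpdate should be 0 or 3")
    else:
        if not has_deadline:
            findings.append(f"{scenario}: no deadline policy is configured")
        if scenario == "kiosk" and settings.get("UpdateNotificationLevel") != NOTIFICATIONS_OFF:
            findings.append("kiosk: UpdateNotificationLevel should turn off all notifications")
    return findings


# Constructed sample profiles (not taken from the article).
LAB_PC = {"AllowAutoUpdate": 3, "ScheduledInstallTime": 2, "ActiveHoursStart": 8,
          "ActiveHoursEnd": 22, "ConfigureDeadlineForQualityUpdates": 3,
          "ConfigureDeadlineGracePeriod": 1}
KIOSK = {"AllowAutoUpdate": 3, "ScheduledInstallTime": 23, "ActiveHoursStart": 18,
         "ActiveHoursEnd": 2}
PRESS_LINE = {"AllowAutoUpdate": 0, "ConfigureDeadlineForQualityUpdates": 7}

if __name__ == "__main__":
    for name, scenario, profile in (("lab PC", "multi_user", LAB_PC),
                                    ("kiosk", "kiosk", KIOSK),
                                    ("press line", "factory", PRESS_LINE)):
        print(name, lint(scenario, profile) or "OK")
```

The settings dictionary can be filled from whatever inventory or management export you already have; the check itself reads nothing from the device.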
