How to take control of Windows 10 security update settings

It's often wise to defer Windows 10 or Server 2019 security updates to let the glitches shake out. Here are the settings needed to make that happen.

Windows 10 update settings are varied and at times confusing. The following settings allow me to control exactly when security (and other) updates are automatically installed on my systems. You can use these Windows Update for Business settings on a standalone workstation, in group policy, via registry entries, or in conjunction with Windows Server Update Services (WSUS). Note that these settings are current as of Windows 10 version 1803.

You need to set the Windows Update for Business settings to defer quality (security) updates for a set number of days. Given the side effects of updates, I recommend waiting at least seven days if not more before installing quality updates. A deferral of 11 days pushes the update window past the weekend and on to the second week when most of any side effects are identified.

The second deferral I recommend is deferring the installation of feature updates to a time and date that you feel is right for your environment. I also recommend scripting the install of feature updates as a better way to control the rollout of Windows 10 feature releases. When a feature release is deemed ready for business, the release is declared semi-annual.

If you take no action to control updates, the feature releases are set to semi-annual (targeted) by default and you will receive the feature releases when Microsoft deems your computer ready for the update. Feature updates do not include security updates and thus it’s quite safe to push off feature updates to ensure that your vendors support the release. These deferrals can be set on Windows 10 Pro, Enterprise and Educational versions.

Tip: If you manage group policy in a domain setting, be sure to bring the Windows 10/Server 2016 templates into your domain by copying the ADMX and ADML files from any recent Windows 10 workstation into the SYSVOL central store on the server:
DeliveryOptimization.admx from C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions
DeliveryOptimization.adml from C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions\en-US

You can make the following settings under “Computer Configuration,” “Administrative Templates,” “Windows Components,” “Windows Update”.

Under “Windows Update for Business,” make the following settings:

Set “Select when Preview Builds and Feature Updates are received” to “Semi-Annual Channel” and then set the deferral of feature updates to 360 days. This pushes off the installation of any feature release to nearly a year after the feature release is declared Semi-Annual. I recommend setting it this far in the future and then installing the feature release yourself when you deem it ready for your environment.


Setting deferral of feature updates

Set “Select when Quality Updates are received” to at least seven days, and consider setting it to 11 days. Again, choosing 11 days pushes off the install to two weekends after the security updates are released and gives more time for any issues to be resolved.


Select when quality updates are received

Here’s how to handle other settings under “Computer Configuration,” “Administrative Templates,” “Windows Components,” “Windows Update”:

Do not use or set the policy for “No auto-restart with logged-on users for scheduled automatic update installations”. In my experience this policy does not properly detect a logged-on user. It often triggers a reboot of the system when a user walks away from the computer and does not respond to a notice on the screen. I do not recommend you use this setting in conjunction with Windows 10 at all. When I have used it in conjunction with WSUS settings, I end up with machines that reboot at awkward times and do not reboot when I want them to reboot.

If you use WSUS, set and use “Do not allow update deferral policies to cause scans against Windows Update”. If you set any feature deferral policy without this setting in place, it will bypass your WSUS settings and go directly to Microsoft updates for any updates. The end result will be that your WSUS settings for not approving Windows 10 updates and feature updates will be ignored and updates will be applied.


Read the notes for "Turn off auto-restart for updates during active hours"

Next, set the active hours. Enable “Turn off auto-restart for updates during active hours”. The maximum window you can set is 18 hours. This ensures that restarts happen outside the machine's active hours. The notes for the policy state that if “No auto-restart with logged on users for scheduled automatic updates installations” is enabled, the active hours setting will be ignored.


Set the active hours

Finally, the “Engaged restart” settings allow users to get notifications and prompts about pending updates. As noted, if any of the legacy Windows Update settings are selected, such as “No auto-restart with logged on users for scheduled automatic updates installations,” Windows will always automatically restart at the scheduled time. “Specify deadline before auto-restart for update installation” will also nullify the engaged restart settings. Make sure you do not set any of those settings on Windows 10.
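To check a standalone workstation against the settings recommended above, here is an added PowerShell script (not from the article) that audits the Windows Update for Business policy values in the registry and, with -Apply, writes the recommended ones. It assumes the value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are those the Windows Update ADMX templates write (confirm against each policy's Explain text), and the 06:00 to 24:00 active-hours window is a constructed sample that fills the 18-hour maximum.

```powershell
# Added example, not from the article. Run elevated. Audit only by default;
# -Apply writes the recommended values. Value names are assumed from the
# ADMX-to-registry mapping; verify them in your environment before use.
param([switch]$Apply)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Recommended state: quality updates deferred 11 days, Semi-Annual Channel with
# feature updates deferred 360 days, deferral scans kept off Windows Update
# (for WSUS sites), and an 18-hour active-hours window.
$want = @(
    @{ Path=$wu; Name='DeferQualityUpdates';             Value=1   }
    @{ Path=$wu; Name='DeferQualityUpdatesPeriodInDays'; Value=11  }
    @{ Path=$wu; Name='BranchReadinessLevel';            Value=32  }  # 32 = Semi-Annual Channel
    @{ Path=$wu; Name='DeferFeatureUpdates';             Value=1   }
    @{ Path=$wu; Name='DeferFeatureUpdatesPeriodInDays'; Value=360 }
    @{ Path=$wu; Name='DisableDualScan';                 Value=1   }  # "Do not allow update deferral policies to cause scans against Windows Update"
    @{ Path=$wu; Name='SetActiveHours';                  Value=1   }
    @{ Path=$wu; Name='ActiveHoursStart';                Value=6   }  # constructed sample: 06:00
    @{ Path=$wu; Name='ActiveHoursEnd';                  Value=0   }  # to 24:00 = 18 hours
)
# Legacy setting the article says must not be present on Windows 10.
$mustBeAbsent = @(
    @{ Path=$au; Name='NoAutoRebootWithLoggedOnUsers' }
)

foreach ($w in $want) {
    $cur = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    $ok  = ($cur -eq $w.Value)
    $shown = if ($null -eq $cur) { '<unset>' } else { $cur }
    '{0,-34} current={1,-8} wanted={2,-4} {3}' -f $w.Name, $shown, $w.Value, $(if ($ok) { 'OK' } else { 'DRIFT' })
    if ($Apply -and -not $ok) {
        if (-not (Test-Path $w.Path)) { New-Item -Path $w.Path -Force | Out-Null }
        New-ItemProperty -Path $w.Path -Name $w.Name -Value $w.Value -PropertyType DWord -Force | Out-Null
    }
}

foreach ($b in $mustBeAbsent) {
    $cur = (Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue).($b.Name)
    if ($null -ne $cur) {
        "WARNING: $($b.Name) is set to $cur; this nullifies active hours and engaged restart."
        if ($Apply) { Remove-ItemProperty -Path $b.Path -Name $b.Name }
    } else {
        "$($b.Name) absent: OK"
    }
}
```

Run it without -Apply first and compare the DRIFT lines against what your GPO or WSUS configuration is supposed to deliver before letting it write anything.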

Copyright © 2018 IDG Communications, Inc.
