Latest Microsoft Windows security update options explained

New features might require you to change current update policies, especially if you're supporting more remote workers.


The need to manage patching on home machines that have no Group Policy, Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) control means that you may be looking for alternatives. Employees' personal machines might run Windows 10 Home version, which has limited ability to control updates. With corporate-owned machines you have more options.

Recently, Microsoft released the Update Baseline for Windows 10 that includes several settings to control Windows update. The recommended baselines control:

  • Configuring deadlines
  • Restart behavior
  • Accounting for low activity devices
  • Delivery optimization
  • Power policies

The group policies that control Windows Update on Windows 10 Professional, Enterprise and Education editions are collectively called Windows Update for Business. You can set them via Group Policy or registry keys. They are on the roadmap to be converted and controlled by Intune as well.

Time to review Group Policy update settings

Included on the site is a PDF entitled “Optimizing Windows 10 Update Adoption” that includes recommendations and reminds us that as Windows 10 has been updated with features, the settings and their impact have changed. My recommendation is to annually review your Group Policy settings for controlling and managing updates.

For example, beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 and above, a new policy was introduced: “Specify deadlines for automatic updates and restarts, replacing previous deadline-like policies”. As noted in the document:

Revisions prior to August 2019 started enforcing deadlines once the device reached a ‘restart pending’ state for an update; whereas this new policy starts the countdown for the update installation deadline from when the update is published plus any deferral. In addition, this policy includes a configurable grace period and the option to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic restarts for maximum update velocity).

In Windows 10 1903 Group Policy settings, if you use “Specify deadlines for automatic updates and restarts,” you must disable the previous Auto Restart Deadline policies as they may conflict. If you want to provide the least disruptive settings for rebooting, Windows has heuristics based on user interactions that dynamically identify the least disruptive time for automatic restart. To make sure users don’t have reboots during inopportune times, set “ConfigureDeadlineNoAutoReboot” to “Disabled.”

Computers need to be connected to the internet for at least six hours (two hours of continuous online activity) to properly connect and download updates. Since version 1903, Windows 10 has a feature called “Intelligent Active Hours.” This feature learns the system’s active hours from user interaction. If you have enabled the “Configure Active Hours” Group Policy setting, set it to “Disabled” to take advantage of Intelligent Active Hours.

The setting “Allow auto Windows Update to download over metered networks” is used in multiple ways. It allows users to obtain updates over a cellular network no matter what. For users who want tighter control over updates, this setting combined with the registry setting that marks a wired connection as metered allows you to “trick” the system into not installing updates.

If you are running versions prior to 1903, enable the following settings:

  • Configure active hours — a value of 10 is recommended
  • Schedule update installation — you can use either “Specify automatic maintenance time” or “Schedule the install time.” Set “Specify automatic maintenance time” to an optimal time for your organization to install updates and reboot machines.

Keeping desktop machines turned on ensures that computers can be updated and maintained. In my office I have the power policies set to turn off monitors but not computers. Devices in sleep mode (S1 or S0 Low Power Idle/Modern Standby) can be woken to take an update.

Recommended Group Policy settings

Some of the policies that I recommend to set include:

  • Defer feature update period in days. While Windows features are no longer pushed down to machines without approval from the end user, an administrator might not want them offered during the early days of release. Setting a feature update deferral delays the offering and allows for manual approval or deployment of the update using scripting, WSUS, SCCM or other patch management process. Alternatively, you can use the new Group Policy setting available since 1803, “Select the target feature update version,” which offers only the specific feature release version to be requested in subsequent scans.
  • Defer quality updates period in days. Set this according to the needs of your firm and the risk that your users have when it comes to patching as compared to the side effects from updating. For some workstations, you can install updates when they are released. For others, you may need to take a more precautionary setting and defer updates for a week or more. Quality updates, better known as security updates, are released on the second Tuesday of each month. Typically, by the end of the week any side effects from the update have been identified and are starting to be communicated.
  • Do not allow update deferral policies to cause scans against Windows Update. If you use WSUS, enable “Do not allow update deferral policies to cause scans against Windows Update.” If you do not use that setting, the workstation will scan both against Windows Update and WSUS. If you wonder why your workstations are not respecting your WSUS settings, this is the reason.
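As an added example (not from the article or from Microsoft), the following PowerShell audit script reads the Windows Update for Business policy values discussed above from the registry and flags the conflicts the article warns about: the 1903 deadline policy coexisting with the older Auto Restart Deadline policy, “ConfigureDeadlineNoAutoReboot” not set to Disabled, deferral policies used with WSUS without “Do not allow update deferral policies to cause scans against Windows Update,” and fixed active hours suppressing Intelligent Active Hours. It assumes the registry value names of the WindowsUpdate ADMX; confirm them against the ADMX for your build.

```powershell
# Added audit script (not from the article or Microsoft). Reads Windows Update for Business
# policy values from the registry and flags conflicts. Value names follow the WindowsUpdate ADMX.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy is "Not Configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-PolicyValue([string]$Label, $Value) {
    "{0,-50} {1}" -f $Label, $(if ($null -eq $Value) { 'Not Configured' } else { $Value })
}

$watch = 'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays', 'TargetReleaseVersionInfo',
         'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineForFeatureUpdates', 'ConfigureDeadlineGracePeriod',
         'ConfigureDeadlineNoAutoReboot', 'AutoRestartDeadlinePeriodInDays', 'SetActiveHours',
         'AllowAutoWindowsUpdateDownloadOverMeteredNetwork', 'DisableDualScan'
foreach ($name in $watch) { Show-PolicyValue $name (Get-PolicyValue $wu $name) }
$useWsus = Get-PolicyValue $au 'UseWUServer'
Show-PolicyValue 'AU\UseWUServer' $useWsus

$findings = @()
# 1903+: "Specify deadlines for automatic updates and restarts" conflicts with the older Auto Restart Deadline policy.
$newDeadline = ($null -ne (Get-PolicyValue $wu 'ConfigureDeadlineForQualityUpdates')) -or
               ($null -ne (Get-PolicyValue $wu 'ConfigureDeadlineForFeatureUpdates'))
if ($newDeadline -and ($null -ne (Get-PolicyValue $wu 'AutoRestartDeadlinePeriodInDays'))) {
    $findings += 'Both the 1903 deadline policy and the older Auto Restart Deadline policy are set; disable the latter.'
}
# The article recommends ConfigureDeadlineNoAutoReboot = Disabled (0) so restarts use the least-disruptive-time heuristics.
if ((Get-PolicyValue $wu 'ConfigureDeadlineNoAutoReboot') -eq 1) {
    $findings += 'ConfigureDeadlineNoAutoReboot is Enabled; set it to Disabled to allow automatic restarts.'
}
# Deferral policies plus WSUS without DisableDualScan = 1 make clients scan Windows Update as well as WSUS.
$deferrals = ($null -ne (Get-PolicyValue $wu 'DeferQualityUpdatesPeriodInDays')) -or
             ($null -ne (Get-PolicyValue $wu 'DeferFeatureUpdatesPeriodInDays'))
if ($useWsus -eq 1 -and $deferrals -and ((Get-PolicyValue $wu 'DisableDualScan') -ne 1)) {
    $findings += 'WSUS is in use with deferral policies but DisableDualScan is not 1; clients will dual-scan against Windows Update.'
}
# Fixed active hours suppress Intelligent Active Hours on 1903 and later.
if ((Get-PolicyValue $wu 'SetActiveHours') -eq 1) {
    $findings += 'SetActiveHours is Enabled; on 1903 and later, disable it so Intelligent Active Hours can learn usage.'
}
if ($findings.Count -eq 0) { 'No policy conflicts found.' } else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it in an elevated PowerShell session on a domain-joined workstation after a `gpupdate /force` so the registry reflects the current Group Policy state.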

As you roll out and deploy feature releases, do two things: Deploy the latest ADMX file to your network to best control Windows update settings, and review your group policies that control updating. Each new feature release brings new group policies and it’s key to keep an eye on the changes.

Version 1703 brought the following Group Policy settings:

  • Specify active hours range for auto-restarts
  • Configure auto-restart required notification for updates
  • Configure auto-restart reminder notifications for updates
  • Turn off auto-restart notifications for update installations
  • Configure auto-restart warning notifications schedule for updates
  • Specify engaged restart transition and notification schedule for updates
  • Update power policy for cart restarts

Version 1709 brought two Group Policy settings: “Allow updates to be downloaded automatically over metered connections” and “Do not allow update deferral policies to cause scans against Windows Update.”

Version 1809 brought two Group Policy settings: “Remove access to ‘Pause updates’ feature” and “Display options for update notifications.”

Version 1903 brought this Group Policy setting: Specify deadlines for automatic updates and restarts.

Version 2004 brought this Group Policy setting: “Select the target Feature Update version,” which can now be controlled by Group Policy from the domain controller.

Copyright © 2020 IDG Communications, Inc.
