The number of group policies for Windows Update has grown primarily because Microsoft has changed Windows' restart behavior after updates several times and has introduced new settings accordingly.
In addition, the settings for Windows Update for Business (WUfB) have been changed several times. Most recently, Microsoft modified the calculation of the period after which an update is installed and the PC is rebooted.
New structure in the GPO editor
Microsoft cannot simply remove outdated settings from the administrative templates because it would not be possible to fully edit existing GPOs that already use these settings.
Therefore, in the ADMX for Windows 11, the company decided to sort the settings into four folders for better clarity. One of them is called Legacy Policies, and houses the options that are outdated.
In contrast, the administrative templates for Windows 10 21H2 are not only incompatible with those of Windows 11, they also come without this new grouping of settings. There, the admin still faces a motley mix of current and outdated settings in a long list.
Settings no longer supported
A blog post on Microsoft's TechCommunity now provides information about which settings should be avoided. It's pretty easy to skip the following eight options because they are no longer implemented starting with Windows 10. Many admins may have wondered why these settings no longer have an effect after migrating to Windows 10.
- Do not display "Install Updates and Shut Down" option in Shut Down Windows dialog box
- Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
- Delay Restart for scheduled installations
- Turn on Software Notifications
- Allow Automatic Updates immediate installation
- Re-prompt for restart with scheduled installations
- Reschedule Automatic Updates scheduled installations
- Turn on recommended updates via Automatic Updates
Modification for Dual Scan
Another setting that was still present in Windows 10 but was removed in Windows 11 controls Dual Scan:
- Do not allow update deferral policies to cause scans against Windows Update
For clarification, Dual Scan is always switched on when clients are assigned to a WSUS server and, at the same time, quality or feature updates are deferred via WUfB.
The computers then no longer receive OS updates via WSUS but via Windows Update. With the above setting, this can be avoided, and WSUS can also be kept as the source for OS updates.
This option is now replaced by the setting "Specify source service for specific classes of Windows Updates" in Windows 10 21H2 and Windows 11. It can be used to assign either WSUS or Windows Update as the source for each update type.
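The Dual Scan condition described above can be checked from a client's policy registry values. The following PowerShell is an added example, not code from the article or from Microsoft; the registry value names (UseWUServer, WUServer, DeferQualityUpdates, DeferFeatureUpdates, DisableDualScan, SetPolicyDrivenUpdateSourceFor...Updates) are the policy values as I know them from Microsoft's documentation rather than from this page, and the WSUS URL in the sample is constructed.

```powershell
# Added example. Registry value names are documented policy values, not taken from the article.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WUPolicyValues {
    # Merge the WindowsUpdate policy key and its AU subkey into one hashtable.
    $values = @{}
    foreach ($key in $WU, "$WU\AU") {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    $values
}

function Test-DualScan {
    param([hashtable]$Policy)
    # Client is assigned to a WSUS server.
    $wsus = ($Policy['UseWUServer'] -eq 1) -and [bool]$Policy['WUServer']
    # Quality or feature updates are deferred via WUfB.
    $defer = ($Policy['DeferQualityUpdates'] -eq 1) -or ($Policy['DeferFeatureUpdates'] -eq 1)
    # Replacement policy: per-class scan source, 0 = Windows Update, 1 = WSUS.
    $source = [ordered]@{}
    foreach ($class in 'Feature', 'Quality', 'Driver', 'Other') {
        $name = 'SetPolicyDrivenUpdateSourceFor{0}Updates' -f $class
        if ($Policy.ContainsKey($name)) {
            $source[$class] = if ($Policy[$name] -eq 1) { 'WSUS' } else { 'Windows Update' }
        }
    }
    # Legacy setting "Do not allow update deferral policies to cause scans against Windows Update".
    $legacy = $Policy['DisableDualScan'] -eq 1
    [pscustomobject]@{
        DualScanCondition   = $wsus -and $defer
        LegacyBlockSet      = $legacy
        PerClassSource      = $source
        # True when nothing keeps WSUS as the source for OS updates, per the article's description.
        OsUpdatesBypassWsus = ($wsus -and $defer -and -not $legacy -and $source.Count -eq 0)
    }
}

# Constructed sample: WSUS client with a quality-update deferral and no source policy.
$sample = @{ UseWUServer = 1; WUServer = 'https://wsus.example.internal:8531'
             DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7 }
Test-DualScan -Policy $sample | Format-List
# On a live client: Test-DualScan -Policy (Get-WUPolicyValues)
```

A client that reports LegacyBlockSet as true but has an empty PerClassSource is relying on the setting that Windows 11 no longer carries and is a candidate for migration to the per-class source policy.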
Restart when user is logged in
Another setting that protects users from a rebooting PC at inappropriate times is still on board, but according to Microsoft, it should no longer be used:
- No auto-restart with logged on users for scheduled automatic updates installations
Moreover, according to the blog post mentioned above, this option does not behave as described.
Microsoft recommends default behavior
The manufacturer's current recommendation is not limited to merely deprecating outdated settings. Rather, it recommends that companies don't change the behavior of Windows Update and obtain updates according to the same pattern as end users. Microsoft therefore prefers Windows Update over WSUS, and the restart should simply take place outside active hours.
If companies still want to customize the installation of patches, they should limit themselves to settings for deferring updates (WUfB) and rescheduling the reboot of computers.