Over the years, dozens of group policies for Windows Update have accumulated, many of which no longer work or have been deprecated by Microsoft. Due to a lack of documentation, many admins haven't been aware they are using outdated settings. The company has now clarified the situation in a blog post.

The growth of group policies for Windows Update is primarily due to the fact that Microsoft has changed Windows' restart behavior after updates several times and has introduced new settings accordingly.

In addition, the settings for Windows Update for Business (WUfB) have been changed several times. Most recently, Microsoft modified the calculation of the period after which an update is installed and the PC is rebooted.

New structure in the GPO editor

Microsoft cannot simply remove outdated settings from the administrative templates because it would not be possible to fully edit existing GPOs that already use these settings.

Therefore, in the ADMX for Windows 11, the company decided to sort the settings into four folders for better clarity. One of them is called Legacy Policies, and houses the options that are outdated.

The templates for Windows 11 store obsolete settings in a separate folder


In contrast, the administrative templates for Windows 10 21H2 are not only incompatible with those of Windows 11, they also come without this new grouping of settings. There, the admin still faces a motley mix of current and outdated settings in a long list.

Settings no longer supported

A blog post on Microsoft's TechCommunity now provides information about which settings should be avoided. It's pretty easy to skip the following eight options because they are no longer implemented starting with Windows 10. Many admins may have wondered why these settings no longer have an effect after migrating to Windows 10.

  • Do not display "Install Updates and Shut Down" option in Shut Down Windows dialog box
  • Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
  • Delay Restart for scheduled installations
  • Turn on Software Notifications
  • Allow Automatic Updates immediate installation
  • Re-prompt for restart with scheduled installations
  • Reschedule Automatic Updates scheduled installations
  • Turn on recommended updates via Automatic Updates

Modification for Dual Scan

Another setting that was still present in Windows 10 but was removed in version 11 controls Dual Scan:

  • Do not allow update deferral policies to cause scans against Windows Update

For clarification, Dual Scan is always switched on when clients are assigned to a WSUS server and, at the same time, quality or feature updates are deferred via WUfB.

The computers then no longer receive OS updates via WSUS but via Windows Update. With the above setting, this can be avoided, and WSUS can also be kept as the source for OS updates.

Windows 10 21H2 and Windows 11 support different sources for each update type


This option is now replaced by the setting Specify source service for specific classes of Windows Updates in Windows 10 21H2 and Windows 11. It can be used to assign either WSUS or Windows Update as the source for each update type.

Restart when user is logged in

Another setting that protects users from a rebooting PC at inappropriate times is still on board, but according to Microsoft, it should no longer be used:

  • No auto-restart with logged on users for scheduled automatic updates installations

Moreover, according to the blog post mentioned above, this option does not behave as described.
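To see which existing GPOs still use the settings listed so far, their XML reports can be searched for the display names. The following PowerShell is an added example, not code from Microsoft's blog post; the function name Find-LegacyWUPolicy and the sample report are constructed for illustration, and the match assumes English display names spelled as in this article.

```powershell
# Display names of the settings this article lists as unsupported or discouraged.
$LegacyPolicies = @(
    'Do not display "Install Updates and Shut Down" option in Shut Down Windows dialog box'
    "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box"
    'Delay Restart for scheduled installations'
    'Turn on Software Notifications'
    'Allow Automatic Updates immediate installation'
    'Re-prompt for restart with scheduled installations'
    'Reschedule Automatic Updates scheduled installations'
    'Turn on recommended updates via Automatic Updates'
    'Do not allow update deferral policies to cause scans against Windows Update'
    'No auto-restart with logged on users for scheduled automatic updates installations'
)

function Find-LegacyWUPolicy {
    # Hypothetical helper: accepts one GPO report (XML string) per pipeline item.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ReportXml)
    process {
        $doc = [xml]$ReportXml
        $gpo = $doc.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText
        # local-name() sidesteps the namespace prefixes used in GPO reports.
        foreach ($p in $doc.SelectNodes("//*[local-name()='Policy']")) {
            $name  = $p.SelectSingleNode("*[local-name()='Name']").InnerText.Trim()
            $state = $p.SelectSingleNode("*[local-name()='State']").InnerText.Trim()
            if ($LegacyPolicies -contains $name) {   # -contains is case-insensitive
                [pscustomobject]@{ GPO = $gpo; Setting = $name; State = $state }
            }
        }
    }
}

# Constructed, simplified sample report (real reports carry more elements).
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstations - Patching</Name>
  <Computer><ExtensionData><Extension>
    <Policy><Name>Delay Restart for scheduled installations</Name><State>Enabled</State></Policy>
    <Policy><Name>Configure Automatic Updates</Name><State>Enabled</State></Policy>
    <Policy><Name>No auto-restart with logged on users for scheduled automatic updates installations</Name><State>Enabled</State></Policy>
  </Extension></ExtensionData></Computer>
</GPO>
'@
$sample | Find-LegacyWUPolicy | Format-Table -AutoSize

# In a domain with the GroupPolicy module installed:
# Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml } | Find-LegacyWUPolicy
```

On the sample, the two legacy settings are reported and Configure Automatic Updates is ignored.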

Microsoft recommends default behavior

The manufacturer's current recommendation is not limited to merely deprecating outdated settings. Rather, it recommends that companies don't change the behavior of Windows Update and obtain updates according to the same pattern as end users. Microsoft therefore prefers Windows Update over WSUS, and the restart should simply take place outside active hours.


If companies still want to customize the installation of patches, they should limit themselves to settings for deferring updates (WUfB) and rescheduling the reboot of computers.
