Update baseline: Microsoft's recommended GPO settings for Windows updates

Microsoft is providing a new toolkit that configures all recommended group policies for installing Windows 10 updates. In addition to Windows Update, the settings also relate to delivery optimization and energy management. Numerous settings have been deactivated.

A few weeks ago, Microsoft published a white paper that recommended the configuration of certain settings in order to get updates for Windows 10 onto computers as quickly as possible. The update baseline is intended to make it easier for administrators to implement these specifications.

Incomplete script for the GPO import

Following the example of the security baseline, the update baseline includes the backup of a GPO for import into the Group Policy Management Console (GPMC), documentation in PDF format, an Excel spreadsheet with an overview of the configured settings, and an HTML report generated with gpresult.

Content of the update baseline


To import the GPO, the toolkit includes a PowerShell script called Baseline-ADImport.ps1. If you start it as described in the PDF document, it terminates with an error message stating that it cannot find the MapGuidsToGpoNames.ps1 file.

It quickly becomes apparent that this file is not included in the update baseline toolkit. Rather, it is part of the security baseline, so you have to download the security baseline as well and copy its Tools folder into the Scripts folder of the update baseline.

The script in the update baseline requires the Tools directory from the security baseline


Even so, the execution of the script might still fail due to the execution policy. If it does, you can set the policy temporarily to Unrestricted.

After the successful execution of the script, a new GPO called MSFT Windows Update can be found in the GPMC under Group Policy Objects. It is not linked to any OU or domain and is therefore not applied to any computer.

The import script creates an unlinked GPO called MSFT Windows Update
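The import steps described above, combined into one PowerShell session. This is an added example, not code from the toolkit or from Microsoft. The two extraction paths are placeholders, and calling Baseline-ADImport.ps1 without arguments is an assumption; follow the toolkit's PDF for the exact invocation.

```powershell
# Added example. Both paths are placeholders (assumptions): point them at
# the folders where the two toolkits were extracted.
$UpdateBaseline   = 'C:\Baselines\UpdateBaseline'
$SecurityBaseline = 'C:\Baselines\SecurityBaseline'
$GpoName          = 'MSFT Windows Update'

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy
$scripts = Join-Path $UpdateBaseline 'Scripts'

# Find the helper that Baseline-ADImport.ps1 reports as missing, wherever
# the security baseline keeps its Tools folder.
$helper = Get-ChildItem -Path $SecurityBaseline -Recurse -Filter 'MapGuidsToGpoNames.ps1' |
    Select-Object -First 1
if (-not $helper) {
    throw "MapGuidsToGpoNames.ps1 not found under $SecurityBaseline"
}

# Copy the whole Tools folder into the Scripts folder of the update baseline.
Copy-Item -Path $helper.Directory.FullName -Destination $scripts -Recurse -Force

# Relax the execution policy for this PowerShell process only. Machine and
# user policies stay untouched, and the change ends with the session.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# Run the import from the Scripts folder (no arguments: an assumption).
Push-Location $scripts
try     { & .\Baseline-ADImport.ps1 }
finally { Pop-Location }

# Confirm the GPO exists and is not linked to any OU or domain yet.
$gpo = Get-GPO -Name $GpoName
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$links = @($report.GPO.LinksTo | Where-Object { $_ })

if ($links.Count -eq 0) {
    "GPO '$GpoName' ($($gpo.Id)) imported and not linked anywhere."
} else {
    Write-Warning "GPO '$GpoName' is already linked to: $($links.SOMPath -join ', ')"
}
```

If a Group Policy already enforces an execution policy, the process-scoped setting is overridden and Set-ExecutionPolicy reports that instead of applying the change.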


If this incomplete PowerShell script is too cumbersome to deal with, you can create an empty GPO in the GPMC and start the wizard to import settings from its context menu. For the directory, specify the GPOs folder of the update baseline.

As an alternative to the PowerShell script, you can use the import settings of the GPMC


Customizing the default settings

Admins can first adapt the GPO to the needs of the company before they link it. For example, the active hours setting is defined with a fixed value of 18 hours. Starting with Windows 10 1903, this option can be reset to Not Configured because the system then automatically determines the active hours based on the user's working habits.

The aim of the baseline is to control the installation of updates and the reboot of the computers as soon as the updates are available. While it does not configure a setting for deferring updates, such as those found in Windows Update for Business, the white paper recommends a value of zero days for normal updates (not for feature updates).

Power management and delivery optimization

If you look through all the settings of the GPO, you will see that they configure not only the update service itself but also power management. For example, they ensure that notebooks go into standby mode when the lid is closed rather than being switched off, so that updates can still be installed.

The update baseline also configures a whole range of settings for delivery optimization, which is a component of Windows Update for Business (WUfB). The latter is now preferred by Microsoft for OS updates over WSUS.

No WSUS settings

Companies that want to continue using WSUS will not find any related recommendations in the baseline, but the power management or restart behavior policies should still be useful to them.

The restart behavior relies only on the new setting Specify deadlines for automatic updates and restarts (see: Configure updates and reboot options for Windows 10 using group policies).

The baseline controls the restart of the PCs via a single setting; many old options have been deactivated


Since there are a lot of options for update management that have no effect in Windows 10 or are replaced by newer settings, the baseline deactivates many of these outdated options. In this way, possible conflicts can be avoided.

Availability

The update baseline can be downloaded from Microsoft's website. There, you can also include the previously mentioned white paper Optimizing Windows 10 Update Adoption in the same download.


2 Comments
  1. Dean Gross 5 months ago

    Does this have any relationship to the Security Baselines that are used by Intune/Endpoint Manager?


  2. Wolfgang Sommergut 5 months ago

    Both are based on the same idea to provide recommended group policy settings, one for Windows Update and the other for security settings. But otherwise they are not related, except that they share a common script and have a similar name.
