- Recommended security settings and new group policies for Microsoft Edge (from 107 on) - Fri, Jan 27 2023
- Save and access the BitLocker recovery key in the Microsoft account - Tue, Jan 24 2023
- Reopen apps after Windows startup - Thu, Jan 19 2023
A few weeks ago, Microsoft published a white paper that recommended the configuration of certain settings in order to get updates for Windows 10 onto computers as quickly as possible. The update baseline is intended to make it easier for administrators to implement these specifications.
Incomplete script for the GPO import
Following the example of the security baseline, the update baseline includes the backup of a GPO for import into the Group Policy Management Console (GPMC), documentation in PDF format, an Excel spreadsheet with an overview of the configured settings, and an HTML report generated with gpresult.
To import the GPO, the toolkit includes a PowerShell script called Baseline-ADImport.ps1. If you start it as described in the PDF document, it terminates with an error message stating that it cannot find the MapGuidsToGpoNames.ps1 file.
It quickly becomes apparent that this file is not included in the update baseline toolkit. Rather, it is part of the security baseline, so you have to download it additionally and copy the Tools folder from there into the Scripts folder of the update baseline.
Even so, the execution of the script might still fail due to the execution policy. If it does, you can set the policy temporarily to Unrestricted.
After the successful execution of the script, a new GPO called MSFT Windows Update can be found in the GPMC under Group Policy Objects. It is not linked to any OU or domain and is therefore not applied to any computer.
If this incomplete PowerShell script is too cumbersome to deal with, you can create an empty GPO in the GPMC and start the wizard to import settings from its context menu. For the directory, specify the GPOs folder of the update baseline.
Customizing the default settings
Admins can first adapt the GPO to the needs of the company before they link it. For example, the active hours setting is defined with a fixed value of 18 hours. Starting with Windows 10 1903, this option can be reset to Not Configured because the system then automatically determines the active hours based on the user's working habits.
The aim of the baseline is to control the installation of updates and the reboot of the computers as soon as the updates are available. While it does not configure a setting for deferring updates, such as those found in Windows Update for Business, the white paper recommends a value of zero days for normal updates (not for feature updates).
Power management and delivery optimization
If you look through all the settings of the GPO, you will see that they not only configure the update service itself, but also power management. For example, in the case of notebooks, they should ensure that notebooks go into standby mode after closing the lid and are not switched off to enable installing updates.
The update baseline also configures a whole range of settings for delivery optimization, which is a component of Windows Update for Business (WUfB). The latter is now preferred by Microsoft for OS updates over WSUS.
No WSUS settings
Companies that want to continue using WSUS will not find any related recommendations in the baseline, but the power management or restart behavior policies should still be useful to them.
The latter only relies on the new setting Specify deadlines for automatic updates and restarts (see: Configure updates and reboot options for Windows 10 using group policies).
Since there are a lot of options for update management that have no effect in Windows 10 or are replaced by newer settings, the baseline deactivates many of these outdated options. In this way, possible conflicts can be avoided.
Subscribe to 4sysops newsletter!
The update baseline can be downloaded from Microsoft's website. There, you can also include the previously mentioned white paper Optimizing Windows 10 Update Adoption in the same download.