Windows Update can be managed through policies, and this applies to almost all devices, including single-user, multi-user, education, and factory machines, and even Microsoft Teams Rooms devices. The Microsoft IT Pro Blog has shared a set of Windows Update policies that you can use on your own computer or on any other system you manage.
According to the Microsoft team, Windows already delivers the best experience with default settings, ensuring the devices remain productive and secure. The process includes scanning for updates, downloading, and installing them, followed by a restart. It works for most cases but can be further customized using Group Policy.
Windows Update policies Admins should use
Before we start, all the group policies are located at Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience. Now let’s look at the suggestions offered:
- Managing single-user devices
- Multi-user devices
- Education devices
- Kiosks and billboards
- Factory machines, rollercoasters, and similar things
You will need an admin account to configure these.
1. Managing single-user devices
Policy Name: Specify deadlines for automatic updates and restarts
- Setting name:
- For quality updates: Deadline (days), Grace period (days)
- For feature updates: Deadline (days), Grace period (days)
- Description: This policy allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.
- Recommended: For commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.
2. Multi-user devices
Policy Name: Configure Automatic Updates
- Setting name: Schedule install time: Daily at X time
- Description: Schedule install time (3) restricts the device to installing at that specified time until the deadline is reached.
- Recommended: If there is a regular specific window when the multi-user device will not be in use.
Policy Name: Remove access to use all Windows Update features
- Setting name: Not Applicable
- Description: Remove the end user’s ability to scan, download, or install from the Windows Update settings page.
- Recommended: Only if you have end-users who are configuring update settings and causing update behaviors that are disrupting other users who share the device.
Policy Name: Turn off auto-restart for updates during active hours
- Setting name: Active hours: Start, End
- Description: Enables you to specify the hours during which a device should not restart.
- Recommended: Leverage this policy if you feel it necessary and if there is a set period of time during which the device is allowed to be used or during which reboots are unacceptable.
Policy Name: Specify deadlines for automatic updates and restarts
- Setting name:
- For quality updates: Deadline (days), Grace Period (days)
- For feature updates: Deadline (days), Grace Period (days)
- Description: It allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.
- Recommended: For commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.
3. Education devices
Policy Name: Display options for update notifications
- Setting name: Turn off notifications. Check the box for “Apply only during active hours.”
- Description: It allows you to define what Windows Update notifications users see, including the ability to turn off all notifications, including restart warnings.
- Recommended: Available to devices in the Windows Insider Program for Business leveraging the Dev or Beta channels.
Policy Name: Specify deadlines for automatic updates and restarts
- Setting name:
- For quality updates: Deadline (days), Grace Period (days)
- For feature updates: Deadline (days), Grace Period (days)
- Description: It allows you to specify the number of days before an update is forced to install on the device during active hours, when the user may be present.
- Recommended: For commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.
Policy Name: Turn off auto-restart for updates during active hours
- Setting name: Active hours: Start, End
- Description: It enables you to specify the hours during which a device should not restart.
- Recommended: For commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.
4. Kiosks and billboards
Policy Name: Display options for update notifications
- Setting name: Turn off notifications
- Description: This allows you to define what Windows Update notifications users see.
- Recommended: For devices that do not have active end-users, where notifications can be disruptive and serve no purpose (such as kiosks and billboards).
Policy Name: Configure Automatic Updates
- Setting name: Schedule install time: Daily at X time
- Description: Manage automatic update behavior.
- Recommended: Available for use when there is a specific period of low usage or visibility of the kiosk or billboard.
Policy Name: Specify deadlines for automatic updates and restarts
- Setting name:
- For quality updates: Deadline (days), Grace Period (days)
- For feature updates: Deadline (days), Grace Period (days)
- Description: Specify the number of days before an update is forced to install on the device during active hours, when the user may be present.
- Recommended: For commercial or education environments where there is a compliance need or where it is pertinent that devices stay secure.
5. Factory machines, rollercoasters, and similar things
Policy Name: Configure Automatic Updates
- Setting name: Schedule install time: Daily at X time OR Notify to download / Notify to Install
- Description: Manage automatic update behavior.
- Recommended: For use when there is a specific period when the device is not in use.
Windows Update is configured differently depending on the device, how it is used, and who uses it. Some users should not be interrupted during work hours, while some devices must be updated regularly to stay secure. Depending on your case, follow the recommended suggestions and check whether they fit.
For more details, follow the official post here on microsoft.com.
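To check which of the policies above are actually in effect on a device, the following added example (not from the original post or from Microsoft) reads the policy registry hive and prints a report with a few findings. The registry value names are an assumption of this example, namely the names these policies write under HKLM\SOFTWARE\Policies; confirm them against the ADMX templates you deploy.

```powershell
# Added example: read-only report of the Windows Update policies discussed above.
# Assumption: the value names below are the ones these policies write under
# HKLM\SOFTWARE\Policies; confirm them against the ADMX version you deploy.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$checks = @(
    @{ Policy = 'Deadline, quality updates (days)';     Path = $wu; Name = 'ConfigureDeadlineForQualityUpdates' }
    @{ Policy = 'Deadline, feature updates (days)';     Path = $wu; Name = 'ConfigureDeadlineForFeatureUpdates' }
    @{ Policy = 'Grace period, quality updates (days)'; Path = $wu; Name = 'ConfigureDeadlineGracePeriod' }
    @{ Policy = 'Grace period, feature updates (days)'; Path = $wu; Name = 'ConfigureDeadlineGracePeriodForFeatureUpdates' }
    @{ Policy = 'Active hours start';                   Path = $wu; Name = 'ActiveHoursStart' }
    @{ Policy = 'Active hours end';                     Path = $wu; Name = 'ActiveHoursEnd' }
    @{ Policy = 'Remove access to Windows Update UI';   Path = $wu; Name = 'SetDisableUXWUAccess' }
    @{ Policy = 'Update notification level';            Path = $wu; Name = 'UpdateNotificationLevel' }
    @{ Policy = 'Automatic Updates disabled';           Path = $au; Name = 'NoAutoUpdate' }
    @{ Policy = 'Configure Automatic Updates option';   Path = $au; Name = 'AUOptions' }
    @{ Policy = 'Scheduled install time (hour)';        Path = $au; Name = 'ScheduledInstallTime' }
)

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $v) { 'Not configured' } else { $v }
    [pscustomobject]@{ Policy = $c.Policy; RegistryValue = $c.Name; Data = $shown }
}
$report | Format-Table -AutoSize

# Findings tied to the guidance above.
if ((Get-PolicyValue $au 'NoAutoUpdate') -eq 1) {
    Write-Warning 'Automatic Updates are disabled by policy.'
}
if ($null -eq (Get-PolicyValue $wu 'ConfigureDeadlineForQualityUpdates')) {
    Write-Warning 'No quality-update deadline is set; installation is not enforced by a deadline.'
}
if ((Get-PolicyValue $au 'AUOptions') -eq 4 -and $null -eq (Get-PolicyValue $au 'ScheduledInstallTime')) {
    Write-Warning 'Scheduled install is selected but no install time is configured.'
}
```

The script only reads the registry, so it can be run on a sample of devices to confirm that the Group Policy Objects you linked are the ones being applied.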
Should I turn off Windows updates?
No. While you can delay updates if you have issues with existing software, it is not a good idea to disable Windows updates completely. Windows Updates keep the OS secure, which in turn keeps your data and information safe.
Where are Windows Update settings in group policy?
You can find them at Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update and Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience.