Windows update
This article describes GoTo Resolve MDM's Windows update configuration profile that can be used to deploy update policies and general update settings to your managed Windows 10 or Windows 11 devices. This means that you can configure when and how Windows Updates are installed on devices and how the devices are restarted.
Requirements
- Windows 10 Pro or Windows 11 Pro version
How to deploy windows update settings to a device?
Create a new configuration profile and define the update policies that are sent to the device. Start by navigating to and start the Create configuration profile wizard from the Actions menu on the right. See Creating a configuration profile for more details.
Windows update policy settings
The available Windows update configuration profile settings are described below.
General
Automatic updates
Defines the type of automatic updates. Possible values are:
- Notify the user before downloading
- Install automatically and notify the user when restarting
- Install and restart automatically (default)
- Install automatically and restart at a specific time
- Install automatically and restart without end-user control
- Disabled
Active hours start
Added in Windows 10, version 1607. Defines the start of active hours. Update reboots are not scheduled during active hours. Supported values are 0-23 where 0 is 12 AM. The default value is 8 (8 AM).
Active hours end
End of active hours. Update reboots are not scheduled during active hours. Supported values are 0-23 where 0 is 12 AM. The default value is 17 (5 PM).
Scan app updates from Microsoft Update
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
Advanced options
Product version
Available after update KB500511 and works together with the target release version. Allows the IT admin to set the product version to update to a device. For example, when you set Windows 11 to the product field, devices will upgrade to Windows 11. The supported values are:
- Not selected
- Windows 10
- Windows 11
Target release version
Available in Windows 10, version 1803, and later. The field relates to product version value. Enables IT administrators to specify which version they would like their device to move to or stay on until they reach the end of service or reconfigure the policy.
Update branch
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives its updates from. The supported values are:
- Fast ring - Windows Insider build (added in Windows 10, version 1709)
- Slow ring - Windows Insider build (added in Windows 10, version 1709)
- Release - Windows Insider build (added in Windows 10, version 1709)
- Semi-annual targeted - Device gets all applicable feature updates from Semi-annual Channel (Targeted). This is the default value
- Semi-annual - Device gets feature updates from Semi-annual Channel
Preview builds
Added in Windows 10, version 1709. Specifies if preview builds are considered when updating.
Update check frequency (1-22 hours)
Added in Windows 10, version 1703. Defines how often updates are checked. Supported values are 1-22 hours. The default value is 22 hours.
Disable dual scan
Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows updates. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. This is the same as the Group Policy in Windows Components > Window Update > Do not allow update deferral policies to cause scans against Windows Update.
Exclude Windows Update drivers during an update
Added in Windows 10, version 1607. Specifies whether to exclude Windows Update drivers during updates.
Pause feature updates
Added in Windows 10, version 1607. Pauses feature updates for 60 days or when disabled again.
Defer feature updates until (0-365 days)
Added in Windows 10, version 1607. Defines how many days to defer feature updates. Supported values are 0-365 days. The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
Pause quality updates
Added in Windows 10, version 1607. Pauses quality updates for 35 days or when disabled again.
Defer quality updates until (0-30 days)
Added in Windows 10, version 1607. Defines how many days to defer quality updates. Supported values are 0-30 days.
Schedule
An auto-restart imminent warning notification schedule
Added in Windows 10, version 1703. Specifies period for auto-restart imminent warning notifications. The default value is 15 minutes. Supported values are 15, 30, or 60 minutes.
An auto-restart warning notification schedule
Added in Windows 10, version 1703. Specifies period for auto-restart warning notifications. Supported values are 2, 4, 8, 12, or 24 hours. The default value is 4 hours.
Scheduled update install day
Specifies installation day for scheduled updates. Note! This field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Install updates every week
Added in Windows 10, version 1709. Specifies if scheduled updates are installed every week of the month. Please note that this field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Install updates on the first week
Added in Windows 10, version 1709. Specifies if scheduled updates are installed in the first week of the month. Please note that this field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Install updates on the second week
Added in Windows 10, version 1709. Specifies if scheduled updates are installed in the second week of the month. Please note that this field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Install updates on the third week
Added in Windows 10, version 1709. Specifies if scheduled updates are installed in the third week of the month. Please note that this field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Install updates on the fourth week
Added in Windows 10, version 1709. Specifies if scheduled updates are installed in the fourth week of the month. Please note that this field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Scheduled install time (0-23)
Specifies install time for scheduled updates. Supported values are 0-23 where 0 = 12 AM and 23 = 11 PM. The default value is 3. Please note that this field is configurable only if Install automatically and restart on specific time has been selected as automatic update type in general settings.
Restart
Automatic restart deadline (2-30 days)
Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. Supported values are 2-30 days. The default value is 7 days.
An automatic restart notification schedule
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. Supported values are 15 minutes, 30 minutes, 1 hour, 2 hours, and 4 hours. The default value is 15 minutes.
Automatic restart notification dismissal type
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. Supported values are user dismissal and auto dismissal.
Turn off the auto-restart notification
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
Skip restart checks (EDU)
Added in Windows 10, version 1703. Specifies whether all restart checks are skipped to ensure that reboot will happen at the scheduled install time for devices in a cart (educational).
Automatic restart on pending restart (engaged)
Specifies if automatic scheduling and executing a pending restart is configured.
Engaged restart deadline (2-30 days)
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or the deadline is set to 0, the restart will not be automatically executed and will remain an Engaged restart (pending user scheduling). Please note that this field is configurable only if an Automatic restart on pending restart (engaged) is checked.
Engaged restart snooze schedule (1-3 days)
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. Supported values are 1-3 days. The default value is 3 days.
Engaged restart transition schedule (2-30 days)
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Supported values are 2-30 days. The default value is 7 days.
Metered connections
Allow automatic downloads over metered network
Added in Windows 10, version 1709. Defines if automatic updates can be downloaded over the metered network (off by default).
Ignore the mobile operator (MO) app download limit
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
Ignore mobile operator (MO) update download limit
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
Windows Server Update Service (WSUS)
Enable WSUS
Specifies if WSUS is enabled. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise deployments that need to update devices that cannot connect to the Internet.
Update service URL
Specifies Windows Server Update Service (WSUS) location. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs
that need to update devices that cannot connect to the Internet. Please note that this field is configurable only if Enable WSUS is checked.
Alternative update service URL
Specifies alternate Windows Server Update Service (WSUS) location. Note! This field is configurable only if Enable WSUS is checked.
Allow update service
Specifies if public Windows Update services are allowed when using WSUS and intranet update services. Please note that this field is configurable only if Enable WSUS is checked.
Allow non-Microsoft signed update
Specifies if the device accepts updates from WSUS that are not signed by Microsoft. The update must be signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. Note! This field is configurable only if Enable WSUS is checked.
Fill empty content URLs
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata Note! This field is configurable only if Enable WSUS is checked.
After you have created your configuration profile you can deploy it to the devices. See Deploying a configuration profile article for more details. Note that you can only deploy one Windows Update configuration profile to each device.
After the deployment, you can check the values are active on the device from the registry:
HKLMSoftwareMicrosoftPolicyManagerCurrentDeviceUpdate