Policy CSP - Update

In this article

Update CSP policies are listed below based on the group policy area:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates

When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates

When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.

Description framework properties:

Allowed values:

./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp

This policy setting allows you to configure Automatic Maintenance wake up policy.

The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect.

• If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required.

• If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel

Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays

Defers Feature Updates for the specified number of days. Supported values are 0-365 days.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays

Defers Quality Updates for the specified number of days. Supported values are 0-30.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards

This policy setting specifies that a Windows Update for Business device should skip safeguards.

Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.

IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the Disable safeguards for Feature Updates Group Policy.

Description framework properties:

Allowed values:

./Device/Vendor/MSFT/Policy/Config/Update/ExcludeWUDriversInQualityUpdate

Enable this policy to not include drivers with Windows quality updates.

• If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds

Used to manage Windows 10 Insider Preview builds. Value type is integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdates

Allows IT Admins to pause Feature Updates for up to 60 days.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdatesStartTime

Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28).

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates

Allows IT Admins to pause Quality Updates.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdatesStartTime

Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28).

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ProductVersion

Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows release information.

Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device:

1. The applicable Windows license was purchased through volume licensing, or
2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion

Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows 10 release information.

Supported value type is a string containing Windows version number. For example, 1809, 1903, etc.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AllowUpdateService

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DetectionFrequency

Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.

This policy should be enabled only when UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection

Do not enforce TLS certificate pinning for Windows Update client for detecting updates.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/FillEmptyContentUrls

Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForDriverUpdates

Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types:

• SetPolicyDrivenUpdateSourceForFeatureUpdates
• SetPolicyDrivenUpdateSourceForQualityUpdates
• SetPolicyDrivenUpdateSourceForOtherUpdates

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates

Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types:

• SetPolicyDrivenUpdateSourceForQualityUpdates
• SetPolicyDrivenUpdateSourceForDriverUpdates
• SetPolicyDrivenUpdateSourceForOtherUpdates

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForOtherUpdates

Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types:

• SetPolicyDrivenUpdateSourceForFeatureUpdates
• SetPolicyDrivenUpdateSourceForQualityUpdates
• SetPolicyDrivenUpdateSourceForDriverUpdates

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForQualityUpdates

Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types:

• SetPolicyDrivenUpdateSourceForFeatureUpdates
• SetPolicyDrivenUpdateSourceForDriverUpdates
• SetPolicyDrivenUpdateSourceForOtherUpdates

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetProxyBehaviorForUpdateDetection

Select the proxy behavior for Windows Update client for detecting updates

By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents.

This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.

The following list shows the supported values:

• Not configured: The device checks for updates from Microsoft Update.
• Set to a URL, such as http://abcd-srv:8530: The device checks for updates from the WSUS server at the specified URL.

Description framework properties:

Group policy mapping:

Example:

<Replace>
    <CmdID>$CmdID$</CmdID>
    <Item>
        <Meta>
            <Format>chr</Format>
            <Type>text/plain</Type>
        </Meta>
        <Target>
            <LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
        </Target>
        <Data>http://abcd-srv:8530</Data>
    </Item>
</Replace>

./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrlAlternate

Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursEnd

Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursMaxRange

Enable this policy to specify the maximum number of hours from the start time that users can set their active hours.

The max active hours range can be set between 8 and 18 hours.

• If you disable or do not configure this policy, the default max active hours range will be used.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursStart

Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate

Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart).

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

Enabling this policy will automatically download updates, even over metered data connections (charges may apply)

A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.

This policy is accessible through the Update setting in the user interface or Group Policy.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AllowMUUpdateService

Allows the IT admin to manage whether to scan for app updates from Microsoft Update.

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForFeatureUpdates

Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForQualityUpdates

Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriod

Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriodForFeatureUpdates

Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot

When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod

Enable enterprises/IT admin to configure feature update uninstall period

Description framework properties:

./Device/Vendor/MSFT/Policy/Config/Update/NoUpdateNotificationsDuringActiveHours

0 (default) - Use the default Windows Update notifications 1 - Turn off all notifications, excluding restart warnings 2 - Turn off all notifications, including restart warnings

This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.

Important if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.

If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallDay

Enables the IT admin to schedule the day of the update installation. The data type is a integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallEveryWeek

Enables the IT admin to schedule the update installation on the every week. Value type is integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFirstWeek

Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFourthWeek

Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallSecondWeek

Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallThirdWeek

Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime

the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetDisablePauseUXAccess

This setting allows to remove access to "Pause updates" feature.

Once enabled user access to pause updates is removed.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetDisableUXWUAccess

This setting allows you to remove access to scan Windows Update.

• If you enable this setting user access to Windows Update scan, download and install is removed.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetEDURestart

Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel

0 (default) - Use the default Windows Update notifications 1 - Turn off all notifications, excluding restart warnings 2 - Turn off all notifications, including restart warnings

This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.

Important if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.

If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartDeadlinePeriodInDays

Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date.

The restart may happen inside active hours.

• If you disable or do not configure this policy, the PC will restart according to the default schedule.

Enabling either of the following two policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates

Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date.

The restart may happen inside active hours.

• If you disable or do not configure this policy, the PC will restart according to the default schedule.

Enabling either of the following two policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartNotificationSchedule

Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes).

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartRequiredNotificationDismissal

Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds.

The method can be set to require user action to dismiss the notification.

• If you disable or do not configure this policy, the default method will be used.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod

Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates.

• If the Specify intranet Microsoft update service location policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
• If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

OS upgrade:

• Maximum deferral: Eight months
• Deferral increment: One month
• Update type/notes:
  • Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

Update:

• Maximum deferral: One month

• Deferral increment: One week

• Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic:

  • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
  • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
  • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
  • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
  • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
  • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
  • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
  • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0

Other/can't defer:

• Maximum deferral: No deferral
• Deferral increment: No deferral
• Update type/notes: Any update category not enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod

Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades.

• If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
• If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/DisableDualScan

Enable this policy to not allow update deferral policies to cause scans against Windows Update.

If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartDeadline

Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.

You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.

You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.

If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.

• If you disable or do not configure this policy, the PC will restart following the default schedule.

Enabling any of the following policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations

2. Always automatically restart at scheduled time

3. Specify deadline before auto-restart for update installation

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartDeadlineForFeatureUpdates

Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.

You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.

You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.

If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.

• If you disable or do not configure this policy, the PC will restart following the default schedule.

Enabling any of the following policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations

2. Always automatically restart at scheduled time

3. Specify deadline before auto-restart for update installation

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartSnoozeSchedule

Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.

You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.

You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.

If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.

• If you disable or do not configure this policy, the PC will restart following the default schedule.

Enabling any of the following policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations

2. Always automatically restart at scheduled time

3. Specify deadline before auto-restart for update installation

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartSnoozeScheduleForFeatureUpdates

Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.

You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.

You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.

If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.

• If you disable or do not configure this policy, the PC will restart following the default schedule.

Enabling any of the following policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations

2. Always automatically restart at scheduled time

3. Specify deadline before auto-restart for update installation

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartTransitionSchedule

Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.

You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.

You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.

If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.

• If you disable or do not configure this policy, the PC will restart following the default schedule.

Enabling any of the following policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations

2. Always automatically restart at scheduled time

3. Specify deadline before auto-restart for update installation

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartTransitionScheduleForFeatureUpdates

Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.

You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.

You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.

If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.

• If you disable or do not configure this policy, the PC will restart following the default schedule.

Enabling any of the following policies will override the above policy:

1. No auto-restart with logged on users for scheduled automatic updates installations

2. Always automatically restart at scheduled time

3. Specify deadline before auto-restart for update installation

Description framework properties:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOAppDownloadLimit

Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.

To validate this policy:

1. Enable the policy and ensure the device is on a cellular network.

2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:

   TShell

   exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
   

Description framework properties:

Allowed values:

./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOUpdateDownloadLimit

Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.

To validate this policy:

1. Enable the policy and ensure the device is on a cellular network.

2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:

   TShell

   exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
   

Description framework properties:

Allowed values:

./Device/Vendor/MSFT/Policy/Config/Update/PauseDeferrals

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/PhoneUpdateRestrictions

This policy is deprecated. Use Update/RequireUpdateApproval instead.

Description framework properties:

./Device/Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval

Description framework properties:

Allowed values:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduleImminentRestartWarning

Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes).

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/ScheduleRestartWarning

Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed.

Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user.

You can specify the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work.

• If you disable or do not configure this policy, the default notification behaviors will be used.

Description framework properties:

Allowed values:

Group policy mapping:

./Device/Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable

Allows the IT Admin to disable auto-restart notifications for update installations.

Description framework properties:

Allowed values:

Group policy mapping:

Policy configuration service provider