Software Management > Profiles > Scan and Analysis
The ‘Only OS Updates’ Patch Strategy configures how updates for Windows and Apple machines are performed on assigned machines.
Individual Windows and Apple patches are not reviewed and selected using this option.
Third-party patches cannot be deployed using this strategy. Use "Third Party Software Updates + OS Updates" strategy if you want to configure 3rd-party software updates as well.
This strategy takes effect as soon as the machine is assigned to the profile, and whenever the profile is updated.
When this patch strategy is selected, two sections appear:
Configure Windows Group Policies Related to Windows Update
Mac OS Update Settings
Configure Windows Group Policies Related to Windows Update
This section contains all Windows Group Policies related to Windows Updates. They can be configured in VSA in a similar way to what an administrator would do on a Domain Controller if their organization uses Active Directory.
A policy can have the following statuses:
Enabled - Windows behaves in the way specified by the policy and uses the specified options, if there are any. The endpoint user is not able to modify those settings in the "Windows Update" application.
Disabled - The policy is turned off and the endpoint user is not able to modify those settings in the "Windows Update" application.
Not Configured - The policy is turned off, but the endpoint user is able to modify those settings in the "Windows Update" application.
Some policies require variables or values, such as (but not limited to) hours, minutes, or days.
After unassigning a machine from the profile, all policies are set back to Not Configured status (default Windows configuration).
Windows policies configured in this section are applied on a machine level. It means that if an endpoint user configured any of the policies listed in this section, their configuration will be overridden when the scan and analysis profile is applied. However, this configuration has lower priority than Windows Policies configured by an administrator on a domain controller (in case their organization uses Active Directory).
Configure Automatic Updates Policy
This policy specifies whether the computer will receive security updates and other important downloads through the Windows automatic updating service.
Note: This policy does not apply to Windows RT.
A policy can have the following statuses:
Enabled – This option specifies that local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. However, local administrators will not be allowed to disable the configuration for Automatic Updates.
Disabled - If this option is selected, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
Not Configured – If this option is selected, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
Turn on recommended updates via Automatic Updates
This policy specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update service.
A policy can have the following statuses:
Enabled – If this option is selected, Automatic Updates will install recommended updates as well as important updates from Windows Update service.
Disabled - If this option is selected, Automatic Updates will continue to deliver important updates if it is already configured to do so.
Not Configured - If this option is selected, Automatic Updates will continue to deliver important updates if it is already configured to do so.
Automatic Updates detection frequency
This policy specifies the hours that Windows will use to determine how long to wait before checking for available updates.
Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
A policy can have the following statuses:
Enabled – If this option is selected, Windows will check for available updates at the specified interval.
Interval (hours) - The exact wait time is the sum of the specified value and a random variant of 0-4 hours.
Disabled - If this option is selected, Windows will check for available updates at the default interval of 22 hours.
Not Configured - If this option is selected, Windows will check for available updates at the default interval of 22 hours.
Allow Automatic Updates immediate installation
This policy specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.
Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
A policy can have the following statuses:
Enabled – If this option is selected, Automatic Updates will immediately install these updates once they are downloaded and ready to install.
Disabled - If this option is selected, Automatic Updates will not be installed immediately.
Not Configured - If this option is selected, Automatic Updates will not be installed immediately.
Allow signed updates from an intranet Microsoft update service location
This policy specifies whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
Note: Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
A policy can have the following statuses:
Enabled – If this option is selected, Automatic Updates accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
Disabled – If this option is selected, Automatic Updates from an intranet Microsoft update service location must be signed by Microsoft.
Not Configured – If this option is selected, Automatic Updates from an intranet Microsoft update service location must be signed by Microsoft.
Delay restart for scheduled installations
This policy specifies the amount of time Automatic Updates will wait before proceeding with a scheduled restart.
Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
A policy can have the following statuses:
Enabled – If this option is selected, a scheduled restart will occur after the specified number of minutes has expired.
Restart (minutes) - Specifies the amount of time (in minutes) Automatic Updates waits before proceeding with a scheduled restart.
Disabled - If this option is selected, the default wait time of fifteen minutes will elapse before any scheduled restart occurs.
Not Configured - If this option is selected, the default wait time of fifteen minutes will elapse before any scheduled restart occurs.
Enabling Windows Update Power Management to automatically wake up the computer to install scheduled updates
This policy specifies whether Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation if there are updates scheduled for installation.
A policy can have the following statuses:
Enabled – If this option is selected, Windows Update will only automatically wake up the system if Windows Update is configured to install updates automatically. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied, then Windows Update will use the Windows Power management features to automatically wake the system up to install the updates.
Disabled - If this option is selected, the system will not wake unless there are updates to be installed. If the system is on battery power, when Windows Update wakes it up, it will not install updates and the system will automatically return to hibernation in 2 minutes.
Not Configured - If this option is selected, Windows Update does not wake the computer from hibernation to install updates.
No auto-restart with logged on users for scheduled automatic updates installations
This policy specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
A policy can have the following statuses:
Enabled – If this option is selected, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.
Note: The computer needs to be restarted for the updates to take effect.
Disabled - If this option is selected, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.
Not Configured - If this option is selected, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.
Re-prompt for restart with scheduled installations
This policy specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.
Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. This policy has no effect on Windows RT.
A policy can have the following statuses:
Enabled – If this option is selected, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.
Restart (minutes) - specifies the number of minutes after the previous prompt.
Disabled - If this option is selected, the default interval is 10 minutes.
Not Configured - If this option is selected, the default interval is 10 minutes.
Do not display `Install Updates and Shut Down` option in Shut Down Windows dialog box
This policy controls whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box.
A policy can have the following statuses:
Enabled – If this option is selected, the 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.
Disabled - If this option is selected, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.
Not Configured - If this option is selected, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.
Do not adjust default option to `Install Updates and Shut Down` in Shut Down Windows dialog box
This policy controls whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog.
Note: This policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
A policy can have the following statuses:
Enabled – If this option is selected, the user's last shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.
Disabled - If this option is selected, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu.
Not Configured - If this option is selected, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu.
Turn on Software Notifications
This policy controls whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service.
Note: By default, this policy setting is disabled. If you are not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect.
A policy can have the following statuses:
Enabled – If this option is selected, a notification message will appear on the user's computer when featured software is available. The user can click the notification to open the Windows Update Application and get more information about the software or install it. The user can also click "Close this message" or "Show me later" to defer the notification as appropriate.
Disabled - If this option is selected, Windows 7 users will not be offered detailed notification messages for optional applications, and Windows Vista users will not be offered detailed notification messages for optional applications or updates.
Not Configured - If this option is selected, Windows 7 users will not be offered detailed notification messages for optional applications, and Windows Vista users will not be offered detailed notification messages for optional applications or updates.
Always automatically restart at the scheduled time
This policy specifies that a restart timer always begins immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
Note: If the "No auto-restart with logged on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
A policy can have the following statuses:
Enabled – If this option is selected, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
Work (minutes) - configures the restart timer to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
Disabled - If this option is selected, Windows Update will not alter its restart behavior.
Not Configured - If this option is selected, Windows Update will not alter its restart behavior.
Do not connect to any Windows Update Internet locations
This policy specifies that, when Windows Update is configured to receive updates from an intranet update service, it does not retrieve information from the public Windows Update service to enable future connections to Windows Update and other services such as Microsoft Update or the Windows Store.
Note: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
A policy can have the following statuses:
Enabled – If this option is selected, it will disable functionality to retrieve information from the public Windows Update service, and may cause connection to public services such as the Windows Store to stop working.
Disabled - If this option is selected, it will not disable functionality to retrieve information from the public Windows Update service.
Not Configured - If this option is selected, it will not disable functionality to retrieve information from the public Windows Update service.
Select when Preview Builds and Feature Updates are received
This policy specifies the level of Preview Build or Feature Updates to receive.
A policy can have the following statuses:
Enabled – If this option is selected, it specifies the level of Preview Build or Feature Updates to receive, and when.
Select the Windows readiness level for the updates you want to receive -
Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.
Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.
Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.
Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.
Semi-Annual Channel: Feature updates will arrive when they are declared Semi-Annual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customers believe that the release is ready for broad deployment.
After a Preview Build or Feature Update is released, defer receiving it for this many days - You can defer receiving Preview Builds for up to 14 days.
Pause Preview Builds or Feature Updates starting (format yyyy-mm-dd example 2016-10-30) - To prevent Preview Builds from being received on their scheduled time, you can temporarily pause them. The pause will remain in effect for 35 days from the start time provided. To resume receiving Feature Updates which are paused, clear the start date field.
Disabled - If this option is selected, Windows Update will not alter policy behavior.
Not Configured - If this option is selected, Windows Update will not alter policy behavior.
Select when Quality Updates are received
This policy specifies when to receive Quality Updates.
Note: If the "Allow Telemetry" policy is set to 0, this policy will have no effect.
A policy can have the following statuses:
Enabled – If this option is selected, specifies when to receive quality updates.
After a quality update is released, defer receiving it for this many days – You can defer receiving quality updates for up to 30 days.
Pause Quality Updates starting – To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field.
Disabled - If this option is selected, Windows Update will not alter policy behavior.
Not Configured - If this option is selected, Windows Update will not alter policy behavior.
Allow updates to be downloaded automatically over metered connections
This policy specifies whether or not to download updates automatically, even over metered data connections.
A policy can have the following statuses:
Enabled – If this option is selected, the updates will be automatically downloaded, even over metered data connections.
Disabled - If this option is selected, the updates will not be automatically downloaded.
Not Configured - If this option is selected, the updates will not be automatically downloaded.
Turn off auto-restart for updates during active hours
This policy specifies that the PC does not restart automatically after updates during active hours. If either of the following two policies is enabled, this policy has no effect:
No auto-restart with logged on users for scheduled automatic updates installations.
Always automatically restart at scheduled time.
A policy can have the following statuses:
Enabled – If this option is selected, the PC will not automatically restart after updates during active hours. The PC will attempt to restart outside of active hours.
Start – specifies the start time for updates.
End – specifies the end time for updates.
Note: The default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
Disabled - If this option is selected, the user selected active hours will be in effect.
Not Configured - If this option is selected, the user selected active hours will be in effect.
Specify intranet Microsoft update service location
This policy specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
A policy can have the following statuses:
Enabled – If this option is selected, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates.
Set the intranet update service for detecting updates - specifies a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
Set the intranet statistics server - specifies a server on your network to function as an intranet statistics server.
Set the alternate download server – specifies the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
Download files with no Url in the metadata if alternate download server is set - allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server. This option is only used if the "Alternate Download Server" is set.
Disabled - If this option is selected, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Not Configured - If this option is selected, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Configure auto-restart reminder notifications for updates
This policy specifies when auto-restart reminders are displayed.
A policy can have the following statuses:
Enabled – If this option is selected, you must specify the period to notify the user.
Period (min) - specifies the amount of time prior to a scheduled restart to notify the user.
Disabled - If this option is selected, the default period will be used.
Not Configured - If this option is selected, the default period will be used.
Configure auto-restart required notification for updates
This policy specifies the method by which the auto-restart required notification is dismissed.
A policy can have the following statuses:
Enabled – If this option is selected, you must specify the method by which the auto-restart required notification is dismissed. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds.
Method – must be set to require user action to dismiss the notification.
Disabled - If this option is selected, the default method will be used.
Not Configured - If this option is selected, the default method will be used.
Configure auto-restart warning notifications schedule for updates
This policy controls when notifications are displayed to warn users about a scheduled restart for the update installation deadline.
A policy can have the following statuses:
Enabled – If this option is selected, notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed.
Reminder (hours) - specifies the amount of time prior to a scheduled restart to display the warning reminder to the user.
Warning (mins) - the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work.
Disabled - If this option is selected, the default notification behaviors will be used.
Not Configured - If this option is selected, the default notification behaviors will be used.
Maximum Background Download Bandwidth (percentage)
This policy specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
A policy can have the following statuses:
Enabled – If this option is selected, Delivery Optimization limits the background download bandwidth it uses across all concurrent download activities to the specified percentage of available download bandwidth.
Maximum Background Download Bandwidth (percentage) - The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
Disabled - If this option is selected, Delivery Optimization does not apply a maximum background download bandwidth, as a percentage of available download bandwidth, across all concurrent download activities.
Not Configured - If this option is selected, Delivery Optimization does not apply a maximum background download bandwidth, as a percentage of available download bandwidth, across all concurrent download activities.
Maximum Foreground Download Bandwidth (percentage)
This policy specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
A policy can have the following statuses:
Enabled – If this option is selected, Delivery Optimization limits the foreground download bandwidth it uses across all concurrent download activities to the specified percentage of available download bandwidth.
Maximum Foreground Download Bandwidth (percentage) - The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
Disabled - If this option is selected, Delivery Optimization does not apply a maximum foreground download bandwidth, as a percentage of available download bandwidth, across all concurrent download activities.
Not Configured - If this option is selected, Delivery Optimization does not apply a maximum foreground download bandwidth, as a percentage of available download bandwidth, across all concurrent download activities.
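Many of the policy notes above say that a policy "has no effect" depending on the status of another policy. The following added example (not part of VSA or of the original page) encodes those notes as rules and reports Enabled policies that would be ineffective in a given profile. The profile dictionary format, the function name and the sample profile are assumptions made for illustration.

```python
# Added example: lint a Scan and Analysis profile against the "has no effect"
# notes on this page. The dict-based profile format is hypothetical.
ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"
STATUSES = {ENABLED, DISABLED, NOT_CONFIGURED}

CAU = "Configure Automatic Updates"
WSUS = "Specify intranet Microsoft update service location"
NO_AUTO_RESTART = ("No auto-restart with logged on users for scheduled "
                   "automatic updates installations")
ALWAYS_RESTART = "Always automatically restart at the scheduled time"
ACTIVE_HOURS = "Turn off auto-restart for updates during active hours"
HIDE_OPTION = ("Do not display 'Install Updates and Shut Down' option in "
               "Shut Down Windows dialog box")
DEFAULT_OPTION = ("Do not adjust default option to 'Install Updates and "
                  "Shut Down' in Shut Down Windows dialog box")

# (policy, other policy, statuses of the other policy that neutralize it),
# each taken from a Note in the policy descriptions on this page.
RULES = [
    ("Automatic Updates detection frequency", WSUS, {DISABLED, NOT_CONFIGURED}),
    ("Automatic Updates detection frequency", CAU, {DISABLED}),
    ("Allow Automatic Updates immediate installation", CAU, {DISABLED}),
    ("Delay restart for scheduled installations", CAU, {DISABLED}),
    (NO_AUTO_RESTART, CAU, {DISABLED}),
    ("Re-prompt for restart with scheduled installations", CAU, {DISABLED}),
    (DEFAULT_OPTION, HIDE_OPTION, {ENABLED}),
    ("Turn on Software Notifications", CAU, {DISABLED, NOT_CONFIGURED}),
    (ALWAYS_RESTART, NO_AUTO_RESTART, {ENABLED}),
    ("Do not connect to any Windows Update Internet locations", WSUS,
     {DISABLED, NOT_CONFIGURED}),
    (ACTIVE_HOURS, NO_AUTO_RESTART, {ENABLED}),
    (ACTIVE_HOURS, ALWAYS_RESTART, {ENABLED}),
    (WSUS, CAU, {DISABLED}),
]


def lint_profile(profile):
    """Return (policy, blocking_policy, blocking_status) for every policy
    that is Enabled in the profile but has no effect per the page's notes.
    Policies missing from the profile are treated as Not Configured."""
    for name, status in profile.items():
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r} for policy {name!r}")
    findings = []
    for policy, other, blocking in RULES:
        # Only an Enabled policy is something the administrator expects to act.
        if profile.get(policy, NOT_CONFIGURED) != ENABLED:
            continue
        other_status = profile.get(other, NOT_CONFIGURED)
        if other_status in blocking:
            findings.append((policy, other, other_status))
    return findings


# Constructed sample profile with several conflicting choices.
SAMPLE_PROFILE = {
    CAU: DISABLED,
    WSUS: NOT_CONFIGURED,
    "Automatic Updates detection frequency": ENABLED,
    "Delay restart for scheduled installations": ENABLED,
    NO_AUTO_RESTART: ENABLED,
    ALWAYS_RESTART: ENABLED,
    ACTIVE_HOURS: ENABLED,
}

if __name__ == "__main__":
    for policy, other, status in lint_profile(SAMPLE_PROFILE):
        print(f"'{policy}' has no effect: '{other}' is {status}")
```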
Mac OS Update Settings
The following Mac OS settings are checked in the System Preferences > Apple Store dialog for each Operating System Update value selected in Software Management.
In Software Management
Ask user to download and install
Automatically download and ask user to install
Automatically download and schedule installation
Require automatic updates but let user configure
Turn off Operating System Update
Automatically check for updates
Download Newly available updates in Background
Install app updates
Install OS X updates
Install system data files and security updates
Mapping to MacOS Software Update
Automatically check for updates. This checkbox is selected by default.
Automatically install MacOS updates. This is disabled until Automatically check for updates is activated. This checkbox is selected by default.
Automatically install app updates from the App Store. This is disabled until Automatically check for updates is activated. This checkbox is selected by default.
Automatically install system data files and security updates. This is disabled until Automatically check for updates is activated. This checkbox is selected by default.
Note: MacOS Software Update Settings options should be deployed during the machine scan process.
Windows Native Patching Monitoring
This feature can work only if no other application is aggressively trying to change the Windows Update GPO. If there is such an application, the feature will stop trying to enforce its configuration and write the following entry to the Windows Event Log:
"Software Management Native OS feature stopped Windows Patch Group Policy management due to external application interference."
Note: If this entry is logged, the problem has to be investigated further. Once it is fixed, the machine needs to be restarted or the profile reapplied from the VSA.
Software Management Native OS feature will stop applying the configuration and write the warning if there are over 20 changes in the OS patching GPOs in one hour.
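When investigating the interference warning, it helps to see which writer pushed the change count over the limit. The following added example (not VSA code) applies the "over 20 changes in one hour" threshold stated above to a constructed change log and ranks the processes responsible. The log line format, the process names and the use of a sliding one-hour window are assumptions; the page states only the threshold.

```python
# Added example: find the point at which changes to the Windows Update
# policy settings exceed the page's threshold and rank who made them.
from collections import Counter, deque
from datetime import datetime, timedelta

THRESHOLD = 20                 # page: "over 20 changes ... in one hour"
WINDOW = timedelta(hours=1)    # assumption: counted over a sliding window


def parse_line(line):
    """Constructed format: '<ISO timestamp> <process> <changed value name>'."""
    ts, process, value = line.split()
    return datetime.fromisoformat(ts), process, value


def find_interference(lines, threshold=THRESHOLD, window=WINDOW):
    """Return details of the first moment more than `threshold` changes fall
    inside one window, or None if the threshold is never exceeded."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = deque()
    for event in events:
        recent.append(event)
        # Drop changes that are a full window (or more) older than this one.
        while event[0] - recent[0][0] >= window:
            recent.popleft()
        if len(recent) > threshold:
            writers = Counter(process for _, process, _ in recent)
            return {
                "tripped_at": event[0],
                "changes": len(recent),
                "writers": writers.most_common(),
            }
    return None


def sample_log():
    """Constructed sample: two hypothetical processes fighting over the
    AUOptions policy value on the morning of 2024-01-15."""
    start = datetime(2024, 1, 15, 9, 0)
    lines = [
        f"{(start + timedelta(minutes=2 * i)).isoformat()} "
        "other-patch-tool.exe AUOptions"
        for i in range(18)
    ]
    lines += [
        f"{(start + timedelta(minutes=5 * i, seconds=30)).isoformat()} "
        "vsa-agent.exe AUOptions"
        for i in range(6)
    ]
    return lines


if __name__ == "__main__":
    result = find_interference(sample_log())
    if result is None:
        print("threshold not exceeded")
    else:
        print(f"{result['changes']} changes within one hour "
              f"as of {result['tripped_at']}")
        for process, count in result["writers"]:
            print(f"  {process}: {count}")
```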