Managing Compliance Deadlines for Windows
Keeping your Windows devices updated is critical today, not only from a security point of view but also from a productivity one, as Microsoft continues to deliver new features that spawn greater user innovation. Deploying these updates is only part of the equation when it. A computer can download a feature update, for instance, but unless the computer is rebooted, the update won’t be fully installed. Often, users delay rebooting, which prolongs the pending restart status and prevents the device from attaining compliance. That’s why you must enforce compliance. Both Group Policy and Microsoft Endpoint Manager (MEM) give admins the ability to create an enforceable compliance window to ensure that Windows update processes are fully completed.
Deadlines and Grace Periods
These compliance policies allow you to configure a deadline that defines the number of days until a device is forced to restart to ensure compliance. You can also configure an additional grace period to give users a little extra time if needed. Note that you are restricted to defined ranges when assigning these time windows. For Group Policy, the ranges are as follows:
- For quality updates, the deadline can be between 0 and 7 days.
- For feature updates, the deadline can be between 0 and 14 days.
- Grace periods are limited to 0 to 3 days, regardless of the type of update.
MEM provides longer durations to accommodate mobile devices:
- For quality updates, the deadline can be between 2 and 30 days.
- For feature updates, the deadline can be between 2 and 30 days.
- Grace periods are limited to 0 to 7 days, regardless of the type of update.
For quality updates, the deadline and grace period start once the update is offered to the computer. In the case of feature updates, both start once the update has been installed and the computer reaches a pending restart state.
Configuring Compliance Policies
To enforce a compliance policy using the Group Policy Administrative Console, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience and choose “Specify deadlines for automatic updates and restarts.” You can then configure the deadline and grace periods for both quality and feature updates as shown below.
Note that you have other settings available concerning the restarting process that you can assign as well.
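As an added example (not part of the original article), the PowerShell below checks whether the Group Policy deadline settings actually landed on a device and whether each value falls inside the Group Policy ranges listed above. The registry key and value names are assumptions about where this policy is stored, and the function names and sample values are constructed for illustration.

```powershell
# Assumption: the "Specify deadlines for automatic updates and restarts" policy
# writes these values under this key. Confirm against WindowsUpdate.admx on your build.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Group Policy ranges in days, as stated in this article.
$GpRanges = [ordered]@{
    ConfigureDeadlineForQualityUpdates = @(0, 7)
    ConfigureDeadlineForFeatureUpdates = @(0, 14)
    ConfigureDeadlineGracePeriod       = @(0, 3)
}

function Get-DeadlinePolicyValues {
    # Read whatever deadline values exist on this device into a hashtable.
    $values = @{}
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($name in @('SetComplianceDeadline') + @($GpRanges.Keys)) {
            $p = $props.PSObject.Properties[$name]
            if ($p) { $values[$name] = [int]$p.Value }
        }
    }
    return $values
}

function Test-DeadlinePolicy {
    param([Parameter(Mandatory)][hashtable]$Values)

    # Without the enable flag, no restart deadline is being enforced at all.
    $enabled = $Values['SetComplianceDeadline'] -eq 1
    [pscustomobject]@{ Setting = 'SetComplianceDeadline'; Value = $Values['SetComplianceDeadline']
                       Allowed = '1'; Status = $(if ($enabled) { 'OK' } else { 'NotEnforced' }) }

    foreach ($name in $GpRanges.Keys) {
        $v = $Values[$name]
        $min, $max = $GpRanges[$name]
        $status = if ($null -eq $v)                    { 'Missing' }
                  elseif ($v -lt $min -or $v -gt $max) { 'OutOfRange' }
                  else                                 { 'OK' }
        [pscustomobject]@{ Setting = $name; Value = $v; Allowed = "$min-$max"; Status = $status }
    }
}

# Constructed sample: the feature update deadline exceeds the 14-day Group Policy limit.
$sample = @{ SetComplianceDeadline = 1; ConfigureDeadlineForQualityUpdates = 3
             ConfigureDeadlineForFeatureUpdates = 21; ConfigureDeadlineGracePeriod = 2 }
Test-DeadlinePolicy -Values $sample | Format-Table -AutoSize

# On a managed Windows device, audit the live settings instead:
# Test-DeadlinePolicy -Values (Get-DeadlinePolicyValues) | Format-Table -AutoSize
```

A `NotEnforced` or `Missing` row means the policy has not reached the device, so users can keep postponing the restart.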
To configure deadline and grace period durations using MEM, open the Microsoft Endpoint Manager admin center and go to Devices > Create Update ring for Windows 10 and later. Turn on the Allow button to enable deadlines and then assign the deadline and grace period for each update category. Note that the deadlines and grace periods are appended to any configured deferral period. The process is shown in the screenshot below.
By enforcing update compliance for your Windows machines through GP or MDM, you can ensure that required update processes are completed, keeping your computers secure and maximizing user productivity.