Windows Update Policy – Policy Creation & Association


Overview

The Windows Update Policy in Zecurit lets you define exactly how managed Windows devices download, install, and restart after updates. Instead of relying on default Windows settings — which vary per device — you create a centralized policy inside a Profile and push it to any device group in your organization.

This page walks you through creating a new profile, configuring the Windows Update Policy within it, and associating it with your devices.

Prerequisites

  • You must have a Zecurit account with administrator access.
  • At least one device group should exist under Groups and Devices before association.
  • Devices must be enrolled in Zecurit to receive the policy.

Step 1: Create a New Profile

  1. In the left sidebar, go to Configurations → Create Profile.
  2. Enter a Profile Name: for example, Windows Patch.
  3. Enter a Description: for example, Patch for IT Dept.
  4. Click Continue.

Tip: Use descriptive profile names that reflect the target audience or policy intent (e.g., IT-Patch-Strict vs. HR-Patch-Deferred). This makes it easier to manage multiple profiles as your organization grows.

Step 2: Open Windows Update Policy

After clicking Continue, you will land on the profile configuration screen. In the left panel under the profile name, you will see several policy categories:

  • BitLocker
  • Device Access Control
  • Application Control
  • Power Management
  • Firewall
  • User Management
  • Windows Update Policy ← Select this

Click Windows Update Policy to begin configuring update behavior.

Step 3: Configure Automatic Updates

Under Automatic Updates Configurations, choose one of the following modes:

Each option below is listed with its behavior and the environments it is recommended for:

  • Notify for download and install: users are notified before anything is downloaded. Recommended for environments where users manage their own workflow.
  • Auto download and notify for install: downloads happen silently; users choose when to install. Recommended for most organizations.
  • Auto download and schedule install: fully automated download and installation. Recommended for IT-managed devices with no user interaction needed.
  • Disable automatic updates: no automatic updates (manual only). Recommended for highly controlled or air-gapped environments.

Best Practice: For most organizations, Auto download and schedule install is recommended as it ensures consistent patching without relying on end-user action.

Step 4: Set Update Deferrals

Under Update Deferrals, you can delay updates to allow time for testing before broad rollout.

Defer Quality Updates (Security)

  • Set the number of days to delay monthly security and critical updates (max 30 days).
  • Example: 7 days gives your IT team time to test patches on pilot machines before rolling out to the full fleet.

Defer Feature Updates

  • Delay major Windows version upgrades (max 365 days).
  • Example: 30 days is a common setting to avoid being on a new Windows feature release on day one.

Defer Quality Updates (Security) — Version Pin

  • Enter a specific Windows build (e.g., 24H2.24H3) to pin devices to a known-good version.

Product Version

  • Select the Windows version to target (e.g., Windows 11) from the dropdown.

Step 5: Configure User Experience Settings

Each setting below is listed with its description and the recommended value:

  • Allow users to pause updates: lets users temporarily delay updates from Settings. Recommended: Off for strict environments.
  • Remove access to Windows Update: hides Windows Update in Settings for end users. Recommended: On for IT-managed fleets.
  • Allow non-administrators to receive update notifications: notifies all users (not just admins) about pending updates. Recommended: On.
  • Update Notification Level: controls the verbosity of update notifications (Default, Disabled, Basic, etc.). Recommended: Default.

Step 6: Set Active Hours & Restart Behavior

Preventing forced restarts during work hours is critical for user productivity.

Configure Active Hours

  • Toggle On to prevent automatic restarts during business hours.
  • Set Active Hours Start and Active Hours End (maximum range: 18 hours).
  • Example: 08:00 AM to 06:00 PM

Restart Deadlines

  • Restart Deadline (Quality Updates): Number of days before a forced restart for quality updates (2–14 days). Example: 7 days.
  • Restart Deadline (Feature Updates): Number of days before a forced restart for feature updates (2–14 days). Example: 7 days.

Grace Period

  • Days after a restart becomes pending before users are notified (0–7 days). Example: 7 days.

Re-prompt for Restart

  • Interval in minutes for restart reminder popups (10–1440 minutes). Example: 240 minutes (every 4 hours).

No auto-restart with logged-on users

  • Toggle On to prevent automatic restart when users are actively working. Devices will restart at the next available window.

Auto-restart with logged-on users

  • Toggle On only if you need to force restarts even when users are logged in (typically used for critical security patches in high-risk environments).

Use Case: For a hospital IT environment where nurses use shared workstations 24/7, enable No auto-restart with logged-on users and set a Grace Period of 7 days with a 240-minute re-prompt interval to balance security and workflow continuity.

Step 7: Configure Additional Update Options

  • Install updates for other Microsoft products: applies updates to Office, Edge, and other Microsoft apps.
  • Include driver updates: allows Windows Update to also install device drivers.
  • Install recommended updates: treats recommended updates the same as important ones.

Toggle each option based on your organization’s needs. For most organizations, enabling Install updates for other Microsoft products is strongly recommended to keep Office and Edge patched alongside Windows.

Step 8: Configure Update Sources

Use WSUS Server

If your organization uses Windows Server Update Services (WSUS) to centralize update distribution:

  1. Toggle Use WSUS Server to On.
  2. Enter the WSUS Server URL (e.g., http://wsus.company.com:8530).
  3. Enter the WSUS Status Server URL (usually the same URL).
  4. Set Maximum Download Bandwidth and Maximum Upload Bandwidth as a percentage of available bandwidth (0 = unlimited).
  5. Set Delivery Optimization Mode: HTTP only means updates come only from Microsoft/WSUS (no peer-to-peer sharing).

Use Case: Organizations with limited internet bandwidth at branch offices should use a local WSUS server and set a Maximum Download Bandwidth of 20% to prevent updates from saturating the WAN link during business hours.

Step 9: Configure Advanced Options

  • Enable power management for scheduled installs: wakes sleeping devices to install updates at the scheduled time.
  • Do not connect to Windows Update Internet locations: forces traffic through WSUS only; no direct Microsoft connections.
  • Allow signed updates from intranet service: accepts Microsoft-signed updates from the internal WSUS server.
  • Feature Update Uninstall Period: number of days to retain uninstall files for feature updates (default: 10 days).

Step 10: Save and Publish

  • Click Save to save the current configuration as a draft.
  • Click Save as Draft to continue editing later.
  • Click Publish to activate the policy. Once published, the policy will be applied to associated devices at the next check-in.

Step 11: Associate the Profile with Device Groups

  1. Navigate to Groups and Devices.
  2. Select the device group you want to target (e.g., IT-Devices).
  3. Click Assign Profile and select your newly created profile (e.g., Windows Patch).
  4. Confirm the association. The policy will be pushed at the next device check-in.

Tip: You can associate the same profile with multiple groups, or create separate profiles for different departments with different deferral and restart settings.

Use Case: Full Walkthrough – IT Department Patching

Scenario: You want all IT department laptops to automatically download and install patches, defer quality updates by 7 days for testing, block restarts during 9 AM–6 PM, and route all updates through your internal WSUS server.

  1. Go to Configurations → Create Profile → Name it IT-Windows-Patch → Click Continue.
  2. Select Windows Update Policy in the left panel.
  3. Set Automatic Updates to Auto download and schedule install.
  4. Set Defer Quality Updates to 7 days and Defer Feature Updates to 30 days.
  5. Toggle Configure Active Hours on → Set 09:00 AM to 06:00 PM.
  6. Set Restart Deadline to 7 days for both quality and feature updates.
  7. Enable Install updates for other Microsoft products.
  8. Toggle Use WSUS Server on → Enter your WSUS URL.
  9. Toggle Do not connect to Windows Update Internet locations on.
  10. Click Publish.
  11. Go to Groups and Devices → IT-Devices → Assign Profile → IT-Windows-Patch.

Your IT department devices will now receive a consistent, controlled patch experience automatically.
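To confirm that the published policy actually reached a device after the check-in in step 11, the following PowerShell script (an added example, not part of Zecurit's documentation or product) reads the Windows Update policy values on the endpoint and compares them with the walkthrough settings from Steps 3 to 9. It assumes the pushed policy is written to the standard Windows Update policy registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) using the value names Group Policy uses; those names, and the mapping of 09:00 AM / 06:00 PM to the hour values 9 and 18, are assumptions rather than Zecurit-specific identifiers, so adjust them if your tenant stores the policy elsewhere. Run it in an elevated PowerShell session on an enrolled machine in the IT-Devices group.

```powershell
# Added verification script; not part of Zecurit's documentation or product.
# Assumption: the pushed Windows Update Policy is written to the standard
# Windows Update policy registry keys with the value names Group Policy uses.
# Run in an elevated PowerShell session on an enrolled device.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Read one policy value, returning $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Intended values for the IT-Windows-Patch walkthrough (Steps 3 to 9).
# Active hours are assumed to be stored as whole hours in 24-hour time.
$expected = @(
    @{ Path = $auPolicy; Name = 'AUOptions';                          Value = 4;  Label = 'Auto download and schedule install' }
    @{ Path = $wuPolicy; Name = 'DeferQualityUpdatesPeriodInDays';    Value = 7;  Label = 'Defer quality updates (days)' }
    @{ Path = $wuPolicy; Name = 'DeferFeatureUpdatesPeriodInDays';    Value = 30; Label = 'Defer feature updates (days)' }
    @{ Path = $wuPolicy; Name = 'SetActiveHours';                     Value = 1;  Label = 'Active hours enabled' }
    @{ Path = $wuPolicy; Name = 'ActiveHoursStart';                   Value = 9;  Label = 'Active hours start (09:00)' }
    @{ Path = $wuPolicy; Name = 'ActiveHoursEnd';                     Value = 18; Label = 'Active hours end (18:00)' }
    @{ Path = $wuPolicy; Name = 'ConfigureDeadlineForQualityUpdates'; Value = 7;  Label = 'Restart deadline, quality (days)' }
    @{ Path = $wuPolicy; Name = 'ConfigureDeadlineForFeatureUpdates'; Value = 7;  Label = 'Restart deadline, feature (days)' }
    @{ Path = $auPolicy; Name = 'AllowMUUpdateService';               Value = 1;  Label = 'Updates for other Microsoft products' }
    @{ Path = $auPolicy; Name = 'UseWUServer';                        Value = 1;  Label = 'Use WSUS server' }
    @{ Path = $wuPolicy; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Value = 1; Label = 'No direct Windows Update connections' }
)

# Compare every expected value with what the device actually holds.
$results = foreach ($check in $expected) {
    $actual = Get-PolicyValue -Path $check.Path -Name $check.Name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $status = if ($actual -eq $check.Value) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{ Setting = $check.Label; Expected = $check.Value; Actual = $shown; Status = $status }
}
$results | Format-Table -AutoSize

# "Disable automatic updates" (Step 3) appears as NoAutoUpdate = 1 and would
# silently override the schedule above, so flag it explicitly.
if ((Get-PolicyValue -Path $auPolicy -Name 'NoAutoUpdate') -eq 1) {
    Write-Warning 'NoAutoUpdate is 1: automatic updates are disabled on this device.'
}

# Update source (Step 8). A plain http:// WSUS URL carries update metadata
# unencrypted and unauthenticated inside the network; prefer HTTPS on the WSUS server.
$wuServer = Get-PolicyValue -Path $wuPolicy -Name 'WUServer'
if (-not $wuServer) {
    Write-Warning 'WUServer is not set; clients will fall back to Microsoft Update.'
} elseif ($wuServer -notmatch '^https://') {
    Write-Warning "WSUS URL '$wuServer' is not HTTPS."
} else {
    Write-Output "WSUS source: $wuServer"
}

# Delivery Optimization mode (Step 8): 0 = HTTP only, no peer-to-peer sharing.
$doMode = Get-PolicyValue -Path $doPolicy -Name 'DODownloadMode'
if ($null -eq $doMode) { $doMode = '<not set>' }
Write-Output "Delivery Optimization download mode: $doMode"

# Non-zero exit when anything mismatched, so the script can feed a compliance check.
if ($results | Where-Object Status -eq 'MISMATCH') { exit 1 }
exit 0
```

A MISMATCH on every row usually means the device has not checked in since the profile was published; a mismatch on a single row means the value in the profile differs from what the walkthrough intended. The HTTPS warning applies to the example URL in Step 8 (http://wsus.company.com:8530), which serves update metadata over plain HTTP.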
