{"id":3168,"date":"2026-02-20T12:08:57","date_gmt":"2026-02-20T12:08:57","guid":{"rendered":"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/windows-update-policy\/"},"modified":"2026-02-20T12:36:59","modified_gmt":"2026-02-20T12:36:59","slug":"windows-update-policy","status":"publish","type":"docs","link":"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/windows-update-policy\/","title":{"rendered":"Windows Update Policy \u2013 Policy Creation &#038; Association"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>The <strong>Windows Update Policy<\/strong> in Zecurit lets you define exactly how managed Windows devices download, install, and restart after updates. Instead of relying on default Windows settings \u2014 which vary per device \u2014 you create a centralized policy inside a <strong>Profile<\/strong> and push it to any device group in your organization.<\/p>\n\n\n\n<p>This page walks you through creating a new profile, configuring the Windows Update Policy within it, and associating it with your devices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You must have a Zecurit account with administrator access.<\/li>\n\n\n\n<li>At least one device group should exist under <strong>Groups and Devices<\/strong> before association.<\/li>\n\n\n\n<li>Devices must be enrolled in Zecurit to receive the policy.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1 : Create a New Profile<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the left sidebar, go to <strong>Configurations \u2192 Create Profile<\/strong>.<\/li>\n\n\n\n<li>Enter a <strong>Profile Name<\/strong> : for example, <code>Windows Patch<\/code>.<\/li>\n\n\n\n<li>Enter a <strong>Description<\/strong> : for example, <code>Patch for IT Dept<\/code>.<\/li>\n\n\n\n<li>Click <strong>Continue<\/strong>.<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow 
wp-block-quote-is-layout-flow\">\n<p><strong>Tip:<\/strong> Use descriptive profile names that reflect the target audience or policy intent (e.g., <code>IT-Patch-Strict<\/code> vs. <code>HR-Patch-Deferred<\/code>). This makes it easier to manage multiple profiles as your organization grows.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2 : Open Windows Update Policy<\/h2>\n\n\n\n<p>After clicking <strong>Continue<\/strong>, you will land on the profile configuration screen. In the left panel under the profile name, you will see several policy categories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>BitLocker<\/li>\n\n\n\n<li>Device Access Control<\/li>\n\n\n\n<li>Application Control<\/li>\n\n\n\n<li>Power Management<\/li>\n\n\n\n<li>Firewall<\/li>\n\n\n\n<li>User Management<\/li>\n\n\n\n<li><strong>Windows Update Policy<\/strong> \u2190 Select this<\/li>\n<\/ul>\n\n\n\n<p>Click <strong>Windows Update Policy<\/strong> to begin configuring update behavior.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3 : Configure Automatic Updates<\/h2>\n\n\n\n<p>Under <strong>Automatic Updates Configurations<\/strong>, choose one of the following modes:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Option<\/th><th>Behavior<\/th><th>Recommended For<\/th><\/tr><\/thead><tbody><tr><td><strong>Notify for download and install<\/strong><\/td><td>Users are notified before anything is downloaded<\/td><td>Environments where users manage their own workflow<\/td><\/tr><tr><td><strong>Auto download and notify for install<\/strong><\/td><td>Downloads happen silently; users choose when to install<\/td><td>Most organizations<\/td><\/tr><tr><td><strong>Auto download and schedule install<\/strong><\/td><td>Fully automated download and installation<\/td><td>IT-managed devices with no user interaction needed<\/td><\/tr><tr><td><strong>Disable automatic updates<\/strong><\/td><td>No automatic updates \u2014 manual 
only<\/td><td>Highly controlled or air-gapped environments<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Best Practice:<\/strong> For most organizations, <strong>Auto download and schedule install<\/strong> is recommended as it ensures consistent patching without relying on end-user action.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4 : Set Update Deferrals<\/h2>\n\n\n\n<p>Under <strong>Update Deferrals<\/strong>, you can delay updates to allow time for testing before broad rollout.<\/p>\n\n\n\n<p><strong>Defer Quality Updates (Security)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set the number of days to delay monthly security and critical updates (max 30 days).<\/li>\n\n\n\n<li>Example: <code>7 days<\/code> gives your IT team time to test patches on pilot machines before rolling out to the full fleet.<\/li>\n<\/ul>\n\n\n\n<p><strong>Defer Feature Updates<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delay major Windows version upgrades (max 365 days).<\/li>\n\n\n\n<li>Example: <code>30 days<\/code> is a common setting to avoid being on a new Windows feature release on day one.<\/li>\n<\/ul>\n\n\n\n<p><strong>Defer Quality Updates (Security) \u2014 Version Pin<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enter a specific Windows build (e.g., <code>24H2.24H3<\/code>) to pin devices to a known-good version.<\/li>\n<\/ul>\n\n\n\n<p><strong>Product Version<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Select the Windows version to target (e.g., <code>Windows 11<\/code>) from the dropdown.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step 5 : Configure User Experience Settings<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Setting<\/th><th>Description<\/th><th>Recommended<\/th><\/tr><\/thead><tbody><tr><td>Allow users to pause updates<\/td><td>Lets users 
temporarily delay updates from Settings<\/td><td>Off for strict environments<\/td><\/tr><tr><td>Remove access to Windows Update<\/td><td>Hides Windows Update in Settings for end users<\/td><td>On for IT-managed fleets<\/td><\/tr><tr><td>Allow non-administrators to receive update notifications<\/td><td>Notifies all users (not just admins) about pending updates<\/td><td>On<\/td><\/tr><tr><td>Update Notification Level<\/td><td>Controls the verbosity of update notifications (Default, Disabled, Basic, etc.)<\/td><td>Default<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Step 6 : Set Active Hours &amp; Restart Behavior<\/h2>\n\n\n\n<p>Preventing forced restarts during work hours is critical for user productivity.<\/p>\n\n\n\n<p><strong>Configure Active Hours<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Toggle <strong>On<\/strong> to prevent automatic restarts during business hours.<\/li>\n\n\n\n<li>Set <strong>Active Hours Start<\/strong> and <strong>Active Hours End<\/strong> (maximum range: 18 hours).<\/li>\n\n\n\n<li>Example: <code>08:00 AM<\/code> to <code>06:00 PM<\/code><\/li>\n<\/ul>\n\n\n\n<p><strong>Restart Deadlines<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Restart Deadline (Quality Updates):<\/strong> Number of days before a forced restart for quality updates (2\u201314 days). Example: <code>7 days<\/code>.<\/li>\n\n\n\n<li><strong>Restart Deadline (Feature Updates):<\/strong> Number of days before a forced restart for feature updates (2\u201314 days). Example: <code>7 days<\/code>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Grace Period<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Days after a restart becomes pending before users are notified (0\u20137 days). Example: <code>7 days<\/code>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Re-prompt for Restart<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Interval in minutes for restart reminder popups (10\u20131440 minutes). 
Example: <code>240 minutes<\/code> (every 4 hours).<\/li>\n<\/ul>\n\n\n\n<p><strong>No auto-restart with logged-on users<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Toggle <strong>On<\/strong> to prevent automatic restart when users are actively working. Devices will restart at the next available window.<\/li>\n<\/ul>\n\n\n\n<p><strong>Auto-restart with logged-on users<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Toggle <strong>On<\/strong> only if you need to force restarts even when users are logged in (typically used for critical security patches in high-risk environments).<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Use Case:<\/strong> For a hospital IT environment where nurses use shared workstations 24\/7, enable <strong>No auto-restart with logged-on users<\/strong> and set a <strong>Grace Period<\/strong> of 7 days with a 240-minute re-prompt interval to balance security and workflow continuity.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Step 7 : Configure Additional Update Options<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Option<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Install updates for other Microsoft products<\/td><td>Applies updates to Office, Edge, and other Microsoft apps<\/td><\/tr><tr><td>Include driver updates<\/td><td>Allows Windows Update to also install device drivers<\/td><\/tr><tr><td>Install recommended updates<\/td><td>Treats recommended updates the same as important ones<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Toggle each option based on your organization&#8217;s needs. 
For most organizations, enabling <strong>Install updates for other Microsoft products<\/strong> is strongly recommended to keep Office and Edge patched alongside Windows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 8 : Configure Update Sources<\/h2>\n\n\n\n<p><strong>Use WSUS Server<\/strong><\/p>\n\n\n\n<p>If your organization uses Windows Server Update Services (WSUS) to centralize update distribution:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Toggle <strong>Use WSUS Server<\/strong> to <strong>On<\/strong>.<\/li>\n\n\n\n<li>Enter the <strong>WSUS Server URL<\/strong> (e.g., <code>http:\/\/wsus.company.com:8530<\/code>).<\/li>\n\n\n\n<li>Enter the <strong>WSUS Status Server URL<\/strong> (usually the same URL).<\/li>\n\n\n\n<li>Set <strong>Maximum Download Bandwidth<\/strong> and <strong>Maximum Upload Bandwidth<\/strong> as a percentage of available bandwidth (0 = unlimited).<\/li>\n\n\n\n<li>Set <strong>Delivery Optimization Mode<\/strong> : <code>HTTP only<\/code> means updates come only from Microsoft\/WSUS (no peer-to-peer sharing).<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Use Case:<\/strong> Organizations with limited internet bandwidth at branch offices should use a local WSUS server and set a Maximum Download Bandwidth of <code>20%<\/code> to prevent updates from saturating the WAN link during business hours.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Step 9 : Configure Advanced Options<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Option<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Enable power management for scheduled installs<\/td><td>Wakes sleeping devices to install updates at the scheduled time<\/td><\/tr><tr><td>Do not connect to Windows Update Internet locations<\/td><td>Forces traffic through WSUS only \u2014 no direct Microsoft connections<\/td><\/tr><tr><td>Allow signed updates from intranet 
service<\/td><td>Accepts Microsoft-signed updates from the internal WSUS server<\/td><\/tr><tr><td>Feature Update Uninstall Period<\/td><td>Number of days to retain uninstall files for feature updates (default: 10 days)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Step 10 : Save and Publish<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click <strong>Save<\/strong> to save the current configuration as a draft.<\/li>\n\n\n\n<li>Click <strong>Save as Draft<\/strong> to continue editing later.<\/li>\n\n\n\n<li>Click <strong>Publish<\/strong> to activate the policy. Once published, the policy will be applied to associated devices at the next check-in.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step 11 : Associate the Profile with Device Groups<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Groups and Devices<\/strong>.<\/li>\n\n\n\n<li>Select the device group you want to target (e.g., <code>IT-Devices<\/code>).<\/li>\n\n\n\n<li>Click <strong>Assign Profile<\/strong> and select your newly created profile (e.g., <code>Windows Patch<\/code>).<\/li>\n\n\n\n<li>Confirm the association. 
The policy will be pushed at the next device check-in.<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Tip:<\/strong> You can associate the same profile with multiple groups, or create separate profiles for different departments with different deferral and restart settings.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Use Case: Full Walkthrough \u2013 IT Department Patching<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Scenario:<\/strong> You want all IT department laptops to automatically download and install patches, defer quality updates by 7 days for testing, block restarts during 9 AM\u20136 PM, and route all updates through your internal WSUS server.<\/p>\n<\/blockquote>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Configurations \u2192 Create Profile<\/strong> \u2192 Name it <code>IT-Windows-Patch<\/code> \u2192 Click <strong>Continue<\/strong>.<\/li>\n\n\n\n<li>Select <strong>Windows Update Policy<\/strong> in the left panel.<\/li>\n\n\n\n<li>Set <strong>Automatic Updates<\/strong> to <code>Auto download and schedule install<\/code>.<\/li>\n\n\n\n<li>Set <strong>Defer Quality Updates<\/strong> to <code>7 days<\/code> and <strong>Defer Feature Updates<\/strong> to <code>30 days<\/code>.<\/li>\n\n\n\n<li>Toggle <strong>Configure Active Hours<\/strong> on \u2192 Set <code>09:00 AM<\/code> to <code>06:00 PM<\/code>.<\/li>\n\n\n\n<li>Set <strong>Restart Deadline<\/strong> to <code>7 days<\/code> for both quality and feature updates.<\/li>\n\n\n\n<li>Enable <strong>Install updates for other Microsoft products<\/strong>.<\/li>\n\n\n\n<li>Toggle <strong>Use WSUS Server<\/strong> on \u2192 Enter your WSUS URL.<\/li>\n\n\n\n<li>Toggle <strong>Do not connect to Windows Update Internet locations<\/strong> on.<\/li>\n\n\n\n<li>Click <strong>Publish<\/strong>.<\/li>\n\n\n\n<li>Go to <strong>Groups and Devices \u2192 
IT-Devices \u2192 Assign Profile \u2192 IT-Windows-Patch<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p>Your IT department devices will now receive a consistent, controlled patch experience automatically.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Related Pages<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/\">Patch Management Overview<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/missing-patch-detection\/\">Missing Patch Detection<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/endpoint-management\/patch-management\/\">Zecurit Patch Management Product Page<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"featured_media":0,"parent":3147,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-3168","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/comments?post=3168"}],"version-history":[{"count":1,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3168\/revisions"}],"predecessor-version":[{"id":3173,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3168\/revisions\/3173"}],"up":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3147"}],"next":[{"title":"Missing Patch Detection : How to Find Missing 
Patches","link":"https:\/\/zecurit.com\/help\/endpoint-management\/patch-management\/missing-patch-detection\/","href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3169"}],"wp:attachment":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media?parent=3168"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/doc_tag?post=3168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}