Deploy Windows Updates to your Devices

The JumpCloud agent can be used to control the download and deployment of Windows Updates to Windows devices with the Windows Update Policy, Configure Windows Updates. These policies are only for Windows desktop machines. 

The JumpCloud agent can control:

  • Automatic installation of minor updates that do not require a reboot.
  • Automatic installation of updates during an automatic maintenance window (if this option is chosen).

The JumpCloud agent can't control:

  • Which individual updates are pushed, beyond the checkboxes that distinguish between “minor” and “standard” Microsoft updates.

Prerequisites:
See Get Started: Policies for prerequisites and for how you can apply JumpCloud Policies to your Devices.

To create the policy, configure the options outlined below.

Update Settings

To configure the Update Settings portion of the policy, select from the options outlined below.

Automatically install minor updates - Specifies whether Windows will automatically install minor updates that do not require a reboot.

Automatically install updates - Specifies whether to automatically install updates. The exact behavior of this depends on the options chosen under the Automatic Updates Behavior window below:

  • Notify before downloading and installing any updates.
  • Download the updates automatically and notify when they are ready to be installed.
  • Automatically download updates and install them on the schedule specified below.
  • Allow local administrators to select the configuration mode in which Automatic Updates should notify about and install updates.

Specify the day(s) of the week to install updates - Specifies when updates will be installed. Only applicable when automatic updates behavior is set to Automatically download updates and install them on the schedule specified below. Options are "every day" or you can specify a single day of the week to repeat.

Specify the time of day to install updates - Specifies when updates will be installed. Only applicable when automatic updates behavior is set to Automatically download updates and install them on the schedule specified below. Options are from 00:00 (midnight) to 23:00 (11pm).

Install updates frequency - Specifies when updates will be installed. Only applicable when automatic updates behavior is set to Automatically download updates and install them on the schedule specified below. Options are:

  • Install every week of every month on the weekday specified. 
  • Specify which week you want the updates installed, also on the weekday specified.

Automatic updates detection frequency - Specifies the number of hours the device waits between checks for Windows updates. The wait time is the sum of the value specified and a random variant of 0-4. The maximum value is 22. The default value is 6.

Turn off auto-restart for updates during active hours - Specifies whether the device will automatically restart after downloading updates during active hours. If this policy is enabled, the device will attempt to restart outside of active hours. 

Automatically install updates during automatic maintenance - Automatic maintenance occurs when the PC is not in use. This preempts any schedule set in the above options. Only available on Windows 8 and later.

Include updates for other Microsoft products - Specifies whether updates for other Microsoft products in addition to Windows are included when automatically updating.

Do not include drivers with Windows Update - Specifies whether drivers are automatically downloaded with the Windows Updates.

Remove access to pause updates - Specifies whether your users will be able to pause automatic updates. If enabled, the update workflow will follow the scheduled update process configured by the organization.

Remove access to use all Windows Update features - Specifies whether your users can manually check for new Windows Updates. If enabled, the Check for updates button will be greyed out. By default, this policy is enabled. 

Enable Windows Update Power Management to automatically wake up the device to install scheduled updates - Specifies whether Windows Update will automatically wake the device from sleep mode to install updates. This will occur both when the updates are pushed to the device and if an install deadline passes while the device is in sleep mode. 

  • If the device is on battery power when Windows Update wakes it, it will not install updates and the device will automatically return to sleep in 2 minutes.

Specify active hours range for auto-restarts - Specifies the maximum number of hours that an employee can set for their active hours, from 8 to 18. If you disable or do not configure this policy, the value will be set to 10 hours. 

Disable feature upgrades via Windows Update - Prevents Windows feature upgrades from being installed through the Windows Update Service. Upgrades can still be installed manually. Supported on Windows 7 and 8.1.

Disable safeguards for feature updates - Specifies whether device safeguard holds can block feature updates from downloading. Safeguard holds are known compatibility issues that block the upgrade from being deployed to affected devices until the issue is resolved.

Manage preview builds - Specifies whether to prevent preview builds from downloading to the device. 

Select the target - Specifies a Feature Update version to be requested in subsequent update scans.

Tip:

You can utilize the Select the target field to limit access to other versions of Windows. For more information on how to configure this, see Limit Access to Versions of Windows Utilizing the Target Version.

Limit Access to Versions of Windows Utilizing the Target Version

Administrators can block end users from certain versions of Windows using JumpCloud's Windows Update Policy. To do so:

  1. Enable the Select the target option.
  2. After you check the Select the target box, two new input fields appear:
    1. In the Which Windows product version would you like to receive feature updates for? field, enter either Windows 10 or Windows 11, depending on which version you want to limit your users to.
    2. In the Target Version for Feature Updates field, specify the version of Windows you want to limit your users to. For more information, see Supported versions of Windows client.

Important:

Both of the input fields must be configured, otherwise the policy will not function.

Note:

These devices will still receive quality and security updates related to the version specified.
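
To confirm on an endpoint that both target fields actually landed, the check below is an added example (not JumpCloud's code) that flags a half-configured target version. It assumes the policy is written as Windows' standard policy registry values TargetReleaseVersion, ProductVersion and TargetReleaseVersionInfo; the function names are hypothetical.

```powershell
# Added example; the function names are hypothetical.
# Assumption: the policy lands as Windows' standard "target feature update
# version" policy values under this key.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Names = 'TargetReleaseVersion', 'ProductVersion', 'TargetReleaseVersionInfo'

function Get-WuTargetValues {
    # Read only the three values of interest; absent values are left out.
    $found = @{}
    $item = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $Names) {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $found[$name] = $prop.Value }
        }
    }
    return $found
}

function Test-WuTargetPin {
    # Accepts a hashtable so the logic can be exercised without touching the registry.
    param([hashtable]$Values = (Get-WuTargetValues))
    $problems = @()
    if ($Values['TargetReleaseVersion'] -ne 1) {
        $problems += 'Select the target is not enabled (TargetReleaseVersion is not 1).'
    }
    if ($Values['ProductVersion'] -notin 'Windows 10', 'Windows 11') {
        $problems += 'Product version is missing or not "Windows 10" / "Windows 11".'
    }
    if ([string]::IsNullOrWhiteSpace($Values['TargetReleaseVersionInfo'])) {
        $problems += 'Target Version for Feature Updates is empty.'
    }
    [pscustomobject]@{
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample: only one of the two input fields was filled in.
$partial = @{ TargetReleaseVersion = 1; ProductVersion = 'Windows 11' }
Test-WuTargetPin -Values $partial | Format-List

# Live check against the local device's registry.
Test-WuTargetPin | Format-List
```

A device that reports Compliant as False after the policy has been applied is still free to move to other feature versions, so treat it as unpinned until both fields are present.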

Notification Settings

To configure the Notification Settings portion of the policy, select from the options outlined below.

Note:

Because Windows 11 Business Edition Pro only displays priority notifications as toast notifications, JumpCloud's notifications do not display as toast notifications by default on Windows 11 devices.

Configure auto-restart required notification for updates - Specifies when and how users will dismiss the required notification to auto-restart. This policy has two options:

  • Auto: The notification will dismiss after a certain amount of time has passed.
  • User Action: Default. The user will manually dismiss the notification. 

Configure auto-restart reminder notification for updates - Specifies the amount of time prior to a scheduled restart that a notification informing the user of the upcoming restart displays. By default, the value is 15 minutes. 

Configure auto-restart warning notification schedule for updates - Creates a schedule to remind and warn users about automatic scheduled restarts. You can specify the amount of time prior to a scheduled restart to notify the user that the restart is imminent. Users cannot postpone the restart once the deadline has passed. 

Allow non-administrators to receive update notifications - Specifies whether users who are not administrators receive update notifications. If enabled, non-administrative users will be able to install all optional, recommended, and important content when they receive a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes.

Display option for update notifications - Defines the update notifications you’d like users to see. The options are:

  • 0 (default): Use the default Windows Update notifications
  • 1: Turn off all notifications, excluding restart warnings
  • 2: Turn off all notifications, including restart warnings

Deferral and Deadline Settings

To configure the Deferral and Deadline Settings portion of the policy, select from the options outlined below.

Defer updates (Windows 10 and Server 2016 + only) - Prevents updates from automatically installing for up to 1 month after release. This does not affect definition updates. Supported by Windows 10 and Server 2016 and later.

Defer feature upgrades - Defers automatic feature upgrade installation by the specified number of days, up to eight months. Requires telemetry to be set to 1 or more. If telemetry is set to 0, deferrals will be disabled. Only supported on Windows 10 and Server 2016 and later.

Specify deadline for restart - Specifies a deadline for the automatic restart necessary to complete update installation. The length of the deadline can be specified, and the restart will occur outside of active hours. This setting is preempted by the policies "No auto-restart with logged on users" and "Always automatically restart at a scheduled time." Supported on Windows Server 2016 and Windows 10 and later.

No auto-restart with logged on users for scheduled automatic updates - Does not execute an automatic restart after updates are automatically installed when users are logged in. Instead, users will be notified they need to reboot in order for updates to take effect. Only applicable when Automatic Updates are configured.
