Create a Windows Update policy - Legacy UI

SECURITY  Permission to manage Policies at account and/or site level

NAVIGATION  Legacy UI > Account > Policies

NAVIGATION  Legacy UI > Sites > select a site > Policies

Refer to Windows Update policy in Policies.

About Windows Update, Windows Update policy, and Patch Management policy

When Windows Update is enabled on a device, you allow Microsoft to take control of update installations. A Windows Update policy in Datto RMM allows you not only to manage the settings of Windows Update but also to control the installation of updates. Windows Update policies can be created at the account or site level. Refer to Create a policy.

To ensure that a device only receives updates that you have approved, we recommend that you do the following:

  1. Target the device with a Windows Update policy and select Turn off Automatic Updates in the Legacy Settings section.
  2. Target the device with a Patch Management policy as well and specify the patches you want to approve. Refer to Create a Patch Management policy - Legacy UI.

For more information on how to turn off automatic updates, refer to Disable automatic Windows Updates.

NOTE  Patch Management support for macOS devices is available via the ComStore component Install Updates with SUPER [MAC]. For more information, refer to macOS Patch Management.

How to...

Windows Update policies can be created at the account or site level. Refer to Create a policy.

  1. On the Policy page, click New account policy... or New site policy...
  2. Give the policy a Name.
  3. Select the type Windows Update.

  4. To copy an already existing policy to use it as a template, choose it from the Based on drop-down list. To create a new policy, select New Policy.

  5. Click Next.

  6. Click Add a target... to target your devices through a specific filter or group.

    If you want to target more than one filter or group, add another target to the policy. Multiple targets will apply the "OR" logic, that is, the policy will be run on a device if it is included in any of the targets. For more information about target types, refer to Filters - Legacy UI and Groups - Legacy UI.

    NOTE  Device filters contain all Default Device Filters and Custom Device Filters. Devices of Unknown device type will not be targeted by the policy.

  1. Configure the Universal Settings (all Windows versions) section. The screenshot below shows the default settings.
Field Description
Microsoft Update You can select the following option:
Give me updates for Microsoft products and check for new optional Microsoft software when updating Windows. - Selected by default.

NOTE  When this option is selected and applied in the policy, the change will not be visible in the Windows UI; however, the status can be queried by running get-wuservicemanager from a PowerShell prompt and verifying Microsoft Update is set to True.
WSUS If you have set up a Windows Server Update Services (WSUS) server, it will act as a central location for other Windows devices to pull updates from rather than each device downloading Windows updates separately. Essentially, the server acts like a local cache, but only for Windows patches.
The following options are available:
Change Endpoint WSUS Settings - Once selected, the rest of the options will become available. Enter the Server address (for example, http://192.168.1.1).
Do not allow any connections to Microsoft for Patching or Searching when using a WSUS Server.
Client-side Targeting Group Name - When this option is selected, you can enter a target group name or names separated by semicolons (if the intranet Microsoft update service supports multiple target groups). The specified target group information is then sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to the device. If this option is not configured, no target group information will be sent to the intranet Microsoft Update service.
  1. Configure the Windows as a Service Settings. The screenshot below shows the default settings.

NOTE  These settings apply to devices adopting the Windows as a service model (for example, Windows 10).

Field Description
Active Hours You can select the following option:
Configure Active Hours - Selected by default. When this option is selected, you can specify when active hours should start (00:00-23:00 hours) and for how long they should last (1-18 hours).
Update Channel The following options are available:
Change Update Channel settings for applicable devices - Selected by default. This setting also enables device telemetry. Once selected, you'll be able to choose between targeted or broad deployment.
Targeted Deployment: Updates are received immediately following general release (Current Branch)
Broad Deployment: Updates are received later, after receiving community feedback (Current Branch for Business) - Selected by default. Once selected, you'll be able to configure update deferral.
Defer Feature Updates - Selected by default. Once selected, specify if you want to Defer for the maximum time permissible according to OS Build (selected by default) OR Defer for a period as close as possible to X days (up to three numbers, integers only).
Defer Quality Updates - Selected by default. Once selected, specify if you want to Defer for the maximum time permissible according to OS Build (selected by default) OR Defer for a period as close as possible to X days (up to two numbers, integers only).

NOTE  If you choose the Defer for a period as close as possible to X days option, Datto RMM will defer to what the device's Windows version permits. Different versions of Windows have different maximum values. For example, if you enter 35 days but the device's Windows version only supports 28, the update will be deferred to 28 days.

NOTE  Security Updates fall under quality updates.
Peer Sharing Peer sharing can significantly reduce the amount of bandwith consumed for downloading updates. The following options are available:
Permit devices to share Windows Updates within local network - Once selected, the next option will become available as well.
Permit devices to share Windows Updates outside of local network
Fast Startup You can select the following option:
Disable Windows Fast Startup - Selected by default. Selected by default. When this option is selected, updates will be installed on both shutdown and reboot (instead of only on reboot).
  1. Configure the Legacy Settings. The screenshot below shows the default settings.

NOTE  The settings in this section are primarily for operating systems older than Windows 10. However, based on changes from Microsoft, these settings now also work on devices running Windows 10 version 2004 and newer.

Field Description
Configure Updates Select one of the following options:
Automatically detect recommended updates for my computer and install them.
Download updates for me, but let me choose when to install them.
Notify me of updates, but do not automatically install them.
Turn off Automatic Updates. - Selected by default. When selected, the rest of the configuration options will be disabled and unselected. For more information, refer to Disable automatic Windows Updates.
Install new updates Allows you to select on which day and at what time you want to install the updates.
Recommended updates You can select this option:
Give me recommended updates the same way I receive important updates.
Who can install updates You can select this option:
Allow non-Administrative Endpoint Accounts to receive update notifications.
Restart behavior You can select any of the following options:
No auto-restart with logged on users for scheduled Automatic Updates installations. - If this setting is not selected, Automatic Updates will notify the user that the device will automatically restart in 5 minutes to complete the scheduled installations. If checked, Automatic Updates will wait for the device to be restarted by any user who is logged on, instead of causing the device to restart automatically.
Re-prompt for restart with scheduled installations. (Maximum 1440 minutes) - If this setting is not selected, the default delay of 10 minutes will be used. If the setting is enabled, the restart will occur the specified number of minutes after the previous prompt for restart was postponed.
Delay restart for scheduled installations. (Maximum 30 minutes) - If this setting is not selected, the default delay of 15 minutes will be used. If the setting is enabled, the restart will occur the specified number of minutes after the installation is complete.

  1. Click Save and Push Changes.
    If you click Save Only, you'll be directed to your list of policies where you can click Push changes... next to the policy in question.

NOTE  If you click Save Only (legacy UI) or Save and Deploy Later (New UI) instead of Save and Push Changes (legacy UI) or Save and Deploy Now (New UI) when creating or updating a policy, the changes will still be deployed at midnight in your time zone because policies are automatically deployed every 24 hours.

NOTE  The Windows Update service gets restarted when a Windows Update policy is running. However, if patches are being installed via a Patch Management policy at the same time, the Windows Update service will not be restarted, and this will be noted in the Agent logs. If an audit is in progress while a Windows Update policy is running, the Windows Update service will wait for the audit to finish before restarting. This occurs in incremental periods (30, 60, 90, 120, 150, and 180 seconds; that is, a total of 10.5 minutes). If the audit does not complete within this period, the Windows Update service will not be restarted, and this will be noted in the Agent logs. The Windows Update service will be restarted at the next Windows Update policy run time, and all recent changes will then be applied to the targeted devices.

If you are using a Datto RMM Patch Management policy to install only the patches you have selected, you do not want the automatic settings of Windows Update installing patches you have not approved.

The most elegant way to do that is to create a Windows Update policy to disable Automatic Windows Update on the devices you want to patch.

IMPORTANT  Windows updates cannot be disabled on devices running Windows 10 build 1909 and below; however, you can configure various aspects of the updates (as discussed in the Windows as a Service Settings section in Specify the policy details for a Windows Update policy above). For more information about Windows as a service and Datto RMM Patch Management, refer to Patch Management and Windows as a service.

The steps below discuss how to disable Windows updates on devices not adopting the Windows as a service model.

  1. Create a new Windows Update policy. Refer to the steps specified above.
  2. Under Legacy Settings > Configure Updates, select Turn off Automatic Updates. This will leave the rest of the options cleared.

  1. Click Save and Push Changes.
    If you click Save Only, you'll be directed to your list of policies where you can click Push changes... next to the policy in question.

NOTE  If you click Save Only (legacy UI) or Save and Deploy Later (New UI) instead of Save and Push Changes (legacy UI) or Save and Deploy Now (New UI) when creating or updating a policy, the changes will still be deployed at midnight in your time zone because policies are automatically deployed every 24 hours.

NOTE  You can then set up a Patch Management policy to ensure that you install the necessary patches on your devices. Refer to Create a Patch Management policy - Legacy UI.