gregg keizer
Senior Reporter

Microsoft: Use deadline policies and a ‘cloud cadence mindset’ for faster patching

news analysis
Aug 03, 2021
Microsoft, Small and Medium Business, Windows

The most important Windows policies enterprises can use to speed up Windows servicing involve deadline configurations.

Microsoft last week said the most important Windows policies enterprises can set to speed up Windows servicing are those configuring deadlines.

“Setting Compliance Deadlines is the most important policy that every enterprise who cares about achieving reliable update velocity should set,” the Redmond, Wash. company said in the recently published “Optimizing Windows 10 update adoption” document. (The document is included in the “Windows 10 Update Baseline” download as a separate PDF.)

By setting deadline policies, IT admins determine how quickly the update components of Windows should complete the task. According to Microsoft, “These Windows components adapt their behavioral heuristics based on these deadlines in order to attempt to meet the stated deadline.”

IT admins, then, have ultimate control over how long a user can dawdle over or delay an update, but the exact moment when the update is installed is left to the black box of Windows and its inherent intelligence.

The policies — there are currently four — were introduced with Windows 10 1903, the feature upgrade launched in May 2019. Later that summer, they were backported to Windows 10 1709, 1803 and 1809 with those versions’ August 2019 security updates. (This means that all currently supported versions of Windows 10, apart from the first two LTSC/LTSB SKUs, support the deadline policies.)

The policies begin a countdown to the update’s installation deadline from the day the update is published plus any deferral IT may have set. Thus, if the deferral for quality updates (Microsoft’s term for the monthly updates issued on Patch Tuesday, the second Tuesday of each month) were set to 7 days and the deadline to 3 days (Microsoft’s recommendation, by the way), Windows will try to wrap up the update’s installation within 10 days of its release.

Microsoft’s recommended deadline for feature updates — the twice-annual (so far) refreshes that are supposed to include some new features and functions — is a slightly longer 7 days.

Users may choose from several options when notifications pop up regarding quality or feature updates, including asking for a later reminder, rescheduling the install at a later time and/or date, or immediately restarting. Windows decides which of those options to show, “depending on how close the deadline is.” In other words, with a looming deadline — if it’s today, for example — the only option may be to restart.

Here, as elsewhere in setting update policies, Microsoft advises customers to keep their mitts off, essentially telling them that Windows knows best. “We recommend that you do NOT set any notification policies, as they are automatically configured with appropriate defaults,” the white paper states.

Microsoft also urged IT administrators to set grace periods for update deadlines. Grace periods, expressed in days, are the amount of time Windows is given to “find a minimally interruptive automatic restart time before the restart is enforced.” The key there is the phrase “minimally interruptive.” Sans a grace period Windows will simply enforce a restart at the deadline, no matter what’s happening on the device.

One possible scenario: The user returns to work after being absent several days, a stretch during which the device was off and the deadline came and went. In that case, without a grace period, Windows might force an immediate restart as soon as the user logs in on return.

Not cool.

(Microsoft’s recommended grace period? A mere two days.)

Once both the deadline and grace have expired, Windows applies the updates and a restart occurs, even if it’s during work hours (as expressed by Windows 10’s Active Hours setting).
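The deferral, deadline and grace-period arithmetic above (7-day quality deferral plus 3-day deadline, then a 2-day grace window) is easiest to see when the values are written down as the policy Windows actually reads. The following PowerShell is an added example, not code from the Update Baseline or from Microsoft: it writes the policy values to the local policy registry hive that Group Policy and Intune populate, reads them back, and projects the dates for a given Patch Tuesday. Assumptions, labeled in the comments: the registry value names are the ones the “Specify deadlines for automatic updates and restarts” policy writes (the four deadline settings plus the quality-update deferral); the 3/7/2-day figures are Microsoft’s recommendations as quoted in this article, while the 7-day deferral is the article’s illustrative number; the projected dates assume the device stays online for the whole period. Run it elevated; in production you would set these through Group Policy or Intune rather than by hand.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or Computerworld's code). Assumes the value
# names below are what the "Specify deadlines for automatic updates and
# restarts" and "Select when Quality Updates are received" policies write.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 3 / 7 / 2 days are the baseline recommendations quoted in the article;
# the 7-day deferral is the article's illustrative figure, not a recommendation.
$Settings = [ordered]@{
    DeferQualityUpdates                = 1   # enable the quality-update deferral
    DeferQualityUpdatesPeriodInDays    = 7   # days before the update is offered
    ConfigureDeadlineForQualityUpdates = 3   # days after the offer to finish installing
    ConfigureDeadlineForFeatureUpdates = 7
    ConfigureDeadlineGracePeriod       = 2   # days to find a "minimally interruptive" restart slot
    ConfigureDeadlineNoAutoReboot      = 0   # 0 = Windows may auto-restart inside the grace period
}

function Set-UpdateDeadlinePolicy {
    param([string]$Key = $PolicyKey, [System.Collections.IDictionary]$Values = $Settings)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # All of these policy values are REG_DWORD.
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-UpdateDeadlinePolicy {
    param([string]$Key = $PolicyKey, [string[]]$Names = @($Settings.Keys))
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $value = $null
        if ($item) { $value = $item.$name }
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

# Project the dates for one release. Assumes the device is online throughout;
# a device that is off past the deadline gets the grace period only once it
# comes back and learns the deadline has passed.
function Get-UpdateTimeline {
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [int]$DeferralDays = $Settings.DeferQualityUpdatesPeriodInDays,
        [int]$DeadlineDays = $Settings.ConfigureDeadlineForQualityUpdates,
        [int]$GraceDays    = $Settings.ConfigureDeadlineGracePeriod
    )
    $offered  = $ReleaseDate.AddDays($DeferralDays)   # deferral counted from publication
    $deadline = $offered.AddDays($DeadlineDays)       # countdown starts after the deferral
    $forced   = $deadline.AddDays($GraceDays)         # restart enforced even in Active Hours
    [pscustomobject]@{
        Released        = $ReleaseDate.ToString('yyyy-MM-dd')
        OfferedToDevice = $offered.ToString('yyyy-MM-dd')
        Deadline        = $deadline.ToString('yyyy-MM-dd')
        ForcedRestartBy = $forced.ToString('yyyy-MM-dd')
    }
}

Set-UpdateDeadlinePolicy
Get-UpdateDeadlinePolicy | Format-Table -AutoSize

# August 2021's Patch Tuesday (the second Tuesday) as the worked date:
# offered 2021-08-17, deadline 2021-08-20, forced restart by 2021-08-22.
Get-UpdateTimeline -ReleaseDate (Get-Date '2021-08-10')
```

The 10-day figure in the article is the gap between Released and Deadline; the grace period sits on top of that, which is why a restart can still land on a workday two days after the deadline if no quiet slot turned up. A device that is off for the whole window is not protected by these numbers, which is the seldom-used-PC problem the baseline document addresses separately.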

The “Optimizing Windows 10 update adoption” document includes a whole host of other Microsoft advice on accelerating Windows maintenance, ranging from how to handle seldom-used PCs (which, because they’re turned on infrequently, can go for weeks or months without being updated) to how IT can monitor update compliance. Consider it a must-get.

It’s also part of a push by Microsoft to urge commercial customers to adopt cloud-based update management tools, a push that has become more pronounced with the announcement of Windows 11 — the successor to the once “forever” Windows 10 — and then the introduction of Windows 365.

Gabe Frost, a group program manager who leads the commercial Windows-as-a-Service engineering team, used the phrase “cloud cadence mindset” to describe a faster patching philosophy. Not surprisingly, that model requires that customers shift from on-premises patching platforms — notably Windows Server Update Services (WSUS) — to one reliant on Redmond’s cloud-based tools, particularly Intune and Windows Update for Business (WUfB).

Frost cited data he said was gleaned from “the many tens-of-millions of devices that are sending telemetry” to claim that changing to a cloud cadence mindset proved able to patch significantly more of an organization’s devices at both the 14- and 28-day marks after an update’s release.

While that may very well be true, it’s also in Microsoft’s interest to trumpet cloud-based tools because unlike on-premises alternatives, they are licensed through subscription plans — notably Microsoft 365 — that the company prefers for their regular revenue.

The Windows 10 Update Baseline can be downloaded from Microsoft’s website.