Configuring Windows Updates using Microsoft Windows Active Directory

Modified on Tue, 24 Sep at 12:56 PM

Introduction

One of the biggest issues facing Windows 10 users is controlling when Windows Updates are applied; there are many horror stories about Windows deciding to just go ahead and install updates at the most awkward moment.

We have already covered pausing Windows Updates in another Help article, so it is worth reading that to understand why you should be doing regular updates, but of course the more control you have over the process the better!

As we note in that article, PCs supplied by Broadcast Radio always come with Windows 10 Pro pre-installed and are already configured not to install Windows Updates ("WU") without your approval, so the rest of this article is primarily for users whose PCs are joined to Windows Active Directory ("AD").

If your computers are members of an AD domain, then you already have total control over when WU are installed.

Configuring the Windows Update settings in Active Directory

Deploying Active Directory ("AD")

Deploying and configuring Active Directory itself is a totally separate matter, so this article assumes you already have a correctly configured AD. There are almost as many articles out there covering this topic as there are "best ways of doing it", so we'll leave that for you to research!

Organizational Units ("OU")

However, our first recommendation is to create a dedicated Organizational Unit ("OU") to put all your broadcast-critical PCs into. This should sit entirely to one side of the rest of your structure, so that any existing policies needed for office devices are kept separate from the broadcast systems. For example, you might have a policy that tells all the office PCs to turn their screens off after 10 minutes and fully power off after 30 minutes, and that would be very bad for your broadcast-critical PCs.

At Broadcast Radio our office site AD is split right at the very top into two site-specific OUs: Hessle Office and Hessle Broadcast. All our other OUs exist under those; for example, under "Hessle Office" we have separate sub-OUs for different departments (e.g. Commercial, Technical, Development) so we can focus policies where needed.

Under "Hessle Broadcast" we have sub-OUs for Live, Testing, Development and Facilities (e.g. servers), again so we can apply more granular control over where policies land.

Group Policy ("GP")

Once you have your OUs created, launch the Group Policy Management tool, find the OU you have moved all your broadcast-critical PCs into, right-click on it and choose Create a GPO in this domain, and Link it here. Give the new Group Policy a suitable name like Manual Update Installation Policy and click OK.

The new GP should show in the tree view; right-click on it and choose Edit.

[Screenshot]

This will open the Group Policy Management Editor. Under Computer Configuration, expand the tree-view nodes and work down through Policies > Administrative Templates > Windows Components, then scroll down to Windows Update and select it.

Then on the right-hand side, double-click on Configure Automatic Updates.

[Screenshot]

This will open the "Configure Automatic Updates" window. In this window, select Enabled and in the drop-down choose option 3 - Auto download and notify for install.

[Screenshot]

We have found that this option gives the best balance: it ensures that the updates are already downloaded onto your PCs, but Windows will NOT try to install them until you open Windows Update and approve them. This means you can plan a maintenance window and do the updates at a controlled time.

Click OK and then close the Group Policy Management Editor window.
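For anyone who would rather script the OU layout and the GPO above than click through Group Policy Management, here is the same end result built with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not a script from Broadcast Radio; it uses the OU and GPO names from this article, reads the domain DN from the directory, and writes the two registry values that the "Configure Automatic Updates" administrative template is backed by (NoAutoUpdate = 0 for Enabled, AUOptions = 3 for "Auto download and notify for install"), so the editor shows the setting exactly as if it had been set in the GUI.

```powershell
# Added example (not Broadcast Radio's own script): the OU layout and the GPO from this
# article built with the RSAT ActiveDirectory and GroupPolicy modules instead of the GUI.
# Run from a domain-joined admin workstation or a DC. OU and GPO names are the ones the
# article uses; the domain DN is read from the directory.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=local (yours will differ)

# Create an OU under $ParentDn if it is not there yet and return its DN.
function Initialize-Ou {
    param([string]$Name, [string]$ParentDn)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # Protect against an accidental delete of an OU full of on-air machines
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$ParentDn"
}

# Top-level broadcast OU, sitting beside (not under) the office OU, plus its sub-OUs
$broadcastOu = Initialize-Ou -Name 'Hessle Broadcast' -ParentDn $domainDn
foreach ($sub in 'Live', 'Testing', 'Development', 'Facilities') {
    $null = Initialize-Ou -Name $sub -ParentDn $broadcastOu
}

# "Create a GPO in this domain, and Link it here" on the broadcast OU
$gpoName = 'Manual Update Installation Policy'
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = $null }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Download updates automatically; install only when approved'
    New-GPLink -Name $gpoName -Target $broadcastOu -LinkEnabled Yes | Out-Null
}

# The "Configure Automatic Updates" ADMX setting is backed by these two registry values,
# so setting them here shows up in the editor as Enabled / option 3.
$auKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null  # Enabled
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null  # 3 = Auto download and notify for install

# Show what the GPO now contains under the AU key
Get-GPRegistryValue -Name $gpoName -Key $auKey | Select-Object ValueName, Type, Value
```

The script is idempotent: running it again finds the existing OUs and GPO and only re-asserts the two values. Linking the GPO at the top-level broadcast OU means every sub-OU (Live, Testing, Development, Facilities) inherits it, which is normally what you want for an update policy.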

Checking the new policy has applied

Depending on your infrastructure, it may take anywhere up to 15 or 30 minutes for the new settings to apply to your PCs, and if you have changed the OU that the PCs are in, then the best thing is to reboot them so they pick up their new place in the organizational hierarchy.

If you want to force the new policies to take effect, open an elevated command prompt and run this command to force an immediate application:

gpupdate.exe /force

As a note, if you have multiple domain controllers ("DCs"), which is recommended, then you may still have to wait up to 15 minutes before all DCs have the new policies.

Once the policies have applied, if you go into Windows Update you should see a new caption at the top that reads "* Some settings are managed by your organisation", and the button at the bottom will change to "Install now" so you can manually start the process.

[Screenshot]
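Looking for the "managed by your organisation" caption is a fine visual check, but when you have a room full of playout PCs it helps to have a check you can run remotely or in bulk. The function below is an added example, not part of the original article: it optionally runs the gpupdate step from above, confirms via gpresult that the GPO named in this article is in the applied list, and then reads the registry values that option 3 leaves behind, reporting which of the common reasons for a miss (wrong OU, replication still pending, another policy overriding) looks most likely. Run it in an elevated PowerShell on a domain-joined Windows 10 PC; the GPO name is the one used in the article.

```powershell
# Added example (not Broadcast Radio's own script): check from the client side that the
# "Manual Update Installation Policy" GPO has actually landed on this PC.
# Run in an elevated PowerShell on a domain-joined Windows 10 PC.
function Test-ManualUpdatePolicy {
    param(
        [string]$GpoName = 'Manual Update Installation Policy',   # name used in the article
        [switch]$Refresh                                         # run gpupdate /force first
    )

    if ($Refresh) {
        # /target:computer limits the refresh to the computer-side policies we care about
        & gpupdate.exe /force /target:computer | Out-Null
    }

    # 1. Is the GPO listed among the applied computer policies?
    #    gpresult prints an "Applied Group Policy Objects" section; a plain text
    #    match on the GPO name is enough for a yes/no check.
    $gpresult  = & gpresult.exe /r /scope computer 2>&1
    $gpoListed = [bool]($gpresult -match [regex]::Escape($GpoName))

    # 2. Did the policy write the registry values behind "Configure Automatic Updates"?
    #    Enabled  -> NoAutoUpdate = 0
    #    Option 3 -> AUOptions    = 3  (auto download, notify for install)
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au    = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    if (-not $au) {
        $applied = $false
        $reason  = 'No WindowsUpdate\AU policy key yet: GPO not applied (PC in the wrong OU, or DC replication still pending)'
    } elseif ($au.NoAutoUpdate -eq 0 -and $au.AUOptions -eq 3) {
        $applied = $true
        $reason  = 'Auto download and notify for install is in force'
    } else {
        $applied = $false
        $reason  = 'Policy key present but values differ: another GPO or a local policy may be overriding this one'
    }

    $noAutoUpdate = if ($au) { $au.NoAutoUpdate } else { $null }
    $auOptions    = if ($au) { $au.AUOptions }    else { $null }

    [pscustomobject]@{
        GpoListed    = $gpoListed
        Applied      = $applied
        NoAutoUpdate = $noAutoUpdate
        AUOptions    = $auOptions
        Reason       = $reason
    }
}

# Example run: refresh policy first, then report
Test-ManualUpdatePolicy -Refresh | Format-List
```

A result of GpoListed = True but Applied = False is the interesting case: the GPO reached the PC, yet something with higher precedence (a GPO linked closer to the computer, or an enforced one higher up) is setting a different AUOptions, which is exactly the situation the dedicated broadcast OU is meant to avoid.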
