Enforcing compliance deadlines for updates

• Gäller för:

  ✅ Windows 11, ✅ Windows 10

Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. This article contains information on how to enforce compliance deadlines for clients that use Windows Update for Business.

Policies for compliance deadlines

Policies for Windows 11, version 22H2 and later

Policies for clients running Windows 11, version 22H2 and later

With Windows 11, version 22H2 and later, the following policies are available to manage compliance deadlines for updates:

Policy	Description
Specify deadline for automatic updates and restarts for quality update	This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached.
Specify deadline for automatic updates and restarts for feature update	This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached.

In MDM, these policies are available as separate settings:

• Update/ConfigureDeadlineForFeatureUpdates
• Update/ConfigureDeadlineForQualityUpdates
• Update/ConfigureDeadlineGracePeriod (for quality updates)
• Update/ConfigureDeadlineGracePeriodForFeatureUpdates
• Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
• Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates

When Specify deadline for automatic updates and restarts for either quality updates or feature updates is set:

The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.

The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. This grace period is especially helpful for users returning from vacation or the time away, preventing an immediate forced reboot when they come back.

The effective deadline is whichever is the later of the scan discovery time plus the specified deadline or the scan discovery time plus the grace period. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts before effective deadline and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the effective deadline is reached, the device tries to restart regardless of active hours.

Note

• When these policies are used, user settings for notifications are also used on clients running Windows 11, version 22H2 and later.
• When Specify deadline for automatic updates and restarts for either quality updates or feature updates is used, updates will be downloaded and installed as soon as they are offered.
• When Specify deadline for automatic updates and restarts for either quality updates or feature updates is used, download, installation, and reboot settings stemming from the Configure Automatic Updates are ignored.
  • Starting with the December 10, 2024 update for Windows 11, version 22H2 and later clients, Configure Automatic Updates are respected before the deadline occurs, and ignored once the deadline passes. For instance, if you set up Configure Automatic Updates to schedule update installation at 3:00 AM, you also set up a commercial deadline, then the download and install occurs at the scheduled time from Configure Automatic Updates so long as it's not past the deadline.

Policies for Windows 10, version 22H2

Policies for clients running Windows 10, version 22H2

With Windows 10, version 22H2, the following policies are available to manage compliance deadlines for updates:

Policy	Description
Specify deadlines for automatic updates and restarts	This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.

In MDM, these policies are available as separate settings:

• Update/ConfigureDeadlineForFeatureUpdates
• Update/ConfigureDeadlineForQualityUpdates
• Update/ConfigureDeadlineGracePeriod
• Update/ConfigureDeadlineGracePeriodForFeatureUpdates
• Update/ConfigureDeadlineNoAutoReboot

Suggested configurations for clients running Windows 10, version 22H2

Policy	Location	Quality update deadline in days	Feature update deadline in days	Grace period in days
Specify deadlines for automatic updates and restarts	GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts	2	2	3

When Specify deadlines for automatic updates and restarts is set (Windows 10, version 1709 and later):

For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.)

For quality updates, the deadline countdown starts from the time the update is offered (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device tries to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in the background). When the pending restart time is reached, the device notifies the user and tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours.

Note

• When using the newer policy that contains Feature updates grace period in days, this setting is ignored by clients that are running Windows 11 version 21H2 and earlier. The grace period for quality updates is used for both quality updates and feature updates for these clients.
• When Specify deadlines for automatic updates and restarts is used, download, installation, and reboot settings stemming from the Configure Automatic Updates are ignored.

User experience for restart notifications with compliance deadlines

These deadline policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline passes. At that point, the device automatically schedules a restart regardless of active hours.

These notifications are what the user sees depending on the settings you choose, and what operating system version their device is running. Generally, the user notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the effective deadline occurs. The description doesn't account for changes to the Display options for update notifications policy (Update/NoUpdateNotificationsDuringActiveHours) or other settings that would significantly change the experience.

Windows 11, version 23H2 and later

The following notifications are what the user sees on Windows 11, version 23H2 and later, depending on the settings chosen by the user and the IT administrator:

When Specify deadlines for automatic updates and restarts is set:

While restart is pending, before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.

• If the user set the option Settings > Windows Update > Advanced options > Notify me when a restart is required to finish updating to On, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.

• If the user set Notify me when a restart is required to finish updating to Off (default), they receive a toast notification that a restart is required 24 hours after the device enters a restart pending state for updates.

  

Depending on settings both users and admins configure, toast notification may occur occasionally before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours.

• If an automatic restart is scheduled or the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time.

  

As the device approaches the deadline time, a notification displays in the middle of the screen that contains the deadline time and options to restart now or acknowledge the notification.

15 minutes before the deadline, a notification displays in the middle of the screen notifying the user that a restart is going to occur. Users can either confirm the restart, reschedule, or choose to restart now.

In cases where a user scheduled restart fails but there's still more time before the deadline is reached, the user receives a notification to either restart now or to reschedule the restart.

In cases where the deadline has passed, the user receives a notification that a restart is required. The only options a user can select is to restart now or confirm. The user has 15 minutes to select restart before the device is forced to restart.

In cases where the deadline has passed and the restart failed, the user receives a notification that a restart is required. If the device is plugged in, it will attempt to restart every 5 minutes until the device successfully restarts. The user has 5 minutes to restart before the device is forced to restart.

Windows 11, version 22H2 and earlier

The following notifications are what the user sees on Windows 11, version 22H2 and earlier, depending on the settings chosen by the user and the IT administrator:

When Specify deadlines for automatic updates and restarts is set:

For the first few days, the user receives a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.

• If the device is Windows 11, version 22H2 and the user set the option Settings > Windows Update > Advanced options > Notify me when a restart is required to finish updating to On, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.

• If the device is Windows 11, version 22H2 and the user set Notify me when a restart is required to finish updating to Off (default), they receive a toast notification that a restart is required 24 hours after the device enters a reboot pending state for updates.

  

Depending on settings both users and admins configure, notifications display in the middle of the screen as the deadline gets closer.

• If there's still time for an automatic restart to occur after active hours, the dialog displays an option to let the device restart later along with options to restart now or to pick a time to schedule a restart.

• If there's not time for an automatic restart to occur after active hours, the dialog displays options to pick a time to schedule a restart, restart now, or remind the user later.

During this time before the deadline is reached, if they're allowed, automatic restarts might be scheduled after active hours. If an automatic restart is scheduled or the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time.

The day of the deadline, a notification displays that contains the deadline time and options to restart now or acknowledge the notification.

If the restart is still pending once the deadline passes, a notification displays in the middle of the screen notifying the user that a restart is going to occur. Users can either confirm the restart or choose to restart now.

In cases where a user scheduled restart fails but there's still more time before the deadline is reached, the user receives a notification to either restart now or to reschedule the restart.

In cases where the deadline has passed and the restart failed, the user receives a notification that a restart is required. The user has 5 minutes to restart before the device is forced to restart.

Windows 10, version 22H2

These notifications are what the user sees on Windows 10, depending on the settings chosen by the user and the IT administrator:

When Specify deadlines for automatic updates and restarts is set (For Windows 10, version 1709 and later):

• While restart is pending, before the deadline occurs:

  • For the first few days, the user receives a toast notification

  • After this period, the user receives this dialog:

    

  • If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:

    

• If the restart is still pending after the deadline passes:

  • Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:

    

  • Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: