GPO - Windows Update - Always installs immediately regardless of setting

Question

GPO - Windows Update - Always installs immediately regardless of setting

Howard Gyton 101

In Windows 11 23H2, and Windows 11 24H2, we have a GPO configured to download updates automatically from our WSUS server, but not to instal, only to notify. However it always installs, no matter what configuration I have tried. The same behaviour is observed with using Windows Update instead of WSUS, so I assuming this is either a change in behaviour in Windows 11, or some option I have configured which is overriding the GPO somehow.

Windows computers are activated with Enterprise licenses.

Below are the settings I currently have configured from the Windows Update option:

Windows Components/Windows Update/Manage end user experience


Policy	Setting	Comment
Allow updates to be downloaded automatically over metered connections	Disabled
Configure Automatic Updates	Enabled
Configure automatic updating:7 - Auto Download, Notify to install, Notify to Restart Configure automatic updating: 7 - Auto Download, Notify to install, Notify to Restart The following settings are only required and applicable if 4 is selected. Install during automatic maintenance Disabled Scheduled install day: 0 - Every day Scheduled install time: 03:00 If you have selected “4 – Auto download and schedule the install” for your scheduled install day and specified a schedule, you also have the option to limit updating to a weekly, bi-weekly or monthly occurrence, using the options below: Every week Enabled First week of the month Disabled Second week of the month Disabled Third week of the month Disabled Fourth week of the month Disabled Install updates for other Microsoft products Disabled
Policy	Setting	Comment
Display options for update notifications	Enabled
Specify the update notifications display options :0 (default) – Default OS Windows Update notifications Specify the update notifications display options : 0 (default) – Default OS Windows Update notifications Apply only during active hours Disabled
Policy	Setting	Comment
Remove access to "Pause updates" feature	Enabled
Remove access to use all Windows Update features	Disabled
Specify deadline for automatic updates and restarts for quality update	Enabled
Deadline (days):2 Deadline (days): 2 Grace period (days): 1 Don't auto-restart until end of grace period Enabled
Policy	Setting	Comment
Turn off auto-restart for updates during active hours	Enabled
Active Hours Active Hours Start: 8 AM End: 6 PM

Windows Components/Windows Update/Manage updates offered from Windows Update


Policy	Setting	Comment
Disable safeguards for Feature Updates	Disabled
Do not include drivers with Windows Updates	Enabled
Enable optional updates	Disabled
Manage preview builds	Disabled
Select the target Feature Update version	Disabled
Select when Preview Builds and Feature Updates are received	Enabled
How many days after a Feature Update is released would you like to defer the
update before it is offered to the device?35 How many days after a Feature Update is released would you like to defer the update before it is offered to the device? 35 Pause Preview Builds or Feature Updates starting: 2025-04-01 (format yyyy-mm-dd example: 2016-10-30)
Policy	Setting	Comment
Select when Quality Updates are received	Enabled
After a quality update is released, defer receiving it for this many
days:0 After a quality update is released, defer receiving it for this many days: 0 Pause Quality Updates starting (format yyyy-mm-dd example: 2016-10-30)

I also noticed some odd inconsistences with the options to delay the installation of feature updates. It's description reads:

"Note, Quality Updates will still be offered even if Features Updates are paused."

But what I have observed is if you set a long another period to defer them, changing the "35" above to "365", then you don't even get quality updates offered. Change that to a lower number,, and the quality updates are eligible again.

I have a VM configured for these tests so I can very quickly snapshot back to the pre-patched state, and run them again. I always confirm checking the registry values by hand to double check correct application of any updated settings before checking for an update.

Any insight into this would be most welcome.

Howard Gyton 101 Reputation points

2025-04-03T12:37:55.3733333+00:00

I just re-read the description for option 7, and that only applies to server products, so I am going to re-test again with option 4. 4 = Automatically download updates and install them on the schedule specified below.

It states it applies to Windows 10 1809, and higher so I am hoping this includes Windows 11.
Howard Gyton 101 Reputation points

2025-04-03T12:46:50.3366667+00:00

So with option 4 set, it still runs the auto install. Interestingly it does honour the option below it, where you specify a scheduled day. I set it to Friday, and a check found nothing. I set it to 0, or every day, and it then found the following items.

So I have the option of controlling when it does the wrong thing, but even then to the day and it still doesn't honour the scheduled time which is 3AM, and its now 13:47 in the afternoon, but still cannot stop the auto install.
Howard Gyton 101 Reputation points

2025-04-03T14:43:30.3633333+00:00

If you have this option turned on, updates are installed immediately. It is currently 15:42. If you disable it, then it doesn't find any patches at all. It doesn't seem to control just the restarts, but also patch availability.

1 answer

Your answer

Howard Gyton 101 Reputation points

2025-04-03T12:37:55.3733333+00:00

I just re-read the description for option 7, and that only applies to server products, so I am going to re-test again with option 4. 4 = Automatically download updates and install them on the schedule specified below.

It states it applies to Windows 10 1809, and higher so I am hoping this includes Windows 11.
Howard Gyton 101 Reputation points

2025-04-03T12:46:50.3366667+00:00

So with option 4 set, it still runs the auto install. Interestingly it does honour the option below it, where you specify a scheduled day. I set it to Friday, and a check found nothing. I set it to 0, or every day, and it then found the following items.

So I have the option of controlling when it does the wrong thing, but even then to the day and it still doesn't honour the scheduled time which is 3AM, and its now 13:47 in the afternoon, but still cannot stop the auto install.
Howard Gyton 101 Reputation points

2025-04-03T14:43:30.3633333+00:00

If you have this option turned on, updates are installed immediately. It is currently 15:42. If you disable it, then it doesn't find any patches at all. It doesn't seem to control just the restarts, but also patch availability.

Answer 1

After running another test, this time with option 2, to notify for download then auto install, I then just left it. Sometime in the last four hours I have a notification in the tool tray:

User's image Clicking on this I then see the following:

User's image

So it appears that going into this window, and manually pressing the "Check for updates" button overrides whatever group policy has configured, and I never knew that!!

I have some further tests to run, with other options, but now that I know this I may have it configured exactly how I want, but didn't realise I was breaking it by running the manual checks. I don't know if it's possible to control the cadence of these checks though. One page I saw said if the check interval is not configured, and even then it only works for WSUS, then it can be up to 22 hours, but for this test it was only 4 or so.

Share via

GPO - Windows Update - Always installs immediately regardless of setting

1 answer

Your answer