Notitie
Voor toegang tot deze pagina is autorisatie vereist. U kunt proberen u aan te melden of de directory te wijzigen.
Voor toegang tot deze pagina is autorisatie vereist. U kunt proberen de mappen te wijzigen.
Deploying feature or quality updates for many organizations is only part of the equation for managing device ecosystems. The ability to enforce update compliance is the next important part. Windows Update client policies provide controls to manage deadlines for when devices should migrate to newer versions. This article contains information on how to enforce compliance deadlines for clients that use Windows Update client policies.
Policies for compliance deadlines
Policies for clients running Windows 11, version 22H2 and later
With Windows 11, version 22H2 and later, the following policies are available to manage compliance deadlines for updates:
| Policy | Description |
|---|---|
| Specify deadline for automatic updates and restarts for quality update | This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
| Specify deadline for automatic updates and restarts for feature update | This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
In MDM, these policies are available as separate settings:
- Update/ConfigureDeadlineForFeatureUpdates
- Update/ConfigureDeadlineForQualityUpdates
- Update/ConfigureDeadlineGracePeriod (for quality updates)
- Update/ConfigureDeadlineGracePeriodForFeatureUpdates
- Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
- Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
When the policy Specify deadline for automatic updates and restarts for either quality updates or feature updates is set:
The deadline calculation for both quality and feature updates is based off the time when the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.
The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. This grace period is especially helpful for users returning from vacation or the time away, preventing an immediate forced reboot when they come back.
The effective deadline is whichever is the later of the scan discovery time plus the specified deadline or the restart required time plus the grace period. As soon as installation is complete and the device reaches the pending restart state, users can schedule restarts before the effective deadline. Windows can still automatically get restarted outside of active hours if users choose not to schedule restarts. Once the effective deadline is reached, the device is forced to restart regardless of active hours.
Note
- When these policies are used, user settings for notifications are also used on clients running Windows 11, version 22H2 and later.
- When the policy Specify deadline for automatic updates and restarts for either quality updates or feature updates is used, updates will be downloaded and installed as soon as they are offered.
- When the policy Specify deadline for automatic updates and restarts for either quality updates or feature updates is used, download, installation, and reboot settings stemming from the Configure Automatic Updates are ignored.
- Starting with the December 10, 2024 update for Windows 11, version 22H2 and later clients, Configure Automatic Updates are respected before the deadline occurs, and ignored once the deadline passes. For instance, if you set up Configure Automatic Updates to schedule update installation at 3:00 AM, you also set up a commercial deadline, then the download and install occurs at the scheduled time from Configure Automatic Updates so long as it's not past the deadline.
User experience for restart notifications with compliance deadlines
These deadline policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline passes. At that point, the device automatically schedules a restart regardless of active hours.
These notifications the user sees depend on the settings you choose, and what operating system version their device is running. Generally, the user's notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the effective deadline occurs. Whether or not there is ample time for notifications is determined by the number of days set for the deadline and grace period. If those values are configured to be fewer days than the default, then there is a greater risk that the user will not see proper update notifications. The description doesn't account for changes to the Display options for update notifications policy (Update/NoUpdateNotificationsDuringActiveHours) or other settings that would significantly change the experience and reduce the number of notifications shown.
The following notifications are what the user sees on Windows 11, version 23H2 and later, depending on the settings chosen by the user and the IT administrator:
When the policy Specify deadlines for automatic updates and restarts is set:
While a restart is pending and before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
If the user set the option Settings > Windows Update > Advanced options > Notify me when a restart is required to finish updating to On, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.
If the user set Notify me when a restart is required to finish updating to Off (default), they receive a toast notification that a restart is required 24 hours after the device enters a restart pending state for updates.
Depending on the length of the deadline and grace period, and whether notifications are allowed during active hours, toast notifications may occur at regular intervals before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours.
If the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time.
15 minutes before the effective deadline, a notification displays in the middle of the screen notifying the user that a restart is going to occur. Users can either confirm the restart, reschedule, or choose to restart now.
In cases where a user scheduled restart fails but there's still more time before the effective deadline is reached, the user receives a notification to either restart now or to reschedule the restart.
In cases where the effective deadline has passed, the user receives a notification that a restart is required. The only options a user can select is to restart now or confirm. The user has 15 minutes to select restart before the device is forced to restart.
In cases where the effective deadline has passed and the restart failed, the user receives a notification that a restart is required. If the device is plugged in, it will attempt to restart every 5 minutes.
Policies for maintenance windows
Maintenance windows are a set of capabilities released with the January 2026 Windows non-security update for Windows 11, versions 24H2 and later. You can access them through Group Policy and mobile device management (MDM) solutions. Similar to the namesake maintenance window feature in Microsoft Configuration Manager, this set of policies native to Windows 11 helps ensure that:
- Update actions only take place during hours set as the maintenance window.
- Your devices remain available and performant at other times.
- Your devices remain updated and secure more consistently.
Note
All times set for maintenance windows adhere to the local time of the device.
What kind of devices benefit from maintenance windows?
Use maintenance windows to manage updates for:
- User-less devices (such as kiosks)
- Critical-use devices (such as medical and manufacturing equipment)
The maintenance window family of policies aims to deliver on two promises:
- The managed device doesn't take update actions outside of the maintenance window.
- The managed device takes high-priority actions to be updated inside the maintenance window.
Given these priorities, the feature doesn't offer extensive notification and scheduling controls for the user. For a device with regular users, consider the default Windows update experience without policies or the compliance deadline experience described earlier.
What kind of updates do maintenance windows manage?
Maintenance windows are a native Windows feature. This feature manages all updates brought to you through Windows Update. Eligible updates include standard monthly security updates, hotpatch updates, .NET updates, Microsoft Defender updates, driver and firmware updates, as well as yearly feature updates.
Maintenance window policies and settings
Choose which update actions automatically take place during a maintenance window.
Use the following controls to manage your maintenance window:
- MaintenanceWindowDurationHours
- MaintenanceWindowEnabled
- MaintenanceWindowMonthlyMonthBasedDayOfMonth
- MaintenanceWindowMonthlySchedule
- MaintenanceWindowMonthlyWeekBasedDayOfTheWeek
- MaintenanceWindowMonthlyWeekBasedOccurrenceInMonth
- MaintenanceWindowRepeatScheduleOption
- MaintenanceWindowStartDate
- MaintenanceWindowStartTime
- MaintenanceWindowUpdateActions
- Use the MaintenanceWindowUpdateActions policy to specify which sets of actions must start inside a maintenance window. Choices are Restart, Install and restart, or Download, install and restart. Actions that you don't select proceed according to defaults or other update policies. Nonselected actions can occur both inside and outside of the maintenance window.
- For example, you can choose Install and restart as the only actions to start in a maintenance window. Then the installation of updates and update-triggered restarts only ever start during your set maintenance window hours. However, downloads follow device defaults or other update policies and can occur outside of the maintenance window.
- Set MaintenanceWindowUpdateActions to Restart only. This way, the device downloads and installs updates before the start of the maintenance window. This process sets the device up for successfully restarting and applying the updates during the maintenance window.
- MaintenanceWindowWeeklyFriday
- MaintenanceWindowWeeklyMonday
- MaintenanceWindowWeeklySaturday
- MaintenanceWindowWeeklySunday
- MaintenanceWindowWeeklyThursday
- MaintenanceWindowWeeklyTuesday
- MaintenanceWindowWeeklyWednesday
For more information about the specific values and controls available for these policies, see Update Policy CSP.
When actions start in a maintenance window, they continue until completion. It's possible for actions to overflow to time outside of the maintenance window. However, the system minimizes this risk by not starting actions too close to the end of the current window. For example, if the maintenance window ends at 6 AM, the system only attempts to restart the device before 5:30 AM.
If a device managed through maintenance windows has users, they can still take action on updates. Maintenance windows only control the automatic scheduling of updates.
How to set up a one-time maintenance window
Use one-time maintenance windows for devices that don't have a regular offline schedule, such as medical equipment and factory floor devices. Set the following policies for a one-time, non-recurring maintenance window:
- Set MaintenanceWindowEnabled to 1.
- Set MaintenanceWindowUpdateActions to a desirable value.
- Set MaintenanceWindowStartDate to the start date of this window.
- Set MaintenanceWindowStartTime to the start time of this window.
- Set MaintenanceWindowDurationHours to a desirable value. You need this value to be as long as necessary for the device to complete all updates.
- Set MaintenanceWindowRepeatScheduleOption to 1, to signal a one-time, non-recurring window.
Keep your maintenance window values up to date to avoid unintended behavior.
- Future settings: You can set a one-time maintenance window as far out as 90 days in the future. Once the set maintenance window time passes and you don't update or erase the policy value, the device won't perform the governed update actions for another 90 days.
- Past settings: Check that the one-time maintenance window isn't set for more than 90 days in the past. The system considers these settings to be out of date. The system ignores the value and assumes that there's no maintenance window.
How to set up a repeating maintenance window
A repeating maintenance window works best for devices that have a fixed schedule of offline time, such as retail kiosks. Set the following policies for a repeating maintenance window:
- Set MaintenanceWindowEnabled to 1.
- Set MaintenanceWindowUpdateActions to a desirable value.
- Set MaintenanceWindowStartTime to the start time of this window.
- Set MaintenanceWindowDurationHours to a desirable value. You need this value to be as long as necessary for the device to complete all updates.
- Set MaintenanceWindowRepeatScheduleOption to 2 (repeat daily), 3 (repeat weekly), or 4 (repeat monthly).
Configure MaintenanceWindowRepeatScheduleOption as follows:
- To repeat every day: Set it to 2. No other fields need to be set.
- To repeat every week: Set it to 3. Then decide which days of the week to apply the maintenance window.
- Set MaintenanceWindowWeeklySunday to 1 if the window should repeat every Sunday. Set it to 0 if it shouldn’t apply on Sundays.
- Set corresponding values for other days of the week as well.
- To repeat every month: Set it to 4. Then configure how the maintenance window should repeat within a month:
- Repeat on the same day each month (for example, the 1st day of the month): Set MaintenanceWindowMonthlySchedule to 1. In this case, set MaintenanceWindowMonthlyMonthBasedDayOfMonth to specify the repeating day.
- Repeat on a specific day of a specific week (for example, the 2nd Tuesday each month): Set MaintenanceWindowMonthlySchedule to 2. Then set MaintenanceWindowMonthlyWeekBasedOccurrenceInMonth to specify the repeating week. Finally, set MaintenanceWindowMonthlyWeekBasedDayOfTheWeek to specify the repeating day of that week.
- Repeat on the last day of each month: Set MaintenanceWindowMonthlySchedule to 3.
There's no need to configure MaintenanceWindowStartDate. The configured repeating maintenance window takes effect as soon as you set the Group Policy or when the MDM solution refreshes the policy setting on the end point device.