Create a Windows Patch Policy

Created by Karen Pearl Enrique, Modified on Wed, 26 Jul, 2023 at 7:09 PM by Karen Pearl Enrique

JumpCloud’s automated patch management helps you monitor which version and release your Windows, macOS, or Linux devices are currently using, and remotely schedule and install updates. You can create an OS patch management policy to control which devices will have the policy applied and when it will be applied. There are four Windows out-of-the-box patch policies that are ready to use. These policies are preconfigured with sane defaults. You can save time by using JumpCloud’s default patch policies and policy groups that are preconfigured and ready to use.

Considerations

A restart of the device is required for the policy to take effect.

Create Default Patch Policies and Policy Groups

If your organization has not yet configured any macOS, Windows, or Linux patch management policies or policy groups, you can save time by loading a set of default policies and policy groups. These patch policies and groups can save you time by enforcing security patches on a large number of managed devices.

A policy group helps you quickly and efficiently roll out preconfigured policies using deployment rings. Deployment rings are configured with sane defaults. The deployment ring names match these policy group names, and control how and when an update is applied:

Vanguard – Deploy automated upgrades inside your IT Department.
Early Adoption – Deploy automated upgrades to early adopters outside of IT.
General Adoption – Deploy automated upgrades to general users in your company.
Late Adoption – Deploy automated upgrades to remaining users in your company.

A diagram showing the deployments as sections of an angle, with the categories becoming broader as you move out from the center of the angle. The image starts with Vanguard adoption, then moves through Early, General, and Late Adoption.

Preconfigured settings for the Windows default settings:

Policy Name	Default Setting
Automatically Install minor updates	Checked.
Automatically Install Updates	Checked.
Automatic Updates Behavior	Download the updates automatically and notify when they are ready to be installed.
Specify the day(s) of the week to install updates	Every day.
Specify the time of day to install updates	0:00.
Install updates frequency	Every week of every month.
Automatic Updates detection frequency	Checked.
Hours	1
Automatically install updates during automatic maintenance	Checked.
Enable Windows Update Power Management to automatically wake up the system to install scheduled update	Checked.
Allow non-administrators to receive update notifications	Checked.
Display options for update notifications	Checked.
Display options for update notifications	Use the Default Windows Update notifications.

Note:

The Windows OS Patch Management policy modifies the Windows Updates for Business group policy settings on devices and allows administrators to keep Windows devices up to date with the latest security patches available to devices.

Devices will receive updates based on the configured settings and the updates available to them through the Windows Updates for Business release channel. Microsoft determines what updates are released through which release channels based on the severity of the update and system impact.

Deployment Ring Policy	Quality & Feature Update Deferrals	Quality & Feature Update Install Grace Period	Quality & Feature Update commit and Restart Grace Period
Windows Vanguard	0 Days	1 Day	2 Days
Windows Early Adopter	7 Days	5 Days	2 Days
Windows General Adoption	15 Days	8 Days	2 Days
Windows Late Adoption	30 days	8 Days	2 Days

Quality & Feature Update Deferrals – Specify how many days to defer the availability of future quality and feature OS updates.
Quality & Feature Update Install Grace Period – The number of days before available quality and feature updates are installed on devices automatically.
Quality & Feature Update Commit and Restart Grace Period – Once an update has been installed and is pending commitment, specify the grace period for when the update restarts occur automatically to commit the update.