Create a Windows Patch Policy

JumpCloud’s automated patch management helps you monitor which version and release your Windows, macOS, or Linux devices are currently using, and remotely schedule and install updates. You can create an OS patch management policy to control which devices will have the policy applied and when it will be applied. There are four Windows out-of-the-box patch policies that are ready to use. These policies are preconfigured with sane defaults. You can save time by using JumpCloud’s default patch policies and policy groups that are preconfigured and ready to use. See Create Default Patch Policies and Policy Groups below.

JumpCloud also provides a universal browser patch policy that keeps Google Chrome up to date for macOS, Windows, and Linux. See Create a Universal Browser Patch Policy.

Contact your Account Manager if you’re interested in adding OS and browser patch management to your package or to learn more about Patch Management. Pricing for patch management is located at https://jumpcloud.com/pricing.

This article discusses the Advanced Windows Updates policy. For the Automatic MacOS Updates policy, see Create a MacOS Patch Policy. For the Linux Patch Management Policy, see Create a Linux Patch Policy.

Considerations

  • A restart of the device is required for the policy to take effect.

Create Default Patch Policies and Policy Groups

If your organization has not yet configured any macOS, Windows, or Linux patch management policies or policy groups, you can save time by loading a set of default policies and policy groups. These patch policies and groups can save you time by enforcing security patches on a large number of managed devices.

A policy group helps you quickly and efficiently roll out preconfigured policies using deployment rings. Deployment rings are configured with sane defaults. The deployment ring names match these policy group names, and control how and when an update is applied:

  • Vanguard – Deploy automated upgrades inside your IT Department.
  • Early Adoption – Deploy automated upgrades to early adopters outside of IT.
  • General Adoption – Deploy automated upgrades to general users in your company.
  • Late Adoption – Deploy automated upgrades to remaining users in your company.
A diagram showing the deployments as sections of an angle, with the categories becoming broader as you move out from the center of the angle. The image starts with Vanguard adoption, then moves through Early, General, and Late Adoption.

To create a default Windows patch policies and policy groups:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. Select Patch Management, then select the OS tab.
  4. If you haven’t yet configured a patch policy or patch policy group, click Load Default Policies & Policy Groups to create four out-of-the-box default policy groups. Each policy group contains three preconfigured deployment ring policies that are automatically bound to the group.
  1. Review the preconfigured settings for the Windows default policies:
Policy Name Default Setting
Automatically Install minor updates Checked.
Automatically Install Updates Checked.
Automatic Updates Behavior Download the updates automatically and notify when they are ready to be installed.
Specify the day(s) of the week to install updates Every day.
Specify the time of day to install updates 0:00.
Install updates frequency Every week of every month.
Automatic Updates detection frequency Checked.
Hours 1
Automatically install updates during automatic maintenance Checked.
Enable Windows Update Power Management to automatically wake up the system to install scheduled update Checked. 
Allow non-administrators to receive update notifications Checked.
Display options for update notifications Checked.
Display options for update notifications  Use the Default Windows Update notifications. 

Note:

The Windows OS Patch Management policy modifies the Windows Updates for Business group policy settings on devices and allows administrators to keep Windows devices up to date with the latest security patches available to devices.

Devices will receive updates based on the configured settings and the updates available to them through the Windows Updates for Business release channel. Microsoft determines what updates are released through which release channels based on the severity of the update and system impact.  

  1. Review the Deferral and Deadline Settings and the Update Enforcement & Restart Settings in the Admin Portal for the four default Windows OS Patch Management policies below:
Deployment Ring Policy Quality & Feature Update Deferrals Quality & Feature Update Install Grace Period Quality & Feature Update commit and Restart Grace Period
Windows Vanguard 0 Days 1 Day 2 Days
Windows Early Adopter 7 Days 5 Days 2 Days
Windows General Adoption 15 Days 8 Days 2 Days
Windows Late Adoption 30 days 8 Days 2 Days
  • Quality & Feature Update Deferrals – Specify how many days to defer the availability of future quality and feature OS updates.
  • Quality & Feature Update Install Grace Period – The number of days before available quality and feature updates are installed on devices automatically.
  • Quality & Feature Update Commit and Restart Grace Period – Once an update has been installed and is pending commitment, specify the grace period for when the update restarts occur automatically to commit the update. 
  1. (Optional) Review your default policy groups and policies. The policies are automatically assigned to the appropriate group.

    For example, the Vanguard Ring Policy Group automatically contains these three preconfigured deployment ring policies:
    • Linux (Ubuntu) Vanguard Ring
    • MacOS Vanguard Ring
    • Windows Vanguard Ring

Tip:

If you created a default policy group and later try to add a policy with the same name, an error does not appear. Instead, the existing default policy will be used.

  1. (Optional) Select the Devices tab. Select one or more devices where you’ll apply this policy.
  2. Click save.
  3. After the policy runs, you can view detailed results for a specific device:
    1. Go to DEVICE MANAGEMENT > Devices.
    2. Select the Devices tab, then select the device.
    3. Select Policy Results, then click view to see more details. An Exit Code of 0 means the policy ran successfully.
  4. To delete a patch policy, select the checkbox next to the policy and click delete. The policy is removed from the OS Patch Management list.

Create a Windows Patch Management Policy

Creating the Policy

To create a Windows Patch Management Policy, you must first create a new policy, then configure settings of the policy.

To create the Advanced Windows Updates policy:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. Select Patch Management, then select the OS tab. Only OS patch policies appear in this tab.
  4. If this is the first time you’ve accessed the OS tab, click Load Default Policies & Policy Groups. See Create Default Patch Policies and Policy Groups above.
  5. Click ( + ) to add a new policy, then choose Windows.

Tip:

You can also use default patch policies to quickly create a policy. See Creating a Default Windows Patch Management Policy above.

  1. (Optional) On the New Policy panel, enter a new name for the policy or keep the default. Policy names must be unique.
  2. Next, configure the various settings of the policy.

Tip:

You can save the policy at this point, but it will not take effect until you apply it to a device or device group.

Configuring Update Settings

To configure the Update Settings for the Advanced Windows Updates policy:

  1. Select Automatically install minor updates to have Windows automatically install all minor updates that do not require a reboot.
  2. Select Automatically Install Updates to automatically install updates based on these fields:
    • Automatic Updates Behavior – Choose the behavior that controls when new updates are ready to install.
    • Specify The Day(s) Of The Week To Install Updates – Choose when to install updates. This field is applicable only when the Automatic Updates Behavior field is set to Automatically download updates and install them on the schedule specified below.
    • Specify the Time Of Day To Install Updates – Choose what time the updates will be installed. This field is applicable only when the Automatic Updates field is set to Automatically download updates and install them on the schedule specified below.
    • Install Updates Frequency – Choose the frequency of when updates are installed. This field is applicable only when the Automatic Updates field is set to Automatically download updates and install them on the schedule specified below. The options are:
      • Every week of every month
      • First week of every month
      • Second week of every month
      • Third week of every month
      • Fourth week of every month
  3. Select Automatic Updates detection frequency to set the number of hours the device will wait between checks for Windows updates.
    • Hours – Choose the number of hours.
  4. Select Automatically install updates during automatic maintenance to install updates during times when the PC is not in use. This preempts any schedule set in previous fields.
  5. Select Include updates for other Microsoft products to get updates for other Microsoft products (in addition to Windows) when automatically updating.
  6. Select Do not include drivers with Windows Update so that drivers are not automatically downloaded with the Windows Updates. 
  7. Select Remove access to “Pause Updates” feature to prevent your users from pausing automatic updates.
  8. Select Remove access to use all Windows Update features to prevent your users from manually checking for new Windows Updates.
  9. Select Enable Windows Update Power Management to automatically wake up the system to install scheduled updates to allow Windows Update to automatically wake the device from sleep mode to install updates. This occurs both when the updates are pushed to the system and if an install deadline passes while the device is in sleep mode. If the system is on battery power when Windows Update wakes it, it will not install updates and the system will automatically return to sleep in two minutes.
  10. Select Disable Feature Upgrades via Windows Update to prevent the Windows Update Service from installing feature upgrades. You can install upgrades manually if necessary.
  11. Select Disable Safeguards for Feature Updates to specify whether device safeguard holds can block feature updates from downloading. 
  12. Select Manage preview builds to control preview builds from downloading to the device.
    • Set The Behavior For Receiving Preview Builds – Choose whether users can disable or enable preview builds.
  13. Select Select the target to specify a Feature Update version to be requested in subsequent scans.
    • Which Windows Product Version Would You Like To Receive Feature Updates For – Specify the Windows product (for example, Windows 10) to request in subsequent scans. For a list of available products and versions, see Supported versions of Windows client.
    • Target Version for Feature Updates – Specify the Windows version (for example, 22H2) to request in subsequent scans.

Configuring Notifications Settings

To configure the Notifications Settings of the policy:

  1. Select Configure auto-restart required notification for updates to specify the method by which the auto-restart required notification is dismissed. If selected, the Specify Method To Dismiss Auto-Restart Notification dropdown menu displays with the following options:
    • Auto – The notification is automatically dismissed after 25 seconds. This is the default option.
    • User Action – The user has to manually dismiss the notification. 
  2. Select Configure auto-restart reminder notification for updates to specify the amount of time prior to a scheduled restart to notify your users. If selected, the Specify Reminder Period for Auto-Restart In Minutes dropdown menu displays with the following options:
    • 15
    • 30
    • 60
    • 120
    • 240
  3. Select Configure auto-restart warning notification schedule for updates to specify when notifications are displayed to warn users that there is a scheduled restart for update installation. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed. Two fields appear when selected:
    • Specify The Period for Auto-Restart Reminder Hours – Specifies the number of hours prior to a scheduled restart to warn the user. Used in conjunction with the following field.
    • Specify The Period For Auto-Restart Warning Minutes – Specifies the number of minutes prior to a scheduled restart to warn the user. Used in conjunction with the previous field. 
  4. Select Allow non-administrators to receive update notifications to control whether non-administrative users will receive update notifications based on the Automatic Updates Behavior policy setting, described in the Update Settings section above. 
  5. Select Display options for update notifications to specify which Windows Update notifications your users will see. If selected, the Select Update Notification Option drop-down displays with the following options:
    • Use the default Windows Update notifications
    • Turn off all notifications, excluding restart warnings
    • Turn off all notifications, including restart warnings

Configuring Deferral and Deadline Settings

To configure the Deferral and Deadline Settings of the policy of the policy:

  1. Select Defer Updates (Windows 10 and Server 2016 or higher) to prevent updates from automatically installing for up to 1 month after release. This does not affect definition updates. Supported by Windows 10 and Server 2016 and later. If selected, two additional fields appear:
  • Number Of Days To Defer – Specifies the number of days to prevent updates from automatically installing, up to 30 days.
  • Pause Update Installation Starting On This Date (Yyyy-Mm-Dd) – Pauses update installation beginning on the specified date, for up to 35 days (or until cleared). To resume normal update installation, leave this field blank. 
  1. Select Defer feature upgrades to defer automatic feature upgrade installation by the specified number of days, up to 8months. Only applicable if upgrade deferrals are enabled. If selected, three additional fields appear:
    • Number Of Days To Defer Feature Upgrades – Specifies the number of days to defer upgrades, up to 8 months. 
    • Upgrade Channel – Specifies the upgrade channel. A telemetry level of 2 is required for Preview builds (and your domain must be registered with the Windows Insider Program). For all other feature upgrade deferrals, telemetry must be set to at least 1. Note that Windows 10 1703 only supports Current Branch and Current Branch for Business and 1709 supports all 5 options.
    • Pause Update Installation Starting On This Date (Yyyy-Mm-Dd) – Pauses update installation beginning on the specified date, for up to 35 days (or until cleared). To resume normal update installation, leave this field blank.
  2. Configure the Update Enforcement & Restart Settings:

Configuring the Update Enforcement & Restart Settings

To configure the Update Enforcement & Restart Settings of the policy:

  1. Select Specify deadline for restart to set a deadline for the automatic restart necessary to complete the update.
    • Specify The Deadline For The Automatic Restart (In Days) – Enter the number of days for the automatic restart to complete the update. The update will occur outside of active hours. If the No auto-restart with logged on users for scheduled automatic updates field and the Always automatically restart at a scheduled time field are both selected, then this field will have no effect.
  2. Select No auto-restart with logged on users for scheduled automatic updates to stop an automatic restart after an update was automatically installed while users are logged in. Instead, users will be notified that they should reboot for the update to take effect. This only applies when Automatic Updates are selected in the Update Settings section. 
  3. Select Turn off auto-restart for updates during active hours to control if a device will automatically restart after downloading updates during active hours.
    • Active Hours Start – Choose the beginning of active hours.
    • Active Hours End – Choose the end of active hours.
  4. Select Specify active hours range for auto-restarts to determine the most hours in a day that a user can set as active hours. If you disable or do not configure this policy, the value is set to 10 hours.
    • Max Active Hours – Choose the maximum number of active hours allowed in one day.
  5. Select Always automatically restart at the scheduled time to force a restart of a user’s device after a specified time after the initial Windows Update installation.
    • Number of Minutes Between Update And Forced Restart – Enter the number of minutes. Valid values are 15-180 minutes. If the No auto-restart with logged on users for scheduled automatic updates installations field is selected, then this field will have no effect.
  6. Select Specify deadlines for automatic updates and restarts to specify the number of days before quality and feature updates are automatically installed on your devices, and also specify a grace period after which required restarts occur automatically. ​​This policy overrides the following settings: Specify deadline before auto-restart for update installation, auto-restart notification settings, always automatically restart at the scheduled time, Automatically Install Updates.
    • Quality update installation grace period – Specifies the number of days, from 0 to 30, that a user has before feature updates are installed on their devices automatically. Devices must restart after installation to upgrade to the latest version. 
    • Quality update commit and restart grace period – Specifies a minimum number of days, from 0 to 7, after the installation grace period that a device restart will occur automatically to trigger the quality update installation. 
    • Feature update installation grace period – Specifies the number of days a user has, from 0 to 30, before feature updates are installed on their devices automatically. Devices must restart after installation to upgrade to the latest version. 
    • Feature update commit and restart grace period – Specifies a minimum number of days, from 0 to 7, after the installation grace period that a restart will occur automatically to trigger the feature update installation. 

Applying the Policy to a Device

To apply the patch policy to a device:

  1. In the policy, select the Device Groups tab. Select one or more device groups where you’ll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  2. Select the Devices tab. Select one or more devices where you’ll apply this policy.
  3. Click save, then click save again if prompted. The configured policy appears in the OS tab.

Note:

The JumpCloud Agent will download the patch policy automatically, but there may be a delay between implementation and when the policy takes effect on the local device.

Warning:

A restart of the device is required for the policy to take effect.

Force the Patch Policy to Apply on a Device

To force the policy to take effect as soon as possible, you can manually run a Group Policy Update on the device:

  1. Wait at least 60 seconds for the JumpCloud Agent to download the policy updates to the local devices.
  2. Open the Windows Command Prompt on the local device and run the gpupdate /force command.
  3. Restart the device.

Alert Behavior of OS Updates

The alerts for updates using the JumpCloud Patch Management policies are delivered to users via the default system notifications on Windows. This aligns with Microsoft's recommendations and leverages Windows Updates’ built-in intelligence for prompting users and scheduling restarts. 

Specify a Target Feature Version

The default Patch Management policies configure update settings to get Windows devices fully up to date with any feature and make quality updates available to them. Admins can target a specific Windows feature version to prevent devices from upgrading to the latest available feature update and stay at a specific feature version. 

To specify a specific Windows feature version: 

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. Select Patch Management, then select the OS tab.
  4. Navigate to Update Settings.
  5. Select Select the target.
  6. Fill in the fields shown below:

Available values for the Windows product version include:

  • Windows 11
  • Windows 10

Available values for the Target Version at this time are all applicable to Windows 10:

  • 21H2
  • 22H2

Important:
  • This setting cannot be used to roll back a device to a previous feature version. If you enter an invalid value, devices will stay at their current version until you correct the values to a supported product and version.
  • If the Target Version defined has reached End of Support by Microsoft, devices will receive no further updates.

Remove a Patch Policy

To remove a Patch Policy:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. Select Patch Management, then select the OS tab.
  4. Select the policies that you wish to remove.
  5. Click Delete.
  6. Click continue.

The selected policies are removed. 

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case