diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bbd3101f94..8edcf7dfe8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8564,6 +8564,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Update/ConfigureDeadlineGracePeriod
+
+ Update/ConfigureDeadlineGracePeriodForFeatureUpdates +
Update/ConfigureDeadlineNoAutoReboot
@@ -8591,6 +8594,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Update/DisableWUfBSafeguards
+
+ Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection +
Update/EngagedRestartDeadline
@@ -8687,6 +8693,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Update/SetEDURestart
+
+ Update/SetPolicyDrivenUpdateSourceForDriverUpdates +
+
+ Update/SetPolicyDrivenUpdateSourceForFeatureUpdates +
+
+ Update/SetPolicyDrivenUpdateSourceForOtherUpdates +
+
+ Update/SetPolicyDrivenUpdateSourceForQualityUpdates +
Update/SetProxyBehaviorForUpdateDetection
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c38caf5830..960936ef4d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -72,6 +72,9 @@ manager: dansimp
Update/ConfigureDeadlineGracePeriod
+
+ Update/ConfigureDeadlineGracePeriodForFeatureUpdates +
Update/ConfigureDeadlineNoAutoReboot
@@ -99,6 +102,9 @@ manager: dansimp
Update/DisableWUfBSafeguards
+
+ Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection +
Update/EngagedRestartDeadline
@@ -195,6 +201,18 @@ manager: dansimp
Update/SetEDURestart
+
+ Update/SetPolicyDrivenUpdateSourceForDriverUpdates +
+
+ Update/SetPolicyDrivenUpdateSourceForFeatureUpdates +
+
+ Update/SetPolicyDrivenUpdateSourceForOtherUpdates +
+
+ Update/SetPolicyDrivenUpdateSourceForQualityUpdates +
Update/SetProxyBehaviorForUpdateDetection
@@ -1515,6 +1533,77 @@ Default value is 2.
+ +**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to set different grace periods for both Quality Updates and Feature Updates. Specifically, when used with used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates). + +IT Admins will be able to specify a minimum number of days until restarts occur automatically for Featur Updates. Setting the grace period may extend the effective deadline set by the deadline policies specifically for Feature Updates. + + + + +Supports a numeric value from 0 - 7, which indicates the minimum number of days. + +Default value is 2. + + + + + + + + + +
+ **Update/ConfigureDeadlineNoAutoReboot** @@ -2250,6 +2339,80 @@ The following list shows the supported values:
+ +**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +To ensure the highest levels of security, we recommended leveraging WSUS TLS certificate pinning on all devices. + +By default, certificate pinning for Windows Update client is not enforced. + + + +ADMX Info: +- GP Friendly name: *Allow user proxy to be used as a fallback if detection using system proxy fails* +- GP name: *Allow user proxy to be used as a fallback if detection using system proxy fails* +- GP path: *Windows Update\SpecifyintranetMicrosoftupdateserviceLocation* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) -Do not enforce certificate pinning +- 1 - Do not enforce certificate pinning + + + + +
+ **Update/EngagedRestartDeadline** @@ -4557,6 +4720,325 @@ The following list shows the supported values:
+ +**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. + +If you configure this policy, please also configure the scan source policies for other update types: +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +>[!NOTE] +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +ADMX Info: +- GP Friendly name: *Specify source service for specific classes of Windows Updates* +- GP name: *SetPolicyDrivenUpdateSourceForDriverUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0: (Default) Detect, download and deploy Driver Updates from Windows Update +- 1: Enabled, Detect, download and deploy Driver Updates from Windows Server Update Server (WSUS) + + + + +
+ + +**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. + +If you configure this policy, please also configure the scan source policies for other update types: +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +>[!NOTE] +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +ADMX Info: +- GP Friendly name: *Specify source service for specific classes of Windows Updates* +- GP name: *SetPolicyDrivenUpdateSourceForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0: (Default) Detect, download and deploy Driver Updates from Windows Update +- 1: Enabled, Detect, download and deploy Driver Updates from Windows Server Update Server (WSUS) + + + + +
+ + +**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. + +If you configure this policy, please also configure the scan source policies for other update types: +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates + +>[!NOTE] +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +ADMX Info: +- GP Friendly name: *Specify source service for specific classes of Windows Updates* +- GP name: *SetPolicyDrivenUpdateSourceForOtherUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0: (Default) Detect, download and deploy Driver Updates from Windows Update +- 1: Enabled, Detect, download and deploy Driver Updates from Windows Server Update Server (WSUS) + + + + +
+ + +**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. + +If you configure this policy, please also configure the scan source policies for other update types: +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +>[!NOTE] +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +ADMX Info: +- GP Friendly name: *Specify source service for specific classes of Windows Updates* +- GP name: *SetPolicyDrivenUpdateSourceForQualityUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0: (Default) Detect, download and deploy Driver Updates from Windows Update +- 1: Enabled, Detect, download and deploy Driver Updates from Windows Server Update Server (WSUS) + + + + +
**Update/SetProxyBehaviorForUpdateDetection**