Microsoft says devices need to be powered on and connected to Windows Update for at least eight hours to ensure a successful update.
In a Tech Community blog on achieving better patch compliance, the company says it looked into why some Windows devices are not always fully up to date, and one of the most impactful factors was the time a device was powered on and connected to Windows Update.
“What we found is that devices that don’t meet a certain amount of connected time are very unlikely to successfully update,” the company says in the blog.
Specifically, Microsoft says data suggests that devices need to be connected for at least two successive hours, and then six total connected hours after an update is released to reliably update. That purportedly allows for a successful download and for background installations that are able to restart or resume once a device is active and connected.
The company calls the measurement “Update Connectivity,” and defines it as the time that a device is powered on and connected to services such as Windows Update.
According to the blog, a significant number of computers are not connected long enough to facilitate successful updates.
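One way to approximate the measurement locally, as an added example rather than code from Microsoft's blog or this article: the script below reads the System log's boot, shutdown, sleep and resume events since an assumed release date, reconstructs the device's awake intervals, and applies the two-consecutive-hours-then-six-total-hours rule. Awake time is only an upper bound on Update Connectivity, since a device can be awake without ever reaching Windows Update, and the `$ReleaseDate` default is an assumption you should replace with the actual release date you care about.

```powershell
# Added example, not code from Microsoft's blog or the article above.
# Estimates how long this device has been awake since an update release from
# System-log power events, then applies the "2 consecutive hours, 6 total
# hours" guidance. Awake time is an upper bound on Update Connectivity.
# $ReleaseDate is an assumed input; pass the actual release date you care about.
param(
    [datetime]$ReleaseDate = (Get-Date).AddDays(-14)
)

# Power transitions recorded in the System log:
#   Microsoft-Windows-Kernel-General 12 = OS started,      13 = OS shutting down
#   Microsoft-Windows-Kernel-Power   42 = entering sleep,  107 = resumed from sleep
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = @('Microsoft-Windows-Kernel-General', 'Microsoft-Windows-Kernel-Power')
        Id           = @(12, 13, 42, 107)
        StartTime    = $ReleaseDate
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

$intervals = New-Object System.Collections.Generic.List[object]

# Assumption: the device was awake at release time only if its first recorded
# transition afterwards is a sleep/shutdown, or nothing was recorded at all.
$start = $null
if ($events.Count -eq 0 -or $events[0].Id -in 42, 13) { $start = $ReleaseDate }

foreach ($e in $events) {
    switch ($e.Id) {
        # Sleep or shutdown closes the current awake interval.
        { $_ -in 42, 13 } {
            if ($start) {
                $intervals.Add([pscustomobject]@{ Start = $start; End = $e.TimeCreated })
                $start = $null
            }
        }
        # Resume or boot opens a new awake interval.
        { $_ -in 107, 12 } {
            if (-not $start) { $start = $e.TimeCreated }
        }
    }
}
# Still awake now: close the last interval at the current time.
if ($start) { $intervals.Add([pscustomobject]@{ Start = $start; End = Get-Date }) }

$hours   = $intervals | ForEach-Object { ($_.End - $_.Start).TotalHours }
$longest = [math]::Round(($hours | Measure-Object -Maximum).Maximum, 2)
$total   = [math]::Round(($hours | Measure-Object -Sum).Sum, 2)

# MeetsMinimumWindow is the field to key on when excluding devices from
# update-success metrics, as the blog suggests.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    ReleaseDate        = $ReleaseDate
    AwakeIntervals     = $intervals.Count
    LongestAwakeHours  = $longest
    TotalAwakeHours    = $total
    MeetsMinimumWindow = ($longest -ge 2 -and $total -ge 6)
}
```

Run it on the device, or wrap it in `Invoke-Command` across a fleet and group on `MeetsMinimumWindow`. Two caveats: the System log must still hold events back to the release date (a rolled-over log silently shortens the window), and devices using Modern Standby record their standby transitions under different Kernel-Power event IDs, so extend the ID filter for those.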
For an indication of how impactful Update Connectivity is, let’s look at the portion of Windows 10 devices that are not on a current update and do not meet the minimum connectivity requirements.
- Approximately 50% of devices that are not on a serviced build of Windows 10 do not meet the minimum Update Connectivity measurement.
- Approximately 25% of Windows 10 devices that are on a serviced build, but whose security updates are more than 60 days out of date, have less than the minimum Update Connectivity.
The company urges IT administrators to instruct users to leave devices plugged in and connected so updates can download and install properly.
“Impress upon them the importance of keeping their devices connected so their devices can stay protected and they can stay productive,” the company says.
Microsoft also says power settings should be configured to optimize Windows Update adoption. This prevents devices from sleeping or hibernating too quickly, which can prevent updates from occurring outside active hours.
Admins can find Update Connectivity data in Microsoft Intune by navigating to Devices > Monitor and selecting either the Feature update failures or Windows Expedited update failures report.
The Insufficient Update Connectivity alert is also available in the Summary report in Intune, which can be found by navigating to Reports > Windows updates, then selecting the Reports tab and clicking on Windows Expedited update report.
Admins using Group Policy Objects to manage policies can configure power settings that are a good balance of power savings while enabling devices to update outside of active hours via the Security Compliance Toolkit.
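For a single machine, or to verify what a policy actually applied, the local `powercfg` equivalent of those power settings looks like the following. This is an added example, not Microsoft's toolkit or the article's code; the "before" values are whatever the active plan currently holds, the "after" values (never sleep or hibernate on AC power, wake timers allowed on AC) are assumptions chosen to keep a plugged-in device reachable outside active hours, and the output parsing assumes an English-language `powercfg`.

```powershell
# Added example (not Microsoft's Security Compliance Toolkit or the article's code).
# Shows the active power plan's idle timeouts, then sets the AC-power values so a
# plugged-in device stays available to Windows Update outside active hours.
# Run in an elevated PowerShell session. Assumes English powercfg output.

function Get-IdleTimeoutMinutes {
    # $SettingAlias is a powercfg alias under SUB_SLEEP: STANDBYIDLE or HIBERNATEIDLE.
    param([string]$SettingAlias)
    $out = powercfg /query SCHEME_CURRENT SUB_SLEEP $SettingAlias
    # powercfg prints the index as hex seconds, e.g. "Current AC Power Setting Index: 0x00000708".
    $ac = ($out | Select-String 'Current AC Power Setting Index: 0x([0-9a-fA-F]+)').Matches[0].Groups[1].Value
    $dc = ($out | Select-String 'Current DC Power Setting Index: 0x([0-9a-fA-F]+)').Matches[0].Groups[1].Value
    [pscustomobject]@{
        Setting   = $SettingAlias
        AcMinutes = [Convert]::ToInt32($ac, 16) / 60   # 0 means "never"
        DcMinutes = [Convert]::ToInt32($dc, 16) / 60
    }
}

'Before:'
Get-IdleTimeoutMinutes STANDBYIDLE
Get-IdleTimeoutMinutes HIBERNATEIDLE

# Weak setting: a short AC sleep timeout (the default on many plans) puts the
# device to sleep before a background download or install can finish.
# Corrected setting: never sleep or hibernate while on AC power; battery
# (DC) behaviour is intentionally left unchanged.
powercfg /change standby-timeout-ac 0
powercfg /change hibernate-timeout-ac 0

# Allow wake timers on AC so scheduled maintenance can wake the device
# (RTCWAKE is the powercfg alias for "Allow wake timers"; 1 = enabled).
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP RTCWAKE 1
powercfg /setactive SCHEME_CURRENT

'After:'
Get-IdleTimeoutMinutes STANDBYIDLE
Get-IdleTimeoutMinutes HIBERNATEIDLE
```

Where devices are domain-joined and the GPO from the Security Compliance Toolkit is in force, the policy values override whatever is set locally, so the "after" readout is also a cheap way to confirm that the policy reached the machine.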
Admins should also consider filtering out devices that do not have the minimum update connectivity from success metrics. Changing policies or targeting those devices with more updates will not get them to update until they meet the minimum Update Connectivity measurements.
“When thinking about the security impact of devices with insufficient Update Connectivity, a question to consider is do these devices pose less security risk because they have a very low level of connectivity? Every organization will, of course, have different business requirements and levels of risk tolerance, but Update Connectivity can be a useful tool in determining just how much risk these devices introduce and what actions, if any, should be taken to improve update compliance,” the blog says.