Written By Mikel from Gorelo
The Windows Patch Management plugin enables centralized control over Windows Updates across managed assets. This plugin functions similarly to Windows Update for Business (WUfB) and aligns with Microsoft's recommended practices—focusing on deferral, deadlines, and user experience rather than per-patch approval.

How It Works
This plugin configures Windows Automatic Updates via local policy, allowing devices to autonomously receive, install, and reboot for updates based on the settings defined in your Gorelo policy.
Once applied, these settings override local user preferences and are enforced until the policy is removed or modified.
Update Settings
Setting | Description |
Quality update deferral period | Delays cumulative updates (e.g. Patch Tuesday) by the specified number of days. Security updates are included in quality updates, so they are delayed too. |
Feature update deferral period | Postpones new Windows feature updates (e.g. 22H2 → 23H2). |
Optional updates | Controls installation of optional driver or non-security updates. |
Hide Windows 11 Upgrade | Prevents eligible Windows 10 devices from offering the Windows 11 upgrade. |
OS status out-of-date threshold | Flags devices as out-of-date if they haven't received an update within this number of days. |
Hide KB Article IDs | Suppresses visibility of specific KBs. |
User Experience Settings
Setting | Description |
Automatic update behavior | Sets the update action: ‘Auto install and restart at maintenance time’ or ‘Auto download and schedule the install’. |
Active hours start/end | For ‘Auto install and restart at maintenance time’: prevents automatic restarts during working hours. |
Scheduled install day/time | For ‘Auto download and schedule the install’: updates are installed on this day/time. |
Deadline for OS Updates
These settings define how long an asset has to install updates before enforcement kicks in. If enabled, the asset will first attempt to install updates during regular maintenance time. If it fails to do so within the deadline, it enters a grace period where the user is prompted to schedule a restart. Once the grace period expires, the update and restart will be forced.
Setting | Description |
Use Deadline settings | If enabled, updates will be forced within set timeframes. |
Deadline for quality updates | Number of days (0–30) after the update is offered that the asset has to install it before entering the grace period. |
Deadline for feature updates | Number of days (0–30) after the update is offered that the asset has to install it before entering the grace period. |
Grace period | Number of days (0–7) after the deadline where the user is prompted to restart or schedule a restart. After this, the device will force the restart. |
Auto reboot before deadline | If enabled, allows the system to automatically reboot to complete installation before the deadline expires. |
When aligning these settings with CIS Controls, Essential Eight, NIST, etc., the deferral period + deadline + grace period together define the total number of days from release until the update is enforced. For example, if you require critical updates to be installed within 7 days of release:
Quality update deferral period = 3 days
Deadline for quality updates = 2 days
Grace period = 2 days
3 + 2 + 2 = 7 — you’re now at the maximum of 7 days.
⚠️ It is recommended to start with this as ‘Not configured’ when first onboarding with Gorelo as this is the least impactful option. When you choose to change this to ‘Allow’, start with each of the deadline and grace period values much higher and slowly reduce them to your preferred number.
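To check the deferral + deadline + grace period sum on a device itself, the following PowerShell script is an added example, not Gorelo's own code. It assumes the policy is written to the standard Windows Update policy registry values that Group Policy uses, which this article does not name; the `$MaxDays` parameter and the `Get-PolicyValue` helper are hypothetical names chosen for the example.

```powershell
# Added example: audit the quality-update policy on one device against a patch SLA.
# Assumption: the settings land in the standard Windows Update policy registry
# values below (the ones Group Policy writes); the article does not name them.
param(
    [int]$MaxDays = 7   # the article's example requirement: installed within 7 days
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value, or the whole policy key, is not configured.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$deferOn  = (Get-PolicyValue 'DeferQualityUpdates') -eq 1
$deferral = Get-PolicyValue 'DeferQualityUpdatesPeriodInDays'
$deadline = Get-PolicyValue 'ConfigureDeadlineForQualityUpdates'
$grace    = Get-PolicyValue 'ConfigureDeadlineGracePeriod'

# Without a deadline and grace period nothing forces the install, so the
# deferral alone gives no upper bound on how long a device can stay unpatched.
if ($null -eq $deadline -or $null -eq $grace) {
    Write-Warning 'Deadline or grace period not configured: no enforced maximum.'
    exit 2
}

# A disabled or unset deferral means updates are offered on release day.
$deferralDays = if ($deferOn -and $null -ne $deferral) { [int]$deferral } else { 0 }
$total = $deferralDays + [int]$deadline + [int]$grace

# One record per device, suitable for collecting centrally.
[pscustomobject]@{
    DeferralDays  = $deferralDays
    DeadlineDays  = [int]$deadline
    GraceDays     = [int]$grace
    WorstCaseDays = $total
    MaxDays       = $MaxDays
    Compliant     = ($total -le $MaxDays)
}

if ($total -gt $MaxDays) { exit 1 }
```

Exit code 0 means the worst case is within the requirement, 1 means it exceeds it, and 2 means no deadline is enforced at all.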