Atlas
[BUG] - Windows Update configuration
Description
Windows Update is configured in a non-secure way; by default it doesn't download any security updates, only definitions for Windows Defender. I can understand that feature updates might break the changes of Atlas, but in my opinion it's not too bad, in the worst case you can just re-run the playbook. But at least security updates (e.g. monthly patchdays) should be downloaded and installed automatically. I had to change some group policies in order to allow that by myself. And I don't want to do that on every new Atlas installation, I installed v0.3 on more than 10 PCs now.
Steps to reproduce (add screenshots if applicable)
There's nothing to reproduce.
Expected behavior
It should at least allow security based updates by default, and maybe add some scripts to change Windows Update behaviour and what it installs to let the user decide what to install.
Actual behavior (add screenshots if applicable)
Already in the bug description.
Atlas Version
Atlas 10 22H2
Desktop information
It is affected by both 10 22H2 and 11 23H2.
Requisites
- [X] This is not a support issue or a question. For any support, questions or help, join our Discord server.
- [X] I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
- [X] I checked the documentation to understand that the issue I am reporting is not normal behavior.
- [X] I understand that not filling out this template correctly will lead to the issue being closed.
Additional content
No response
It should download security updates by default, it's feature updates that are skipped.
> But at least security updates (e.g. monthly patchdays) should be downloaded and installed automatically.
How exactly did you change the policies so that only security updates are downloaded automatically?
I changed the following policies:
- Computer Configuration > Administrative Templates > Windows Components > Windows Update > Legacy Policies: "Turn on recommended updates via Automatic Updates" ==> Enabled
- Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage Updates offered from Windows Update: "Enable optional updates" ==> Enabled, "Select when Preview Builds and Feature Updates are received" ==> Disabled, "Select when Quality Updates are received" ==> Disabled
I'm not too sure if these changes are correct or breaking something, but so far I didn't have issues and after that it installed the patchday update at least. Patchday is always on the second Tuesday of a month, like 19:00 German time. When my friend with stock Windows got the update instantly (patchday updates aren't rolled out by Microsoft, everyone gets them at the exact same time), I didn't. Then I came up with the idea to check the group policies and when I configured these policies, voilà.
I have to say that I'm not an expert with Windows Update in general. My configuration might be still wrong. All I want is that you guys configure Atlas from ground up that it gets the monthly patchdays and all security updates along with bug-fix updates. At least let the user decide that. Maybe add a script which configures the policies correctly, let me know if I did something wrong.
> It should download security updates by default, it's feature updates that are skipped.
I thought that first too, and it clearly doesn't. As I said I installed Atlas on more than 10 PCs and notebooks.
Unrelated policies
These are the policies that were mentioned, but shouldn't affect security updates.
Turn on recommended updates via Automatic Updates
This isn't set by default on Atlas.
Enable optional updates
This isn't set by default on Atlas, but I am aware of Atlas' policies for deferring feature updates disabling:
Get the latest updates as soon as they're available
With this policy, you can re-enable that option, although I'm not too sure if having both policies is a supported configuration or even does anything.
Select when Preview Builds and Feature Updates are received
- `BranchReadinessLevel`
  - This is set to 20 by default, which seems to be an invalid value, so this'll be fixed
  - Presumably Windows will use the semi-annual channel regardless and ignore this policy due to it seemingly being invalid
- `DeferFeatureUpdates`
  - Set to 1 (enabled)
- `DeferFeatureUpdatesPeriodInDays`
  - Defers feature updates up until 365 days
  - This seems to affect feature rollouts (CFRs) too
There's also TargetReleaseVersion and ProductVersion set to only get updates for the current version of Windows, as in, if you were on 23H2, you'd only get updates for 23H2.
Select when Quality Updates are received
- `DeferQualityUpdates`
  - Set to 1 (enabled)
- `DeferQualityUpdatesPeriodInDays`
  - Atlas sets this to 6 days by default
This means quality updates (which includes security updates) aren't installed until they've been released for 6 days.
This is currently set to ensure that updates are stable, but I'm not too sure if this is a good change or not after reconsidering it. This would have been why everyone else got the security patches first, but Atlas installs did not.
We'll also consider having update notifications enabled by default, as users might otherwise go with a system that's not updated for a long time. For checking which policies are applied and are available:
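Added example, not part of the thread and not Atlas project code: a read-only PowerShell check that lists the Windows Update policy values named in the comment above and reports how long quality (security) updates are being held back. The registry path is the standard Windows Update policy key, which the thread itself does not quote; the function names are hypothetical.

```powershell
# Added example (not from the Atlas project). Read-only; run in PowerShell on Windows.
# Standard policy key behind the Windows Update Group Policy settings (not quoted in the thread).
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WuPolicyNames = @(
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
    'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'BranchReadinessLevel', 'TargetReleaseVersion', 'ProductVersion'
)

function Get-WuPolicy {
    # Returns a hashtable of value name -> data; values that are not set are $null.
    param([string]$Path = $WuPolicyKey)
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in $WuPolicyNames) {
        $result[$name] = $null
        if ($props -and $props.PSObject.Properties[$name]) {
            $result[$name] = $props.$name
        }
    }
    return $result
}

function Get-WuPolicyFinding {
    # Turns the raw values into the observations made in the thread.
    param([hashtable]$Policy)
    if ($Policy.DeferQualityUpdates -eq 1 -and $Policy.DeferQualityUpdatesPeriodInDays -gt 0) {
        "Quality updates (which include security updates) are deferred " +
        "$($Policy.DeferQualityUpdatesPeriodInDays) day(s) after release."
    }
    if ($Policy.DeferFeatureUpdates -eq 1) {
        "Feature updates are deferred $($Policy.DeferFeatureUpdatesPeriodInDays) day(s)."
    }
    if ($Policy.BranchReadinessLevel -eq 20) {
        "BranchReadinessLevel is 20, which the thread reports as seemingly invalid."
    }
    if ($null -ne $Policy.TargetReleaseVersion) {
        "TargetReleaseVersion=$($Policy.TargetReleaseVersion), " +
        "ProductVersion=$($Policy.ProductVersion): updates are limited to the pinned release."
    }
}

$policy = Get-WuPolicy
$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize | Out-Host
Get-WuPolicyFinding -Policy $policy
```

On a machine where none of these policies are set, the table shows empty values and no findings are printed.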
Thank you for the professional response.
Hello, it might be also worth enabling automatic updates, so security updates are always downloaded and installed ASAP. I don't know what updates Microsoft call Quality updates, feature updates and security updates. Hopefully those updates are split correctly and don't cause issues, so bug-fix updates, stability improvements updates and security updates are allowed in AtlasOS.
These can be very, very annoying (ex. applying at inconvenient times) and nobody sets their active hours correctly.
We think showing an update notification may be good enough.
In the next version, it'll be manual by default, but with notifications to notify the user when updates are available. Automatic updates in the background is one of the reasons why people won't use stock Windows.
We'll also include Registry files and a configuration option in AME Wizard to enable automatic updates.
Perfect.
he3als @.***> wrote on Tue, 28 Nov 2023 at 22:27:
> In the next version, it'll be manual by default, but with notifications to notify the user when updates are available.
> We'll also include Registry files and a configuration option in AME Wizard to enable automatic updates.
Since it's update related. Recent KB5032190 security update can't complete its install, Win 11/22621. Is this fixed?
We're working on fixing security updates in general.
This will be fixed next version. If you keep trying to update, it should eventually work.
I tried many times and on multiple machines and it's the same missing file error, since it's a patch I guess there is missing file for it to patch.
Then you'll have to wait :P
> In the next version, it'll be manual by default, but with notifications to notify the user when updates are available. Automatic updates in the background is one of the reasons why people won't use stock Windows
> We'll also include Registry files and a configuration option in AME Wizard to enable automatic updates.
I hope that there will be option to disable these notifications if you really don't want them.
There will be an option in the Atlas folder, but it won't be recommended. Updates are important, and users having no indication that updates even exist is an issue.
> This will be fixed next version. If you keep trying to update, it should eventually work.

When will next version come out, like AtlasOS 3.3?
> This will be fixed next version. If you keep trying to update, it should eventually work.

I'm on old Atlas and used the ISO to update to Win 11 23H2, but I can't "Run again" the 0.3.2/newer playbook since Windows Security (those 4 toggles) got turned on after the update install, I guess, and there is no page entry now to turn them off. How can I get that page back?
You need to reinstall Windows, see https://docs.atlasos.net/getting-started/installation/
As the next version is being released soon, I will close this issue as it will be solved.
