Configuration policies

Create configuration policies and assign them at the Customer, Folder, or Agent levels to ensure compliance across your end-user devices.

To set up your policies, see Set up configuration policies

How configuration policies work

Creating policies

• Technicians with full admin access can create and assign policies to Customers, Folders, and Agents.
• A technician can assign policies to individual Agents only, as long as they have the required permissions for that customer.
• One policy can be assigned per Customer, Folder, or Agent.

Policy behavior

• Once created or saved, the policy will be immediately applied to all assigned Customers, Folders, and/or Agents, as per the inheritance and supersession rules explained below.
• To ensure device compliance, the policy will be applied every 12 hours.
• Configuration Policies override the "Reboot if needed" option found in IT Automation profiles. For example, if you have set up a Configuration Policy with "Restart outside of active hours", the agent will reboot only after working hours have ended.

Important note: Configuration Policies created in Atera will not override a policy configured by a domain Group Policy Object (GPO).

Policy inheritance and supersession

• Policy inheritance applies at the Folder and Agent levels.
  • If assigned at the Customer level, all unassigned Folders and Agents under that customer will inherit the policy.
  • If assigned at the Folder level, all unassigned Agents under that Folder will inherit the policy.
• Policies assigned at a Folder level will override any assigned to the parent Customer.
• Policies assigned directly to an Agent will override any assigned to the parent Folder and/or Customer. Policy supersession applies at the Folder and Agent levels for all policies applied at any level above.

Deleting policies

• Deleted policies will be removed from all associated Agents without reverting the configurations they had previously set. To revert those configurations, we recommend reverting to device settings within your policy's toggled configuration(s) before deleting the policy.

Available configurations

Note: More configurations coming soon! Have any you'd like to see? Let us know

Windows Update Restarts

Windows Update Restarts are required to ensure that your devices are running the most recent and secure versions of Windows. It's critical to manage these restarts in order to minimize disruption for end users. The following options provide flexibility in scheduling and controlling restarts after Windows updates have been installed:

Revert to device settings

Select this option to apply the Windows default settings to the devices.

Disable auto-restart with logged-on users

Select this option to disable device restarts for any user who is currently logged on.
Note: The device will not restart if the user logs out after the automation has run.

Restart outside of active hours

Select this option to set the active hours in which devices will not restart.
Note:

• The active hours are based on the local system settings.
• Applies to Windows 10, Windows Server 2022, and above.

Restart after the selected time period

Select this option to schedule device restarts anywhere from 15 – 180 minutes after Windows updates are complete.
Note: This applies to Windows 10, Windows Server 2022, and above.

Allow end users to control device restarts

Select this option to send a toast notification to your end users informing them of a pending restart. You can specify how often the notification should be sent (in minutes) until the user restarts the device. You can also force a restart after a specified number of prompts, as well as customize the message that appears in the toast notification.

Windows updates settings

Creating a configuration policy for Windows update settings allows you to take complete control over patching and Windows updates on your end-user devices. 

Note: Windows update settings configured via GPO or any third-party tools may take precedence over any changes made in the Windows update settings menu, even if you have selected to control Windows update settings via Atera. To avoid conflicts, please review any GPO settings or third-party tools to ensure that they align with your Atera configurations.

Toggle on Windows update settings

To effectively create a new policy to manage Windows update settings, you must first toggle on the configuration. 

Control via Atera's IT automation profiles (Recommended)

This option gives you full control over patch management and Windows updates via Atera's IT automation profiles and allows you to configure updates according to your organization's specific needs and policies. Selecting this option disables the end user's ability to check for and install Windows local updates themselves. 

Important notes:

• Local users who try to install an update when this option is selected will see a message similar to the one below.
  
  Users with earlier versions of Windows OS will not be blocked from searching for and installing updates.
• 'Security Intelligence Updates for Microsoft Defender Antivirus' will not be disabled and will continue to automatically update (even if you've selected the option to control Windows updates via Atera's IT Automation Profiles.)
• If you choose to control Windows updates exclusively with Atera, (and in doing so, disable the automatic Windows Update feature), be sure to include all the patches you want to install in the associated IT automation profile to ensure your end-user devices stay secure and up-to-date.
• This feature won’t work on Windows OS Home versions (as they don’t support Group Policy).

Allow automatic Windows local updates

This option enables automatic Windows local update installation on end-user devices, following the device's local policy for automatic updates. While you won't have complete control over the installation of updates, this still allows you to monitor and manage updates through Atera's IT automation profiles. If you want complete control over patch management and Windows updates, we suggest selecting the "Control via Atera's IT automation profiles" option.

Important notes:

• When selecting the option to 'Allow automatic Windows local updates,' the 'OS Excluded Patches' and IT automation schedule set in Atera may be overridden, resulting in excluded patches being installed anyway.
• If you ever need to manually re-enable automatic Windows updates on a device, follow these instructions

Migrate Windows local updates from IT automation profiles to Configuration Policies

Windows local updates are now managed via Configuration Policies to provide greater control and flexibility over updates installation and ensure consistent enforcement of settings across relevant devices. Follow the instructions below to migrate your previously configured Windows local updates from IT automation profiles to Configuration Policies.

• Don't affect: If you previously selected this option in the Windows local updates section and want to continue adhering to local device settings without controlling updates through a policy created in Atera, no action is needed.
• Disable: Enable the toggle for Windows update settings and select 'Control via Atera's IT automation profiles' to take full control over patch management.
• Enable: Enable the toggle for Windows update settings and select 'Allow automatic Windows local updates' to let the local policy handle updates while still having visibility and control through Atera.

Once you've finished creating the policy, you must assign it to the relevant customers, folders, or devices for the changes to take effect.

Troubleshooting

If your end users are not seeing the toast notification for Windows Update Restarts, it could be due to one of the following reasons: 

'Update/Restart required notifications' are turned off

If your end users have disabled the "Update" or "Restart required" notifications in their system settings, they will not receive toast notifications on their devices. 

1. Navigate to Settings on the Windows device and click the Update & security icon.

2. Click Windows Update on the left-hand tab.

3. Scroll down on the right-hand side and click Advanced options. The Advanced options menu appears.

4. Toggle on the option for 'Update notifications,' 'Restart required notifications,' or 'Notify me when a restart is required to finish updating', depending on the Windows version you have on your device. This should allow the Atera toast notification to appear when setting up the configuration policy to notify logged-in users before a restart.
Note: The method for enabling notifications for a restart after a system update may vary depending on the version of Windows you are using. If the above method is not applicable for your Windows device, you can try the following: Navigate to Settings > System > Notifications and actions. Scroll down to find 'Restart required' under the 'Notifications from apps and other senders' section. Turn on the toggle switch for 'Restart required.'

Existing group policy (domain or local) settings are blocking toast notifications

If the issue persists even after enabling update notifications, it could be due to group policy settings that are preventing toast notifications from being sent. 

1. Press the Windows key + R to open the Run dialog box. Then type in "gpedit.msc" and press Enter to open the Local Group Policy Editor.

2. Navigate to User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications.

3. Check if the "Turn off toast notifications" policy is enabled. If it is, double-click on it to open its properties.

4. Select "Disabled" or "Not Configured" and click Apply to save the changes.

5. Repeat steps 1-4 for the "Turn off toast notifications on the lock screen" policy.

6. Restart the device and check if toast notifications for Windows Update Restarts now appear.