Introduction
Install pending Windows updates on managed devices via automation. Use this action to enforce patch compliance on a schedule, push updates in response to new device enrollment, or deploy updates after a maintenance window opens.
Install Windows Updates
From the automation pipeline in edit mode, click + Add action and select Install Windows updates from the Security category. The action panel opens with two sections: Action type (pre-set to Install Windows updates) and Step configuration.
Configure Update Categories
Click Configure update categories to open the Windows patch management categories panel. This controls which types of updates Level installs and how each is timed.
Each category has two settings:
Timing: Either Update immediately or Delay installation.
Days: How many days to wait before installing (only active when Delay installation is selected).
How delay works: When you configure a category to Delay installation, Level skips any update in that category until it has been available for at least that many days. Once the window passes, the update installs automatically the next time the action runs, with no manual approval required.
This is intentional. Many patch management tools require you to review and approve each update individually before it deploys. That creates a constant backlog of approval tasks for updates that almost always go fine. Level's model: set a delay window that gives you time to hear about problems in the wild, then let updates roll automatically. For the vast majority of patches, the window passes quietly and they deploy without you ever touching them. For the rare problematic update, block it globally before the delay expires, and it stays blocked until you clear it.
💡 TIP: If you want an extra layer of confidence before broad rollout, target a small group of test devices first. Tag those devices (e.g., canary) and run this action against that group with a shorter delay or none at all. If no issues surface after a few days, the same action on your wider groups will pick up the updates once their delay window passes, with no duplicate work required.
The available categories are:
| Category | Description |
| --- | --- |
| Critical updates | Non-security critical bugs affecting compatibility, performance, or interoperability |
| Security updates | Product-specific vulnerabilities |
| Definition updates | Virus and definition files for Windows Defender |
| Update rollups | Cumulative security updates, critical updates, and hotfixes targeting specific Windows areas |
| Service packs | Cumulative updates, design changes, and features for Microsoft products |
| Tools | Utilities and features for task completion |
| Feature packs | Functionality distributed outside the normal product release cycle |
| Updates | Non-critical, non-security bug fixes |
| Upgrades | New product releases, version upgrades, and design changes |
| Drivers | Third-party driver updates and bug fixes |
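To preview on a single device which pending updates a per-category delay would hold back, the following added example (not Level's own code) queries the local Windows Update Agent and applies the delay rule described above. The `$Policy` values and the `Get-DelayDecision` helper are hypothetical; the example assumes the publish date is the agent's `LastDeploymentChangeTime` and that the longest delay wins when an update has several managed classifications.

```powershell
# Constructed sample policy: classification name -> delay in days (0 = update immediately).
# A classification missing from the table is treated as an unchecked category.
$Policy = @{
    'Security Updates'   = 3
    'Critical Updates'   = 3
    'Definition Updates' = 0
    'Update Rollups'     = 7
}

function Get-DelayDecision {
    param(
        [string[]]$Classifications,   # classification names reported for the update
        [datetime]$PublishedUtc,      # publish date of the update (UTC)
        [hashtable]$Policy,
        [datetime]$NowUtc = [datetime]::UtcNow
    )
    $managed = @($Classifications | Where-Object { $Policy.ContainsKey($_) })
    if ($managed.Count -eq 0) { return 'Not managed' }
    # Assumption of this example: the longest configured delay applies.
    $delay   = ($managed | ForEach-Object { $Policy[$_] } | Measure-Object -Maximum).Maximum
    $ageDays = [math]::Floor(($NowUtc - $PublishedUtc).TotalDays)
    if ($ageDays -ge $delay) { return 'Install' }
    return "Held ($($delay - $ageDays) day(s) left)"
}

# Ask the Windows Update Agent for updates that are applicable but not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

foreach ($u in $pending) {
    # Keep only classification categories; product and company categories are ignored.
    $classes = @($u.Categories |
        Where-Object { $_.Type -eq 'UpdateClassification' } |
        ForEach-Object { $_.Name })
    [pscustomobject]@{
        KB             = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title          = $u.Title
        Classification = $classes -join '; '
        Published      = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        Decision       = Get-DelayDecision -Classifications $classes `
                             -PublishedUtc $u.LastDeploymentChangeTime -Policy $Policy
    }
}
```

The search runs against whichever update source the device is already configured to use, and classification names may be localized on non-English systems.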
💡 TIP: Enable only the categories you want Level to manage. Leaving a category unchecked means Level won't touch those updates, which is useful if you manage driver updates through a separate process, or want to hold Upgrades back entirely.
ℹ️ NOTE: Definition updates (Windows Defender) can also be managed with the dedicated Windows Defender Update action. If you're using both, keep your approach consistent to avoid redundant update runs.
Reboot After Updates (When Required)
When enabled, Level reboots the device after updates install, but only if Windows signals a reboot is required. Updates that don't need a reboot won't trigger one.
⚠️ WARNING: This reboot happens without prompting the end user. Use this in combination with a maintenance window, or pair with the Notify User action beforehand if users may be active on the device.
Loop Until Complete
ℹ️ NOTE: Loop until complete requires Reboot after updates to be enabled. Without reboots, the loop can't progress past updates that require one to finish.
When enabled, Level keeps cycling through install-and-reboot until all pending updates have been installed successfully. After each reboot, it checks for remaining updates and continues until the device is fully current.
💡 TIP: Loop until complete is the right choice when provisioning new devices. Windows endpoints often need multiple reboot cycles to get fully patched: one update installs, reboots, and reveals another batch waiting. Enable Loop until complete on your new device onboarding automation and it handles the whole chain without any manual follow-up.
Conditions
The Conditions section lets you restrict when this action runs based on device attributes or the outcome of a previous action. Expand the section to add conditions.
See Action Conditions for the full reference on condition types, operators, and values.
Additional Options
Expand Additional options for execution settings including action name, failure behavior, output variables, and retries.
See Actions Overview for the full reference on additional options available on every action.
FAQ
Does this action work on macOS or Linux? No. This action applies to Windows devices only. For macOS, use the Install macOS Updates action. For Linux, use the Install Linux Updates action.
What happens if there are no pending updates in a selected category? Level skips that category silently and continues. The action completes successfully even if nothing was installed.
Do updates install silently or does the end user see a prompt? Updates install silently in the background. End users don't see Windows Update UI prompts. If a reboot is required and Reboot after updates is enabled, the device reboots without a user prompt, so pair with a Notify User action if users may be active.
What's the difference between "Update immediately" and "Delay installation"? Update immediately installs matching updates as soon as the action runs. Delay installation holds off for a set number of days from when the update was published; after that window, updates in that category deploy automatically without any manual approval. The delay gives you time to hear about issues in the wild and block a specific update if needed, without requiring you to review every patch individually.
What's the difference between "Reboot after updates" and "Loop until complete"? Reboot after updates triggers a single reboot when Windows signals one is required. Loop until complete keeps cycling through install-and-reboot until no updates remain. The main use case for Loop until complete is provisioning new or out-of-date devices that need multiple reboot cycles to get fully current.
What happens if the device is offline when the action runs? The action queues and resumes once the device comes back online.
Who can add or modify this action in an automation? Technicians with permission to edit automations in the relevant group. See Workspace → Permissions for access control configuration.


