Managing Windows 10 Updates
Many businesses (especially large ones) have been using Windows Server Update Service (WSUS) with Software Center Configuration Manager (SCCM) or similar system to manage Windows updates to the end-point devices for a very long time. However many do not have a formalized process to update the O/S on their devices.
For the past 3 years or so Microsoft’s Windows 10 introduced automatically downloads and installs updates to make sure your device is secure and up to date.
key challenges
As businesses adopt and migrate to Windows 10 they have to deal with three basic challenges:
| Challenge | Feature Update | Quality Update |
|---|---|---|
| Update Frequency | Twice/Year | Monthly |
| Critical applications need to be tested before deploying new updates to production devices. A defined process for Release Management, and what to do when an issue is found need to be in place. | ||
| Size of Update | Average: 4GB | Average: 1GB |
| Getting the package to each device across the enterprise can prove taxing for your network. | ||
| Max Deferral Time | 356 Days | 30 days |
| Feature and Quality updates are no longer optional, they are mandatory. Businesses must adopt a proper update cycle and process in order to reduce risk and maintain a healthy client environment. | ||
Side note:
As explained by Microsoft’s Mike Benson Blog Post on 7/11/2018, outside the Quality Full Cumulative Updates, there are two other smaller updates issued by Microsoft: Express updates and Delta updates. For the purpose of this article we will not talk about them.
Deferring Updates (Discouraged Option)
If you have Windows 10 Pro or Windows 10 Enterprise devices, although strongly and highly discouraged, Microsoft provides a mechanism for you to defer / postpone an update by pausing updates from being downloaded and installed for a certain number of days based on its type:
| Category | Maximum deferral | Deferral increments | Example |
|---|---|---|---|
| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days. From Windows 10, version 1703 to version 1809, the maximum is 365 days. |
| Quality Updates | 30 days | Days | Security updates Drivers (optional) Non-security updates Microsoft updates (Office,Visual Studio, etc.) |
Please Note: if you disable Windows 10 Updates, your system will be at risk from attack and:
- Windows Defender will not be updated
- Operating System patches will not be applied
- Windows Apps will not update and possibly fail
You can do this manually on each computer by: Select the Start button, then select Settings >Update & security > Windows Update . Under Update settings, select Advanced options. Turn on Pause updates.
A Much Better Alternative
If you do not have a Patch Management System, Microsoft provides a good free alternative in Windows Update For Business (WUfB).
Windows Update for Business makes it easier for organizations to manage updates in Windows 10 Pro, Enterprise, and Education. Unlike the update mechanisms that most organizations are familiar with, WUfB does not require any infrastructure to be installed.
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.
WUfB has improved over the years adding features along the way:
You can setup and configure Windows Update for Business to manage Windows Updates with MDM, SCCM, Group Policies (GPO), Windows Settings, Intune and more…
More information on Windows as a Service and WUfB can be found:
- Deploy updates using Windows Update for Business
- Prepare servicing strategy for Windows 10 updates
- Create Deployment Rings Using Windows 10 Update for Business
- Windows 10 quality updates explained & the end of delta updates
