Patch Management in Windows 10 with Systems Management

About Windows 10 updates

Windows 10 is managed very differently from the operating systems that came before it. Windows updates in particular are handled much more closely by Microsoft in Windows 10, and the changes become more pronounced with each update.

This article will list all Windows 10 versions and will go through some of the new update terminology used for Windows 10. It will list a few common scenarios users can expect when managing Windows 10 updates, and it will also show how to solve them.

Terminology

Users can expect to see the following terms used when handling Windows 10 updates:

Windows 10 versions

Check out this image:

Branch switching

To switch branches, users can download the Windows 10 Update Branch Switcher [WIN] component. This script works on Windows 10 builds 1511, 1607 and 1703. It will switch a device from CB to CBB and automatically defer Quality and Feature Updates to the maximum time permitted by the operating system. It also enables Windows Telemetry on devices that have it disabled, as branch switching will not occur otherwise.

Issues

The following issues have been detected in Windows 10 patch management:

Windows 10 Feature Updates will not install

Due to the way in which Windows 10 Feature Updates are handled, they are not supported by Systems Management patch management. The issue revolves around the way devices with a Feature Update queued must be rebooted. Windows does not properly detect how Systems Management places the updates it has downloaded into the Windows 10 update queue, meaning devices are left unaware they have an update to install and therefore disregard it. The best way for a Windows 10 device to update via a Feature Update is simply to allow the device to patch itself via Windows' own update mechanism. If this is unacceptable, the best solution is to use a Systems Management patch management policy to only approve patches that are smaller than 1.5 GB in size. Research done internally indicates that Windows Feature Updates are around 2 GB at a minimum. Once the update is blocked, an Administrator will need to install it manually onto their devices using a USB stick or DVD.

Windows 10 does not offer individual control over patches

This is due to the nature of Windows 10. The retroactivity of Windows 10 patches, where the updates of month 2 will include those missed in month 1, works alongside the cumulative nature of the patch rollups to ensure that devices receive all the patches Microsoft says the device needs. While it is possible to hide or skip Windows 10 patches entirely, Administrators will find the patches they have blacklisted in month 1 re-appearing in month 2's update, making the process one of debatable usefulness.

Unpredictable or unsatisfactory results when using Systems Management Patch Management on Windows 10 Home devices

Microsoft treats the Windows 10 Home version drastically differently from its Pro and Enterprise versions. Windows 10 Home does not have a group policy editor and only works on Current Branch (CB). For more information, refer to this article. Systems Management is an enterprise software product and does not formally support Home versions of Windows 10. Devices requiring enterprise-grade management must be running enterprise-grade software.

Windows 10's update system conflicts with Systems Management

Users who wish to use Systems Management patch management and disable Windows Update entirely will find that Windows 10's update system conflicts with Systems Management. It is a complicated issue, but here are some points to consider:

  • Windows Update cannot be disabled on Windows 10.
  • The most unobtrusive form of Windows Update is "level 2", which disables Windows' automatic updating functionality but still permits it to check. It will notify the user when updates are available and remind them regularly.
  • Administrators can enable Current Branch for Business, which defers Feature and Quality Updates, but they will still arrive. Administrators receive a "grace period", but the updates arrive at the same frequency, just with a delay.
  • Driver updates can still be disabled entirely, but Feature and Quality updates can only ever be deferred.
  • Users wishing to update as seldom as possible should consider using Long-Term Servicing Branch versions of Windows 10.
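
One way to check which of these settings are actually in force on a device, as an added example that is not part of Systems Management or the original article: a read-only PowerShell audit of the Windows Update Group Policy registry values. It assumes the settings are delivered through the standard policy keys on build 1607 or later, and that "level 2" above refers to the AUOptions value 2.

```powershell
# Added example: read-only audit of the Windows Update policy values behind
# the points listed above. Absent values mean the policy is not configured.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-Deferral {
    param([string]$Flag, [string]$Days)
    # Deferral only applies when the enabling flag is set to 1.
    if ((Get-PolicyValue $wu $Flag) -eq 1) { Get-PolicyValue $wu $Days }
    else { 'Not deferred' }
}

function Get-WindowsUpdatePolicyAudit {
    $auNames = @{
        2 = 'Notify before download (assumed to be "level 2")'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically, install on schedule'
    }
    $branchNames = @{ 16 = 'Current Branch (CB)'; 32 = 'Current Branch for Business (CBB)' }

    $auOptions = Get-PolicyValue $au 'AUOptions'
    $branch    = Get-PolicyValue $wu 'BranchReadinessLevel'   # used by build 1703

    [pscustomobject]@{
        AutomaticUpdates    = if ($null -eq $auOptions) { 'Not configured' }
                              elseif ($auNames.ContainsKey([int]$auOptions)) { $auNames[[int]$auOptions] }
                              else { "Other ($auOptions)" }
        NoAutoUpdate        = Get-PolicyValue $au 'NoAutoUpdate'
        Branch              = if ($null -eq $branch) { 'Not configured' }
                              elseif ($branchNames.ContainsKey([int]$branch)) { $branchNames[[int]$branch] }
                              else { "Other ($branch)" }
        FeatureDeferralDays = Get-Deferral 'DeferFeatureUpdates' 'DeferFeatureUpdatesPeriodInDays'
        QualityDeferralDays = Get-Deferral 'DeferQualityUpdates' 'DeferQualityUpdatesPeriodInDays'
        # 1 means driver updates are excluded from Windows Update.
        DriversExcluded     = ((Get-PolicyValue $wu 'ExcludeWUDriversInQualityUpdate') -eq 1)
    }
}

Get-WindowsUpdatePolicyAudit | Format-List
```

Comparing this output across a fleet shows which devices will still pull Feature and Quality Updates directly from Windows Update and when, alongside whatever Systems Management approves.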