Some of the most controversial changes in Windows 10 affect how updates are delivered. And for admins who’ve built up a monthly workflow around testing individual updates and then accepting or rejecting each one as needed, these changes require some serious adjustments.
In this article, I explain how the update process has changed and list the steps you can take to manage the update process.
The first and biggest change is a move to cumulative updates across all Windows editions. New security and reliability updates are delivered as cumulative packages, with logic that identifies all previous applicable updates. When you download the latest cumulative update, it retrieves all the updates you need without requiring you to go through a mess of individual downloads.
With earlier versions, including Windows 7 and Windows 8.1, each month’s security and reliability updates arrive in individual packages. If you power on a Windows 7 PC that’s been out of service for a few months, you may find yourself with dozens of updates. Doing a clean install of Windows 7 with SP1 means that you need to install more than 200 updates, involving several reboots. (See Figure A.)
By contrast, Figure B shows what you see when you do the same using Windows 10.
The second big change, perhaps even more significant, is that you can no longer decline to install updates when they’re available on a PC you manage. Using default settings for Windows 10, in fact, you can push off installation by only a few days. You also have the option to set Active Hours, a period during which Windows will not install updates automatically. But unlike with Windows 7, you can’t fine-tune Windows Update to reject individual updates or delay updates.
SEE: Windows 10 spotlight: Prepare, repair, and recover
And finally, there’s the new “Windows-as-a-service” model, with Microsoft delivering major upgrades to Windows 10 as feature updates, using Windows Update. The first such update was version 1511 (build 10586), in November 2015. The second is version 1607 (build 14393), the Anniversary Update that rolled out to the public in August 2016.
Feature updates are large, and they can take an hour or more to install, so managing those updates is important if you don’t want to incur downtime.
The key to taking charge of the update process is a new feature called Windows Update for Business, which was introduced in version 1511 and has been modified slightly for version 1607. Because it uses Group Policy settings to control updates, it’s available only on Windows 10 Pro, Enterprise, and Education editions.
In a nutshell, here’s what you can do as an administrator using Windows Update for Business. For this walk-through I am using the Local Group Policy Editor, but you’re more likely to make these changes by defining your own update groups in Active Directory and then using Group Policy to set update policies for each group.
The policies you’re looking for are in Computer Configuration > Administrative Templates > Windows Components > Windows Update. In Windows 10 version 1511, these settings are combined in a single policy: Defer Upgrades And Updates. In version 1607, the policies are broken into two policies, one for quality updates (the security and reliability fixes delivered in cumulative updates) and the other for feature updates. Both are located in the Defer Windows Updates subfolder, shown in Figure C.
Use the Select When Feature Updates Are Received policy when you want to defer these upgrades. Your first choice is to select the “branch readiness level” for the policy. Current Branch (the default) means you want the most recent features update that has been released to the public. Choosing Current Branch for Business means you want to delay the installation of that update for at least four months, until Microsoft has declared a feature update ready for this branch. (For example, version 1511 was released to the Current Branch in November 2015, but it was not a Current Branch for Business release until April 2016.
Regardless of which branch you choose, you can delay the availability of feature updates for up to an additional 180 days (Figure D). This setting is a change from version 1511, which offered a delay of up to eight months, in increments of one month.
The Select When Quality Updates Are Received policy allows you to defer the regular cumulative updates by up to 30 days. If you’re concerned that an update will negatively affect your network, this setting allows you to test the update on a smaller ring within your organization and then push it to the broader network after you’ve determined it’s okay (Figure E). Of course, choosing that delay means potentially important security fixes are also delayed.
If you see a major problem, there’s an additional Pause button associated with each policy. You can pause feature updates for up to 60 days and quality updates for up to 35 days.
The new policies offer a level of control over updates that wasn’t possible before without using separate management software. There’s still a major learning curve and a period of adjustment, though, especially if you’re accustomed to the old ways of doing updates.