Introduction

Windows Update is present on every Windows operating system (OS) so that endpoints stay up to date with the newest features, keep performing well, run without bugs and stay secure.

This post aims to clarify the different update methods, release channels, update types and support durations, and focuses on the modern way to bring all of those together.

Do not forget about updates to Office, Edge and other browsers, third-party software, drivers and firmware, and security software. You can find some more information about this here. This write-up concentrates on Windows updates.

Why it is important to get updates and stay supported

Every Windows OS version is "supported" by Microsoft for a limited period of time. After this end-of-life date (see for Windows OS) you will no longer receive updates. This means the system stays on its current version and gets no new features or fixes, and especially no security updates. (Remember that this only affects OS security, not Defender; both are imperative concerns.) Furthermore, if you encounter any issues, Microsoft will not provide assistance. This is not a situation any organization wants to be in.


Update methods

There are several ways to update the Windows operating system:

  • Windows Update
    The service that delivers Windows updates of any kind to endpoints. It automatically downloads and installs updates in the background to keep you up to date.
  • Windows Update for Business
    A control layer over Windows Update. This includes configuring policies that define update delivery, settings, deadlines and behavior.
    The technology behind the scenes is the Windows Update for Business deployment service, which is also the modern way (see the chapter below).
  • Windows Server Update Services (WSUS)
    WSUS is a Windows Server role that allows organizations to centrally manage update distribution for the clients in their network. More granular control over each update and reporting are its advantages. For devices that are only Azure AD joined, this isn't applicable.
  • System Center Configuration Manager (SCCM)
    In SCCM, software updates such as Windows updates can be downloaded and included in a deployment package that contains the target devices, the schedule for the update deployment and any necessary pre- or post-deployment tasks, in order to roll out updates to clients managed by SCCM.
  • Manual Update
    If you wish, you can download any update or hotfix from the Microsoft Update Catalog. Search for one, download it, receive a .msu file and install it.

Release channels

Updates do not get rolled out to all devices at the same time. They need to be tested, validated and brought to the field.

  • Microsoft internal - Microsoft develops new features and releases them to its internal testing cycles.
  • Insider program - the fastest way to get updates as a consumer is to explicitly join the Windows Insider program. There are three sub-channels: Dev, Beta and Release Preview. It targets users who are interested in preview features and technically inclined.
  • General Availability Channel - also named consumer channel, is the broadest channel, where updates get released to everyone. You are most likely on this channel.
  • Long-Term Servicing Channel - for organizations that need extended support for dependency, stability or requirement reasons. The LTSC or LTSB channels only receive security and critical bug fixes, but no new features. It is not recommended for general use.

Update types

This part describes the most common update types.


Cumulative updates

A cumulative update is a single update package that includes multiple updates of different update types. It contains all previously released updates as well as any new updates.

Expedited updates

Expedited updates are updates that are deployed out of schedule and independently of other controls or policies. You may decide to expedite an update for a security issue or a zero-day flaw. Currently this feature is only supported for security updates.

Support duration

Windows 11
Find here

Feature update servicing timeline (lifecycle policy):

  • Enterprise and Education versions are supported for 36 months from the release date
  • Home and Pro versions are supported for 24 months from the release date

Windows 10
Find here

Feature update servicing timeline (lifecycle policy):

  • Enterprise and Education versions are supported for 18 months for H1 releases and 30 months for H2 releases from the release date
  • Home and Pro versions are supported for 18 months from the release date

⚠️ Windows 10 reaches end of support on October 14, 2025.

Enterprise modern updating with Intune

💡 Windows Autopatch is a native integration in Intune where Microsoft handles updates for its products for you. It is not covered in this post.

In Intune we leverage the Windows Update for Business deployment service, which has three control mechanisms:

  • Update rings - define update settings such as deferral periods, deadlines, automatic update behavior, active hours and others. All of this is applied to the client, and updates are then automatically downloaded and installed from Microsoft according to the policy settings.

-> Updates that come through rings can be paused (quality and feature updates separately)
-> An uninstall option allows rolling back the latest quality or feature update
-> Set a feature update deferral of '0' to deploy feature updates manually through feature update policies

  • Feature updates - manually deploy a feature update version to a group. This also supports rollout options to make an update available on a specific date or gradually to specific groups.

  • Quality updates - in Intune this is used for expedited updates, to deploy security updates independently.
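The ring settings above reach the client as Windows Update for Business policies. The following script, added here as an example and not part of the original post, reads the policy values applied on a local device and compares them with the ring the device is expected to be in. It assumes the MDM-applied Update CSP values are stored under the PolicyManager registry key shown, with value names matching the CSP node names; the expected values are constructed for a hypothetical "Fast" ring.

```powershell
# Added example: verify that an Intune update ring actually landed on this endpoint.
# Assumption: the Update CSP mirrors its settings under this PolicyManager key,
# using the CSP node names as value names (e.g. DeferQualityUpdatesPeriodInDays).
$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Constructed: the values of a hypothetical "Fast" ring (3d/30d deferral, 2d deadline).
$expected = @{
    DeferQualityUpdatesPeriodInDays    = 3
    DeferFeatureUpdatesPeriodInDays    = 30
    ConfigureDeadlineForQualityUpdates = 2
    ConfigureDeadlineForFeatureUpdates = 2
    PauseQualityUpdates                = 0   # ring must not be paused
    PauseFeatureUpdates                = 0
}

if (-not (Test-Path $key)) {
    throw "No MDM Update policy found under $key. Is the device enrolled and the ring assigned?"
}
$applied = Get-ItemProperty -Path $key

# Build one row per setting so drift is visible at a glance.
$report = foreach ($name in $expected.Keys) {
    $actual = $applied.$name
    if ($null -eq $actual) { $actual = '<not set>' }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Applied  = $actual
        Match    = ("$actual" -eq "$($expected[$name])")
    }
}
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    Write-Warning 'Device does not match the expected ring. Check the Intune assignment and trigger a sync.'
}

# Last installed updates, to confirm the deferral and deadline actually resulted in installs.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```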

My recommendation

I recommend using only update rings to stay compliant with up-to-date endpoints. Make sure you include multiple rings and assign different target groups that can test new versions with reasonable deferrals and a deadline. Here you see how I would configure it:

ℹ️ This sample is oriented to the Windows Autopatch update delivery.

A sample update ring architecture could look like this.

Ring              | Test                | First                               | Fast                                          | Broad
------------------|---------------------|-------------------------------------|-----------------------------------------------|---------------------
Use               | Development testing | Non-mission critical first adoption | Business adoption pilot                       | General availability
Amount of devices | very few            | 1%                                  | 9%                                            | 90%
Example members   | Test devices        | IT department and early adopters    | Business stakeholders, owners and pilot users | Everyone
Quality deferral  | 0d                  | 1d                                  | 3d                                            | 7d
Feature deferral  | 0d                  | 14d                                 | 30d                                           | 30-90d
Deadline          | 0                   | 1d                                  | 2d                                            | 4-7d
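To turn this ring architecture into Intune policies, the script below, added here as an example and not part of the original post, creates the four update rings as Windows Update for Business device configurations through Microsoft Graph and assigns each to its group. It assumes the Microsoft.Graph.Authentication module is installed, uses placeholder group IDs, and pins the ranged values of the Broad ring to 90d feature deferral and 7d deadline.

```powershell
# Added example: create the four rings from the table via Microsoft Graph.
# Group IDs are placeholders; replace them with the object IDs of your Entra ID groups.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$rings = @(
    @{ Name = 'WUfB - Ring 0 Test';  Group = '<TEST-GROUP-ID>';  Quality = 0; Feature = 0;  Deadline = 0 },
    @{ Name = 'WUfB - Ring 1 First'; Group = '<FIRST-GROUP-ID>'; Quality = 1; Feature = 14; Deadline = 1 },
    @{ Name = 'WUfB - Ring 2 Fast';  Group = '<FAST-GROUP-ID>';  Quality = 3; Feature = 30; Deadline = 2 },
    @{ Name = 'WUfB - Ring 3 Broad'; Group = '<BROAD-GROUP-ID>'; Quality = 7; Feature = 90; Deadline = 7 }  # assumption: upper end of 30-90d / 4-7d
)

foreach ($ring in $rings) {
    # Shared settings for every ring; only deferrals and deadlines differ.
    $body = @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $ring.Name
        description                        = 'Created from the sample ring architecture'
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        microsoftUpdateServiceAllowed      = $true               # also receive updates for other Microsoft products
        driversExcluded                    = $false
        businessReadyUpdatesOnly           = 'businessReadyOnly' # General Availability Channel, no Insider builds
        qualityUpdatesDeferralPeriodInDays = $ring.Quality
        featureUpdatesDeferralPeriodInDays = $ring.Feature
        deadlineForQualityUpdatesInDays    = $ring.Deadline
        deadlineForFeatureUpdatesInDays    = $ring.Deadline
        deadlineGracePeriodInDays          = 2                   # assumption: grace period is not in the table
        userPauseAccess                    = 'disabled'          # admins pause rings in Intune, users cannot
        installationSchedule               = @{
            '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
            activeHoursStart = '08:00:00'
            activeHoursEnd   = '17:00:00'
        }
    }
    $policy = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Assign the ring to its target group; without an assignment the policy reaches no device.
    $assignment = @{ assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $ring.Group } }
    ) }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($policy.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
    Write-Host "Created and assigned ring '$($ring.Name)' (id $($policy.id))"
}
```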
