Windows updates - write up
Windows Update exists on every Windows operating system (OS) so that endpoints stay current: they receive new features, performance and bug fixes and, above all, security fixes.
This post aims to clarify the different update methods, release channels, update types and support durations, and focuses on the modern way to bring all of those together.
Do not forget about updates to Office, Edge and other browsers, third-party software, drivers, firmware and security software; this write-up concentrates on Windows updates.
Why it is important to get updates and stay supported
Every Windows OS version is supported by Microsoft for a limited time. After its end-of-support date (see the feature update servicing timelines below, or Microsoft's lifecycle page) it receives no more updates: the system stays on its current version, gets no new features or bug fixes and, most importantly, no security updates. (This concerns the OS itself; Defender definition updates are delivered separately, but both are essential.) Furthermore, if you run into issues on an unsupported version, Microsoft will not provide assistance. This is not a situation any organization wants to be in.
There are several ways to update the Windows operating system:
- Windows Update
The built-in service that delivers Windows updates of every kind to endpoints. By default it automatically downloads and installs updates in the background to keep the device up to date.
- Windows Update for Business
A control layer on top of Windows Update: you configure policies that define which updates are delivered, when (deferral periods and deadlines) and how the client behaves.
Behind the scenes this is backed by the Windows Update for Business deployment service, which is also the modern approach (see the Intune chapter below).
- Windows Server Update Services (WSUS)
WSUS is a Windows Server role that lets organizations centrally manage update distribution to the clients in their network. Its advantages are per-update approval and reporting. It is built around domain-joined clients configured through Group Policy, so for cloud-only (Azure AD / Entra ID joined) devices it is not the right fit. Note that Microsoft has announced WSUS as deprecated: it keeps working and keeps receiving updates, but gets no new features.
- System Center Configuration Manager (SCCM, today Microsoft Configuration Manager)
Configuration Manager downloads software updates, Windows updates included, into a deployment package and deploys them to a collection of target devices with a schedule and any required pre- or post-deployment tasks, for the clients it manages.
- Manual Update
If needed, you can download any individual update or hotfix from the Microsoft Update Catalog: search for the KB number, download the .msu file and install it (for example with wusa.exe or DISM). Because this route bypasses your update policies, check that the package is Microsoft-signed and that the KB is not already installed before you run it.
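As an added example (not from the original post), a PowerShell helper for the manual route above: it verifies the .msu's Authenticode signature and signer, skips the install if the KB is already present, and installs with wusa.exe without an automatic reboot. The KB number and file path in the usage line are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original write-up. KB number and path are placeholders.

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists OS updates (cumulative
    # updates, servicing stack updates) but not Office or Defender definition updates.
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Install-MsuPackage {
    param(
        [Parameter(Mandatory)][string]$Path,   # the .msu downloaded from the Update Catalog
        [Parameter(Mandatory)][string]$KB      # e.g. 'KB1234567' (placeholder)
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # 1. Authenticode check: the catalog serves Microsoft-signed packages; refuse anything else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)' for $Path; not installing."
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject); not installing."
    }

    # 2. Idempotency: do not re-run the installer for a KB that is already there.
    if (Test-KBInstalled -KB $KB) {
        Write-Output "$KB is already installed."
        return
    }

    # 3. Quiet install without automatic reboot. wusa.exe exit codes:
    #    0 = success, 3010 = success and reboot required,
    #    2359302 (0x240006, WU_S_ALREADY_INSTALLED) = update already present.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$Path`"", '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output "$KB installed." }
        3010    { Write-Output "$KB installed; a reboot is required." }
        2359302 { Write-Output "$KB was already installed." }
        default { throw "wusa.exe returned exit code $($proc.ExitCode) for $KB" }
    }
}

# Usage (placeholders; replace with the real KB and the downloaded file):
# Install-MsuPackage -Path 'C:\Updates\windows11.0-kb1234567-x64.msu' -KB 'KB1234567'
```

wusa.exe verifies the package signature itself, but checking it up front gives a clear error before anything is touched, and the signer check catches a validly signed file that did not come from Microsoft.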
Updates are not rolled out to all devices at the same time: they are tested and validated in stages before they reach the field. The release channels, from earliest to broadest:
- Microsoft internal - Microsoft develops new features and validates them in its internal testing cycles first.
- Insider program - the fastest way to get new builds is to explicitly join the Windows Insider Program. It has sub-channels (Dev, Beta and Release Preview, plus Canary since 2023) and targets users who are interested in preview features and are technically inclined.
- General Availability Channel - formerly the Semi-Annual Channel; the broadest channel, where updates are released to everyone. Most devices, consumer and business alike, are here.
- Long-Term Servicing Channel (LTSC, formerly LTSB) - for specialized devices that must not change, for stability, dependency or requirements reasons. LTSC releases receive only security and critical bug fixes, no new features. It is not recommended for general-purpose endpoints.
This part describes the most common update types.
- Cumulative update
A single package that bundles updates of different types. It contains all previously released fixes as well as the new ones, so installing the latest cumulative update brings a device fully up to date in one step.
- Expedited update
An update deployed outside the normal schedule, independent of deferral settings or other policies, for example to close a zero-day flaw quickly. Currently only security (quality) updates can be expedited.
- Feature update
The yearly version release (for example 22H2 or 23H2). Feature update servicing timeline (lifecycle policy):
Windows 11:
- Enterprise and Education editions are supported for 36 months from the release date
- Home and Pro editions are supported for 24 months from the release date
Windows 10:
- Enterprise and Education editions are supported for 18 months (H1 releases) or 30 months (H2 releases) from the release date
- Home and Pro editions are supported for 18 months from the release date
Windows 10 22H2 is the final Windows 10 version; its support ends on 14 October 2025 for all editions.
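As an added example (not from the original post), the servicing timeline above turned into a PowerShell function, plus a check of the local machine against it. The release-date table is a constructed sample of Windows 11 general-availability dates, and the rounding rule (support ends on the Patch Tuesday on or after the anniversary) is an observation that reproduces Microsoft's published dates, not something the lifecycle policy states; verify results against Microsoft's lifecycle page.

```powershell
# Added example, not part of the original write-up. Release dates are a constructed
# sample; confirm computed dates against https://learn.microsoft.com/lifecycle/ .

function Get-SecondTuesday {
    param([Parameter(Mandatory)][datetime]$AnyDayInMonth)
    $first  = [datetime]::new($AnyDayInMonth.Year, $AnyDayInMonth.Month, 1)
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($offset + 7)          # first Tuesday + 7 days = Patch Tuesday
}

function Get-PatchTuesdayOnOrAfter {
    param([Parameter(Mandatory)][datetime]$Date)
    $pt = Get-SecondTuesday $Date
    if ($pt -lt $Date.Date) { $pt = Get-SecondTuesday $Date.AddMonths(1) }
    $pt
}

function Get-ServicingMonths {
    # Encodes the lifecycle policy listed in the section above
    param(
        [Parameter(Mandatory)][ValidateSet('Windows 10', 'Windows 11')][string]$Product,
        [Parameter(Mandatory)][bool]$EnterpriseOrEducation,
        [Parameter(Mandatory)][string]$Version     # e.g. '22H2'
    )
    if ($Product -eq 'Windows 11') {
        if ($EnterpriseOrEducation) { 36 } else { 24 }
    } else {
        if ($EnterpriseOrEducation -and $Version -like '*H2') { 30 } else { 18 }
    }
}

function Get-SupportEndDate {
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][bool]$EnterpriseOrEducation,
        [Parameter(Mandatory)][datetime]$ReleaseDate
    )
    $months = Get-ServicingMonths -Product $Product -EnterpriseOrEducation $EnterpriseOrEducation -Version $Version
    # Assumption: the published end date is the Patch Tuesday on or after the anniversary
    Get-PatchTuesdayOnOrAfter -Date $ReleaseDate.AddMonths($months)
}

# Constructed sample: Windows 11 general availability dates per version
$releases = @{
    '21H2' = [datetime]'2021-10-04'
    '22H2' = [datetime]'2022-09-20'
    '23H2' = [datetime]'2023-10-31'
    '24H2' = [datetime]'2024-10-01'
}

function Get-LocalSupportStatus {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Windows 11 builds start at 22000. DisplayVersion holds '22H2' etc.
    # (ReleaseId stays frozen at 2009 on newer builds, so do not use it).
    $product = if ([int]$cv.CurrentBuildNumber -ge 22000) { 'Windows 11' } else { 'Windows 10' }
    $version = $cv.DisplayVersion
    # EditionID examples: Core (Home), Professional, Enterprise, Education.
    # EnterpriseS is LTSC and follows a fixed lifecycle, so it is not handled here.
    if ($cv.EditionID -eq 'EnterpriseS') { throw 'LTSC edition: use the LTSC lifecycle dates instead.' }
    $longServiced = [bool]($cv.EditionID -match '^(Enterprise|Education)')
    if ($product -ne 'Windows 11' -or -not $releases.ContainsKey($version)) {
        throw "No release date in the sample table for $product $version; add it from Microsoft's release information."
    }
    $end = Get-SupportEndDate -Product $product -Version $version -EnterpriseOrEducation $longServiced -ReleaseDate $releases[$version]
    [pscustomobject]@{
        Product      = $product
        Version      = $version
        Edition      = $cv.EditionID
        Build        = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        EndOfSupport = $end.ToString('yyyy-MM-dd')
        DaysLeft     = [int]($end - (Get-Date).Date).TotalDays
        Supported    = $end -ge (Get-Date).Date
    }
}

Get-LocalSupportStatus
```

For instance, `Get-SupportEndDate -Product 'Windows 11' -Version '22H2' -EnterpriseOrEducation $false -ReleaseDate $releases['22H2']` yields 2024-10-08, and with `-EnterpriseOrEducation $true` 2025-10-14, which are the published end-of-support dates for Windows 11 22H2 Home/Pro and Enterprise/Education. Run the check as a compliance script or as a Proactive Remediation detection script and you have an inventory of devices approaching end of support.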
Enterprise modern updating with Intune
In Intune we leverage the Windows Update for Business deployment service, which offers three control mechanisms:
- Update rings - define update settings such as deferral periods, deadlines, automatic update behavior, active hours and more. The policy is applied to the client, which then downloads and installs updates directly from Microsoft according to those settings.
-> Updates delivered through rings can be paused (quality and feature updates separately, for up to 35 days)
-> An uninstall option rolls back the latest quality or feature update
-> Set the feature update deferral to 0 if you want to deploy feature updates manually through feature update policies
- Feature updates - deploy a specific feature update version to a group. Rollout options make the update available on a set date or gradually across groups.
- Quality updates - in Intune this is the expedite mechanism: deploy a security update independently of the ring's deferral.
I recommend using update rings only, to keep endpoints compliant and up to date. Include multiple rings and assign different target groups so that new versions are tested with reasonable deferrals and a deadline. Here is how I would configure it:
A sample update ring architecture could look like this.
| Ring | Use | Share of devices | Example members |
|---|---|---|---|
| 1 | Development testing | very few | Test devices |
| 2 | Non-mission-critical first adoption | 1% | IT department and early adopters |
| 3 | Business adoption pilot | 9% | Business stakeholders, owners and pilot users |
| 4 | General availability | 90% | Everyone |
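As an added example (not from the original post), the four rings of the architecture above created as Intune update ring policies through Microsoft Graph, each assigned to its own Entra ID group. It needs the Microsoft.Graph PowerShell SDK and a session with the DeviceManagementConfiguration.ReadWrite.All scope. The ring names, deferral days, deadlines and group IDs are assumptions and placeholders chosen to show the staggering, not values from the post.

```powershell
# Added example, not part of the original write-up. Deferral values and group IDs are
# placeholders; adjust them to your environment.
Import-Module Microsoft.Graph.Authentication
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$graph = 'https://graph.microsoft.com/v1.0'

# Each ring defers a little longer than the previous one, so a bad update surfaces in
# the small rings and can be paused before the 90 % ring installs it.
$rings = @(
    @{ Name = 'WUfB Ring 1 - Development testing';     Quality = 0;  Feature = 0;  Deadline = 2; Grace = 1; GroupId = '<ring1-group-object-id>' }
    @{ Name = 'WUfB Ring 2 - IT and early adopters';   Quality = 3;  Feature = 14; Deadline = 3; Grace = 2; GroupId = '<ring2-group-object-id>' }
    @{ Name = 'WUfB Ring 3 - Business adoption pilot'; Quality = 7;  Feature = 30; Deadline = 5; Grace = 2; GroupId = '<ring3-group-object-id>' }
    @{ Name = 'WUfB Ring 4 - General availability';    Quality = 10; Feature = 60; Deadline = 7; Grace = 2; GroupId = '<ring4-group-object-id>' }
)

function New-UpdateRingBody {
    param([Parameter(Mandatory)][hashtable]$Ring)
    # Properties of the Graph resource microsoft.graph.windowsUpdateForBusinessConfiguration
    @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Ring.Name
        description                        = 'Created by script from the update ring architecture table'
        businessReadyUpdatesOnly           = 'all'                          # General Availability Channel, no Insider builds
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        qualityUpdatesDeferralPeriodInDays = $Ring.Quality                  # 0-30 days
        featureUpdatesDeferralPeriodInDays = $Ring.Feature                  # 0-365 days
        deadlineForQualityUpdatesInDays    = $Ring.Deadline
        deadlineForFeatureUpdatesInDays    = $Ring.Deadline
        deadlineGracePeriodInDays          = $Ring.Grace                    # 0-7 days
        postponeRebootUntilAfterDeadline   = $false
        driversExcluded                    = $false                         # drivers stay in scope (see the note on drivers at the top)
        microsoftUpdateServiceAllowed      = $true                          # also receive other Microsoft product updates
    }
}

function Get-AllDeviceConfigurations {
    # Follows @odata.nextLink so large tenants are fully enumerated
    $uri = "$graph/deviceManagement/deviceConfigurations"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function Publish-UpdateRings {
    param([Parameter(Mandatory)][array]$Rings)
    $existing = Get-AllDeviceConfigurations
    foreach ($ring in $Rings) {
        # Idempotent: re-running the script does not create duplicate policies
        $policy = $existing | Where-Object { $_.displayName -eq $ring.Name } | Select-Object -First 1
        if ($policy) {
            Write-Output "Exists:  $($ring.Name) ($($policy.id)); not re-created."
        } else {
            $policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" -Body (New-UpdateRingBody -Ring $ring)
            Write-Output "Created: $($ring.Name) ($($policy.id))"
        }
        # Assign the policy to the ring's group; this call replaces the policy's assignment set.
        $assignment = @{
            assignments = @(
                @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $ring.GroupId } }
            )
        }
        Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations/$($policy.id)/assign" -Body $assignment | Out-Null
    }
}

# Publish-UpdateRings -Rings $rings
```

Ring 1 keeps both deferrals at 0 so it sees every update first and, if you ever want to drive feature updates through feature update policies, the zero feature deferral requirement mentioned above is already met. Keep the groups mutually exclusive: a device in two rings gets a policy conflict, and the effective deferral is not the one you intended.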
- For more detailed information, please visit my post on Intune best practices.
- To get an overview of, and report on, Windows Update in your environment, consider Windows Update for Business reports.