It is a considerable challenge keeping computer systems secure from external threats, such as malware and hackers. For earlier versions of Windows, with the Windows Update app, you could determine whether the Operating System (OS) was updated automatically with new functionality, security updates, and improvements. Many users opted to disable the Install updates automatically option, which made their systems vulnerable to attack.
Windows 10 changed the game in terms of updates and reliability, as new updates are now rolled out frequently. These updates are automatically downloaded and installed by Windows Update.
The following topics will be covered in this chapter:
- Selecting the appropriate servicing channel
- Configuring the Windows Update options
- Checking for updates
- Validating and testing updates
- Troubleshooting updates
By providing you with the skills to learn several key strategies to keep Windows 10 up to date, this chapter will help you configure Windows Update by selecting the appropriate servicing channels. You will also gain insight into how you can test, validate, and troubleshoot updates. By learning these skills, you are preparing for the MD-100 (Windows 10) exam, which is part of the Microsoft 365 Certified: Modern Desktop Administrator Associate certification.
In this chapter, you will see that we use PowerShell code. This code is available on the GitHub page: https://github.com/PacktPublishing/Microsoft-Exam-MD-100-Windows-10-Certification-Guide/tree/master/Chapter11
Throughout this chapter, you will need to follow some steps to configure settings. All of the steps covered in this chapter that you will need to follow have also been recorded. You can find those videos at https://bit.ly/2LsQDqD.
New versions of Windows are usually released every couple of years. The introduction of these new versions to an organization then becomes a project, either by using a wipe-and-load process to install the latest version of the OS on existing machines or by transitioning to the newer version of the OS as part of the hardware replacement cycle.
Either way, it takes a tremendous amount of time and energy to complete specific tasks. A new configuration has been introduced to Windows 10. This new model, called Windows as a service, allows organizations to reconsider how they implement and update Windows. Updating Windows is no longer a project that occurs every couple of years, but is, in fact, now a continuous cycle.
In this section, you will get to know Windows as a service, how you can select the appropriate servicing channel for your organization, and how you can distribute the updates with deployment rings.
Instead of only adding new functionality to new releases that come out every couple of years, Windows as a service strives to include new capabilities twice a year. Before 2020, the build versions were YY03 or YY09. From 2020, the build versions will be YYH1 and YYH2. New features are introduced or modified two to three times a year while maintaining a high degree of consistency between the hardware and application.
The key to having substantially shorter development cycles while retaining high quality standards is a creative community-centered approach to testing, which was introduced by Microsoft for Windows 10. The group, known as Windows Insider, consists of millions of users worldwide.
As Windows Insiders opt in to the community, they test several builds over a product cycle and provide Microsoft with feedback through an iterative approach called flighting. Builds distributed as flights offer essential data to the Windows development team on how successful builds actually work when used.
Flighting with Insiders now also helps Microsoft check builds on much more sophisticated hardware, devices, and networking environments than they could in the past. It also helps them to detect problems much faster. As a result, Microsoft believes that distributing flights based on the community allows a faster pace of innovation and a higher quality of public release than ever before.
While Microsoft releases flight builds for Windows Insider, it continues to publish two forms of Windows 10 updates to the wider public:
- Feature updates: These are software updates that enable the latest new apps, experiences, and functionality already running on Windows 10 devices. Since software updates include a full copy of Windows, they are also what consumers can use to install Windows 10 on existing devices that currently run on Windows 7 or Windows 8.1 and on new devices that don't have an OS.
- Quality updates: These quality updates concentrate on deploying security patches, as well as other critical updates. Microsoft plans to deliver an average of two to three new feature upgrades each year and to publish software updates when required for any feature upgrades that are still in support. Microsoft will continue to issue updates on Patch Tuesday for operations. Microsoft also publishes additional service updates for Windows 10 outside the Update Tuesday phase, when needed, to address customer needs.
Windows 10 Home users have no say about how these updates are handled by their machines. Users in enterprises and educational organizations that use the Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education versions are, however, able to control their upgrade experience using the following options:
- Servicing channels: To fit with the new method of providing Windows 10 feature updates and quality updates, Microsoft introduced this concept to allow customers to define how often their devices are updated. These channels are the Windows Insider Program, the Semi-Annual Channel, and the Long-Term Servicing Channel (LTSC).
- Deployment rings: By using Group Policy Objects (GPO) or Microsoft Intune, you can define deployment rings. These deployment rings use a specified channel of service and additional Windows settings to decide when updates are applied. You can monitor the updates to that group by configuring groups of computers with matching settings.
In the next section, we will look at the different servicing channels that you can choose from. By using these servicing channels, companies can decide how frequently their computers are updated.
Microsoft introduced the concept of servicing channels to allow customers to define how often their devices are updated. Servicing channels were also introduced to align with the new method of delivering Windows 10 feature updates and quality updates.
Microsoft has launched the following new Windows 10 service options:
- Windows Insider Program: Gaining exposure to feature updates early, before they are available to the Semi-Annual Channel, can be exciting and useful for potential end user interactions for many IT pros. It also means being able to check for any problems with the next Semi-Annual Channel rollout. Feature flighting with Windows 10 enables Windows Insiders to access and deploy preproduction code to their test machines, gaining early insight into the next project.
- Semi-Annual Channel: Feature updates are included in the semi-annual servicing channel as soon as Microsoft publishes them. This service model is suitable for pilot trials and the testing of Windows 10 feature upgrades, as well as for consumers, including developers who need to immediately work with the new features. After the latest update has gone through pilot delivery and testing, you pick what time it goes to the main rollout.
- Long-Term Servicing Channel (LTSC): Due to their functions, specialized devices, such as Personal Computers (PCs) that monitor medical equipment, point-of-sale devices, and Automated Teller Machines (ATMs), frequently need a more extended service period.
It is critical that these apps are kept as stable and safe as possible so that the user interface updates are up to date. The LTSC servicing model prohibits Windows 10 Enterprise LTSC devices from providing regular feature updates and only offers consistency updates to ensure that the protection of the system remains current. The LTSC is only available on the Long-Term Servicing Branch (LTSB) version of Windows 10 Enterprise.
Windows 10 Enterprise LTSC is a dedicated version of LTSC. LTSC is not intended for installation on any or all of an organization's PCs. This platform can only be used by special-purpose computers. A computer with Microsoft Office installed on it is, as a general rule, a general-purpose tool, usually used by an information worker, and is, therefore, best suited for the Semi-Annual Channel service.
We will now move on to understanding deployment rings.
You can create deployment rings by selecting a suitable service channel and then configuring the feature update and deferral values for the quality update. You may decide whether you need a machine test community that gets updates early on.
You may also choose to build a computer group that will receive updates quickly after release. You may want to allow the bulk of your remaining computers to receive updates after checking for them. You can achieve this by using deployment rings.
You can use the GPO settings to configure deployment rings for domain-joined devices running Active Directory Domain Services (AD DS) and use the Microsoft 365 Endpoint Manager Admin Center to configure deployment rings for non-domain-joined computers.
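To confirm which deferral values a GPO has actually applied to a machine, you can read the policy registry values directly. The following is an added example, not code from the book or its GitHub repository: the function name, the ring labels, and the 14-day limit are hypothetical, and the value names are the Windows Update for Business policy values written under the WindowsUpdate policy key.

```powershell
# Added example: report the update deferral policy applied to this PC.
# Ring labels and the default 14-day limit are illustrative assumptions.
function Get-UpdateDeferralPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [int]$MaxQualityDeferralDays = 14
    )

    # A missing key means no deferral policy has been applied.
    $key = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # Read one DWORD value; return $null when the value is not configured.
    $get = {
        param($name)
        if ($key -and $key.PSObject.Properties[$name]) { [int]$key.$name } else { $null }
    }

    # The period only takes effect when the matching "Defer..." switch is 1.
    $featureDays = if ((& $get 'DeferFeatureUpdates') -eq 1) {
        [int](& $get 'DeferFeatureUpdatesPeriodInDays')
    } else { 0 }
    $qualityDays = if ((& $get 'DeferQualityUpdates') -eq 1) {
        [int](& $get 'DeferQualityUpdatesPeriodInDays')
    } else { 0 }

    # Hypothetical ring names derived from the quality update deferral.
    $ring = if ($qualityDays -eq 0) { 'Pilot' }
            elseif ($qualityDays -le 7) { 'Early' }
            else { 'Broad' }

    # Security patches arrive as quality updates, so a long quality
    # deferral keeps already-fixed vulnerabilities open for longer.
    $finding = if ($qualityDays -gt $MaxQualityDeferralDays) {
        "Quality updates deferred $qualityDays days (limit $MaxQualityDeferralDays)"
    } else { 'OK' }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        PolicyPresent       = [bool]$key
        FeatureDeferralDays = $featureDays
        QualityDeferralDays = $qualityDays
        Ring                = $ring
        Finding             = $finding
    }
}

Get-UpdateDeferralPolicy
```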
You can use the Microsoft 365 Endpoint Manager admin center to set deployment rings, as in the following screenshot. Details of this phase are beyond the scope of this book since they are not covered on the MD-100 Windows 10 exam:
At this point, you can decide which servicing channel is most appropriate for your organization.
You now know the difference between quality updates and feature updates. You have also learned what deployment rings are and which tools you can use in your environment. In the next section, we are going to learn how to configure the Windows Update options.
You will be able to customize the Windows Update settings after you have planned your deployment rings. You can do this either on a per-computer basis, using the Settings app, or by using GPOs to configure computers that are AD DS domain-joined.
To configure the Windows Update settings on an individual computer, follow these steps:
- Open Settings | Update & Security option. The following screenshot shows the window that will show up:
- Pause updates for 7 days: As of Windows 10 1903, this setting will pause Windows updates for 7 days, but before Windows 10 1903, this setting was set to a value of 35 days. So, when you click on the Pause updates for 7 days option, the following screen is displayed:
- Change active hours: These settings allow the user to decide the period that they expect their system to be in use.
- View update history: This setting provides links to uninstall updates and to access the recovery options.
- Advanced options: Under the Advanced options section, you can configure Update options, Update notifications, Choose when updates are installed, and other settings.
After you have configured and selected your appropriate servicing channel, you can optimize the download and delivery of the Windows updates on your network by enabling the Delivery Optimization feature in Windows 10. With this feature, you can decrease the internet traffic to the Windows Update servers. In the next section, you will learn about this delivery optimization feature.
Windows Update's Delivery Optimization feature allows updates to be implemented quicker than in previous Windows versions. After an update has been activated on one PC in your local network, all computers in the network get the same updates without having to download them directly from Microsoft.
If Delivery Optimization is enabled, your device can also submit parts of apps or updates that have been downloaded to other PCs locally or on the internet. Follow these steps to enable Delivery Optimization:
- Open Settings | Update & Security option.
- Select Delivery Optimization. The resultant window is as follows:
This method resembles typical peer-to-peer file sharing applications. Only partial file fragments of the update files are downloaded from any source, which accelerates the delivery and improves process protection. When you require distribution optimization, you can choose how your PC can receive notifications and apps from other PCs using the following options:
- PCs on my local network: Windows may attempt to download the updates or apps from other PCs on your local network.
- PCs on my local network and PCs on the internet: Windows will attempt to download from other PCs on your local network and will even search for internet PCs that are configured to share parts of updates and apps.
You can configure Delivery Optimization through Microsoft Intune or a GPO for domain-joined computers, but that is beyond the scope of this book.
In this section, you learned how to configure Windows Update settings, and you now know what the different settings are, such as Change active hours and Advanced options. Furthermore, you learned how Delivery Optimization is used to speed up the downloading of Windows updates.
In the next section, you will learn how you can check for updates on Windows 10.
- Open Settings | Update & Security option.
- Click on the Check for updates button on the Windows Update page, as shown:
Windows connects to Windows Update and gets a list of any updates that are pending, as you can see in the following screenshot, where an update is downloading:
If updates are available, they start downloading and installing automatically, even if you have configured settings in a GPO to only notify you of downloading and installing.
In the next section, we are going to learn how you can test and validate updates.
We have already discussed how to use a servicing channel to build the notion of deployment rings, along with deferment values. Using deployment rings helps you to get and check potential updates before continued deployment.
You can also consider using additional services to distribute updates to Windows, rather than relying solely on Windows Update servers. You can choose between the following deployment tools to spread the Windows updates in your organization:
- Windows Server Update Services (WSUS): This is a server role for Windows Server 2019. WSUS downloads updates from servers running Windows Update. You can then customize how it propagates these changes to your client computers. This gives you time to check the changes and verify them.
- Windows Update for Business: Essentially, you should think of this as similar to WSUS. Nevertheless, Microsoft retains it in the cloud and it is available for computers running Windows 10 Pro or Windows 10 Enterprise.
- Microsoft Endpoint Configuration Manager (MECM): If you already use MECM to handle deployment, you can use it to control updates as well. MECM offers you superior power and versatility for managing notifications. MECM was previously called System Center Configuration Center.
- Microsoft Endpoint Manager: Microsoft Endpoint Manager, formerly called Microsoft Intune, is a cloud-based device- and app-management platform. It is especially useful for the management of non-domain connected devices. With Microsoft Endpoint Manager (Intune), updates can be approved, deployed, and removed.
When testing updates, you must make sure that the latest updates work for all computers, their peripherals, and applications. This is particularly important when considering how feature updates are implemented.
You have now learned how to test and validate Windows updates with the use of deployment rings. You also learned which distribution mechanisms you can use to deploy Windows updates to your client computers.
In the next section, you will learn how to troubleshoot updates through different methods.
So, to troubleshoot, in this case, you have to check that the two Windows Update services are running—namely, the Windows Update service and Background Intelligent Transfer Service.
You can find these services in the Services snap-in. Use the following steps to find that snap-in:
- Click on the Start icon.
- Type in Services.msc.
- Then, click on Services.
- The Services snap-in will open, as shown:
In the previous screenshot, you can see all the services that are available on Windows 10. To use the troubleshooter, you need two specific services from the list, which are pointed out in the previous screenshot. These are the Windows Update service and Background Intelligent Transfer Service (BITS).
The first is the Windows Update service, which checks the locally installed updates and what is available on the update servers. The Windows Update service also manages downloading, installing, and monitoring the status of the updates. The following screenshot shows you the Windows Update service:
The second service is Background Intelligent Transfer Service. BITS is a supplementary service that manages the most effective transfer of the update files. For Windows Update to work correctly, both services should be running. The following screenshot shows you the second service:
If these two services are up and running, you can use the Windows Update troubleshooter. To find the troubleshooter, follow these steps:
- Open Settings | Update & Security option.
- Select the Troubleshoot tab and you will see the Run the troubleshooter button, as shown:
If you click Run the troubleshooter, Windows will attempt to check the necessary services and will try to connect to the Windows Update server. If Windows identifies a problem, suggestions will be made about how best to address those problems.
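The same check of the two services can be scripted before running the troubleshooter. The following is an added example, not code from the book or its GitHub repository: the function name and the wording of the findings are hypothetical, while wuauserv and BITS are the service names of the Windows Update service and Background Intelligent Transfer Service.

```powershell
# Added example: check the two services that Windows Update depends on.
# Run from an elevated session if you use -StartIfStopped.
function Test-WindowsUpdateServices {
    [CmdletBinding()]
    param(
        [switch]$StartIfStopped
    )

    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{
                Name = $name; DisplayName = $null; Status = 'Missing'
                StartType = $null; Finding = 'Service not found'
            }
            continue
        }

        $finding = 'OK'
        if ($svc.StartType -eq 'Disabled') {
            # A disabled service cannot be started, so updates cannot
            # download or install until the start type is changed.
            $finding = 'Disabled: change the start type before troubleshooting'
        }
        elseif ($svc.Status -ne 'Running') {
            if ($StartIfStopped) {
                try {
                    Start-Service -Name $name -ErrorAction Stop
                    $svc.Refresh()
                    $finding = 'Was stopped, started by this check'
                }
                catch {
                    $finding = "Start failed: $($_.Exception.Message)"
                }
            }
            else {
                $finding = 'Not running'
            }
        }

        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Status      = $svc.Status
            StartType   = $svc.StartType
            Finding     = $finding
        }
    }
}

Test-WindowsUpdateServices | Format-Table -AutoSize
```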
- Uninstall an update via Control Panel.
- Uninstall an update via Settings.
- Uninstall an update via Command Prompt.
You will learn how you can roll back Windows updates via these methods in the next section. Rolling back updates is necessary if an update is causing issues on your test workstation.
With the routine of daily updates being used as the method to keep devices stable and up to date, there can be times where an update creates issues, so you need to consider removing the update that is causing the issue. You may have experience with driver rollback; the same principle is used to roll back Windows updates.
Often, only a single Windows update needs to be removed. This function can be carried out in many ways, including via Control Panel, the Settings app, or Command Prompt. You will learn how to remove an update in the following sections.
We will first see how to use Control Panel in the next section.
Uninstalling an update via the Control Panel
- Click on the Start icon and type in Control Panel.
- Then, go to Control Panel | Programs | Programs and Features option.
- After that, click on View installed updates. The resultant window is shown in the following screenshot:
- Then, select an update that you want to uninstall from the list.
- After that, in the Uninstall an update dialog box, click Yes to confirm.
- Click Accept in the UAC dialog box if prompted.
- Finally, you will be prompted to restart your computer:
Once you have restarted your computer, the uninstalled update will have been removed from Windows 10.
Next, we will see how to use the Settings app to uninstall updates.
Uninstalling an update in Settings
- Go to Settings | Update & Security | Windows Update option.
- Then, click on the View update history option. The resultant window is shown in the following screenshot:
- After that, click on Uninstall updates at the top of the screen.
- From here, follow step 5 and onward from the Uninstalling an update via the Control Panel section to uninstall an update.
We will now look at using Command Prompt to remove an update in the next section.
Uninstalling an update via Command Prompt
Often, you will need to remove the same update from multiple devices. You can use the Command Prompt or PowerShell to script the command. After you have created the script, you can distribute it to various devices using Group Policy or PowerShell. Of course, you need to do this after you have checked the command-line tool on your test system.
To generate a list of the installed update packages on your device, open Command Prompt or PowerShell and type in the following command:
wmic qfe list brief /format:table
By specifying the package number (from Microsoft Knowledge Base) of the update to be uninstalled, you can use the Windows Update Standalone Installer (WUSA) command-line tool (wusa.exe) to remove the update.
For the previous method, the syntax is as follows:
wusa.exe /uninstall /kb:<KBnumber>
Replace <KBnumber> with the actual KB number in the command if you wish to uninstall the update. The WMIC and WUSA command functions can be used in either PowerShell or Command Prompt.
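When the same update has to be removed from several devices, the two commands above can be wrapped in one script that validates the KB number, checks that the update is installed, and reports the result. The following is an added example, not code from the book or its GitHub repository: the function name and result labels are hypothetical, and it uses Get-HotFix, which reads the same Win32_QuickFixEngineering data as wmic qfe.

```powershell
# Added example: remove one update with wusa.exe and report the outcome.
# Uses only the /uninstall /kb: syntax shown in this chapter, so wusa.exe
# still shows its own confirmation dialog on the device.
function Remove-InstalledUpdate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Digits only, optionally prefixed with "KB"; anything else is
        # rejected before it can reach the wusa.exe command line.
        [Parameter(Mandatory)]
        [ValidatePattern('^(KB)?\d{6,8}$')]
        [string]$KbNumber
    )

    $digits = $KbNumber -replace '^KB', ''
    $kb     = "KB$digits"

    # Build a result object in one place so every path reports the same shape.
    $report = {
        param($result, $exitCode)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            KB       = $kb
            Result   = $result
            ExitCode = $exitCode
        }
    }

    # Skip devices where the update is not installed.
    if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
        return & $report 'NotInstalled' $null
    }

    # -WhatIf shows what would happen without removing anything.
    if (-not $PSCmdlet.ShouldProcess($kb, 'Uninstall with wusa.exe')) {
        return & $report 'Skipped' $null
    }

    # Call wusa.exe by its full path rather than relying on PATH lookup.
    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $proc = Start-Process -FilePath $wusa `
        -ArgumentList '/uninstall', "/kb:$digits" -Wait -PassThru

    # 0 = success, 3010 = success but a restart is required.
    $result = switch ($proc.ExitCode) {
        0       { 'Removed' }
        3010    { 'RemovedRestartRequired' }
        default { 'Failed' }
    }
    & $report $result $proc.ExitCode
}

# <KBnumber> is a placeholder, as in the syntax above. Try -WhatIf first:
# Remove-InstalledUpdate -KbNumber '<KBnumber>' -WhatIf
```

Run it on your test system first, as the chapter advises, and keep the returned objects as a record of which devices had the update removed.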
In this section, you learned about the many methods you can use to identify and solve update issues with different techniques. You now know which services are essential for Windows Update to work correctly. Furthermore, you learned how you can uninstall and roll back updates in different ways.
You learned, throughout this chapter, that it's essential to keep your Windows 10 devices up to date. You learned what the term Windows as a service is and that there are three servicing channels that you can use in your organization. By using deployment rings in your organization, you can have control over the deployment of your updates. You can configure deployment rings with GPOs or with Microsoft Endpoint Manager.
You can now configure Windows Update on a machine via a GPO or Microsoft Endpoint Manager. You can also change the active hours, pause any updates, or view the update history. You now know about the various ways of finding and solving upgrade problems using different techniques, as well as which resources are important for Windows Update to update properly. Also, you now know how to uninstall and roll back updates in different ways.
You learned that you can configure delivery optimization to speed up the downloading of updates to client computers. Furthermore, you learned which distribution mechanism to use so that you can deploy Windows updates to your client computers.
- Can anyone opt into the Windows Insider Program?
- Is the Semi-Annual Channel (Targeted) a valid servicing channel?
- If you manually check for updates, can you install the updates at a later time?
- Is it necessary to test and validate updates before you deploy them to the rest of your organization?
- Are Background Tasks Infrastructure Service and Windows Update services critical for Windows updates?
- Overview of Windows as a service: https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview
- Build deployment rings for Windows 10 updates: https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates
- Delivery Optimization for Windows 10 updates: https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization
- Windows Server Update Services (WSUS): https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus
- Deploy updates using Windows Update for business: https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
- Learn about Configuration Manager: https://docs.microsoft.com/en-us/configmgr/core/understand/introduction
- Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) provider for your devices: https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune
- Description of the Windows Update Standalone Installer in Windows: https://support.microsoft.com/en-us/help/934307/description-of-the-windows-update-standalone-installer-in-windows