Patch Management and Windows 10
VIDEO Datto RMM: Patch Management Best Practices
Datto RMM technical experts Jon North and Aaron Engels explain why Patch Management is such a critical business offering. They cover what Windows updates and Patch Management look like in 2019 and beyond, with Cumulative Updates and Windows as a Service. They explain how you can leverage Datto RMM in the most efficient way for your business and offer their best practices suggestions to improve your current patching and updating strategies. Also refer to the Windows 7 to Windows 10 webinar recording to learn how you can control Feature Updates for Windows 10 with Datto RMM.
About Windows 10 updates
Windows 10 is managed very differently from the operating systems that came before it. Windows updates in particular are handled much more closely by Microsoft in Windows 10, and the changes become more pronounced with each update.
This document will list all Windows 10 versions and will go through some of the new update terminology used for Windows 10. It will list a few common scenarios users can expect when managing Windows 10 updates, and it will also show how to solve them.
|Version String|Nickname|Build Number|Release Date|
|---|---|---|---|
|1507|Threshold 1|10240|July 2015|
|1511|November Update|10586|November 2015|
|1607|Anniversary Update|14393|July 2016|
|1703|Creators Update|15063|March 2017|
|1709|Fall Creators Update|16299|October 2017|
|1803|April 2018 Update|17134|April 2018|
|1809|October 2018 Update|17763|November 2018|
|1903|May 2019 Update|18362|May 2019|
|1909|November 2019 Update|18363|November 2019|
|2004|May 2020 Update|19041|May 2020|
Users can expect to see the following terms used when handling Windows 10 updates:
|Term|Description|
|---|---|
|Windows Update for Business|From Microsoft: "Windows Update for Business is a collection of policy settings that control updates for devices that use Windows 10." Refer to this Microsoft Support article.|
|Quality Update|This is analogous to an old-style KB update or an update on "Update Tuesday". It is an update which requires rebooting the computer and which carries a number of small quality-of-life improvements and security fixes. Older operating systems received lots of smaller updates, while Windows 10 receives update rollups which contain all of the smaller updates in a single unit.|
|Feature Update|This is analogous to a Service Pack. A Feature Update upgrades Windows 10's version, adding new features, interface changes and (often) new management considerations. Windows 10 uses a dual-naming versioning system: a four-digit number (year and month) followed by a nickname. An example is version 1607, the Anniversary Update. Refer to Windows 10 versions. Feature Updates are delivered as new operating systems over Electronic Software Distribution (ESD files). They are often large (more than 2 GB) and require a specific method of installation.|
|Driver Update|These remain more or less as they always were. They are small bundles of software drivers installed as demanded by the system in response to hardware requirements.|
|Security Update|As of April 2017, Windows 10 (not Server 2016) receives Security Updates. Security Updates are bundles of security-related patches released a few weeks before a Quality Update. Administrators who opt out of installing them will see the same patches included in that month's Quality Update.|
|Update Rollup|Microsoft used to offer these as a convenience to users setting up new devices with legacy operating systems. With Windows 10, updates are contained within one or two monthly update rollups instead of smaller individual update packs. This system removes a lot of the granularity previously granted to System Administrators over individual patches. This is magnified by the cumulative nature of updates, where subsequent updates include previously-missed patches.|
|Branch/Channel|A Windows 10 device can be put into one of two categories, called Channels or Branches, which determine how often it receives updates. Targeted Semi-Annual Channel: devices receive both Quality and Feature Updates on a mandatory basis; these updates are issued as soon as Microsoft clears them for release (legacy term: "Current Branch", CB). Broad Semi-Annual Channel: devices receive Quality Updates on a mandatory basis, while Feature Updates can be deferred for up to a set time period; some updates are issued 4 months after Targeted devices receive them and can be deferred for up to a year in total (legacy term: "Current Branch for Business", CBB). For instructions on switching channels, refer to Channel switching. There is also Long-Term Servicing Channel (LTSC) Windows, a separate version that only receives Quality Updates and not Feature Updates. For more information, refer to this article.|
|Defer|The term Microsoft uses for delaying the checking for and installation of Windows updates. The amount of time one can defer updates for depends on the version of Windows 10 the device is running. Deferring an update does not change its frequency. Deferred updates will not show up in patch scans until the deferral time has passed. If three updates are released in a month, users will still receive three update notifications, but only once their device's deferral period has expired.|
|Patch|A dated term used to refer to a Windows update. Microsoft prefers the term "update".|
Microsoft Windows 10 receives multiple forms of updates, the most notable being Quality Updates and Feature Updates. The former is an umbrella term used to encompass updates for security and performance, while the latter refers to larger updates released every few months which upgrade Windows 10 to an entirely new version.
Windows 10 Feature Updates are generally referred to either by title (e.g. “Fall Creators Update”) or by their year-month version number (e.g. 1511, 1603, 1709, etc.), and they require installation outside of Patch Management. Datto RMM handles installation of these updates via one of two dedicated ComStore components.
- For either solution, at least 20 GB of storage space on the home drive and 1 GB of RAM (2 GB for x64) is required on the target device.
- For the Windows 10: Upgrade via ISO component, connectivity to https://storage.centrastage.net is required if you are downloading an image from Datto.
Windows 10: Upgrade or update to latest Feature Release
The first component is called Windows 10: Upgrade or update to latest Feature Release and works by downloading the latest version of Windows 10 directly from Microsoft for the specified endpoints. Details, such as OS language, architecture, and edition are preserved across the update process. Windows Workstation operating systems from Windows 7 SP1 can use this component to update to the latest build of Windows 10 automatically.
The strength of this component is its simplicity and lack of prerequisites. Provided the target device is capable of upgrading its Windows edition (for example, it has a valid Windows license, a compatible edition, and enough storage space), the upgrade process will proceed without the administrator needing to provide any additional detail.
The weakness of this component is its lack of support for Education editions of Windows and for Windows 10 Pro for Workstations. Furthermore, because the component uses Microsoft tools to download Windows 10, it will always download the latest version. Please note that there is no support for downloading the previous (penultimate) version of Windows 10 from Microsoft.
NOTE Windows Server operating systems are not supported.
NOTE Windows 7 SP1 Enterprise cannot be updated using this component. Devices running Windows 7 SP1 Enterprise will need to use the Windows 10: Upgrade via ISO component detailed next.
Windows 10: Upgrade via ISO
The second component is called Windows 10: Upgrade via ISO. It works by downloading a disc image from a defined network location, extracting it, and running the setup executable silently. This is a more manual approach that relies on the presence of a disc image, but this freedom allows the administrator to specify exactly which version of Windows 10 to upgrade the device to, in ways that extend beyond the reach of the previous component.
As a courtesy, Datto provides Windows 10 Professional ISOs for the previous two versions, that is, the last two versions before the very latest, in both British and International English, for both architectures. The component can be configured to download the relevant ISO directly from Datto's servers and install from it (language and architecture will be intuited automatically). Alternatively, a network location can be given to a Windows 10 disc image stored elsewhere, perhaps internally.
NOTE Due to legal reasons, Datto is prohibited from serving non-Professional versions of Windows 10 (Enterprise, Education, etc.).
If the disc images served by Datto are not applicable to your deployment, the script can be given a path to a Windows 10 ISO stored on a network share, which it will then attempt to download and work from. Once the image has been downloaded, it will be processed in the same manner as a disc image downloaded from Datto would be. This is necessary for users wishing to upgrade non-English installations of Windows 10 and/or installations of editions not supported by either component natively.
NOTE If you are placing a Windows 10 ISO on a network share, the LocalSystem user must be able to read files in that location. Datto RMM components run as quick jobs execute as NT AUTHORITY\SYSTEM, so that account needs to be able to access the file remotely.
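The following PowerShell pre-flight check is an added example, not Datto's component code. It verifies the prerequisites listed above before the ISO component is run: free space on the system drive, installed RAM, and that the ISO path is readable by the account the script runs under, with an optional SHA256 comparison. Run it as a component or quick job so that it executes as NT AUTHORITY\SYSTEM and the share test reflects that identity (on a domain-joined device, SYSTEM reaches a remote share as the computer account, DOMAIN\COMPUTERNAME$). The share path, expected hash, and thresholds are placeholders to replace with your own values.

```powershell
# Added example (not Datto's component code): pre-flight check for the
# "Windows 10: Upgrade via ISO" scenario. Run under the same account the
# component uses (NT AUTHORITY\SYSTEM) so the share-access result is meaningful.
# $IsoPath and $ExpectedSha256 are placeholders; the thresholds follow the
# requirements stated on the page (20 GB free, 1 GB RAM, 2 GB on x64).
param(
    [string]$IsoPath        = '\\fileserver\software\Win10_Pro_x64.iso',  # hypothetical share path
    [string]$ExpectedSha256 = '',                                         # optional; leave empty to skip
    [int]$MinFreeGB         = 20,
    [int]$MinRamGB          = 1
)

$problems = @()

# Identity: components run as SYSTEM; on a domain member, remote shares are
# reached as the computer account, so Read must be granted to that account.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($who -ne 'NT AUTHORITY\SYSTEM') {
    $problems += "Running as '$who', not SYSTEM; the share-access result may not match the component's."
}

# Storage: at least 20 GB on the home (system) drive.
$sysDrive = $env:SystemDrive.TrimEnd(':')
$freeGB   = [math]::Round((Get-PSDrive -Name $sysDrive).Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    $problems += "Only $freeGB GB free on ${sysDrive}:; at least $MinFreeGB GB is required."
}

# RAM: 1 GB minimum, 2 GB on a 64-bit OS.
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$need  = if ([Environment]::Is64BitOperatingSystem) { [math]::Max($MinRamGB, 2) } else { $MinRamGB }
if ($ramGB -lt $need) {
    $problems += "Only $ramGB GB RAM; at least $need GB is required."
}

# Share readability: the ISO must be readable by the account running this script.
if (-not (Test-Path -LiteralPath $IsoPath -PathType Leaf)) {
    $problems += "Cannot read '$IsoPath' as '$who'. Grant Read on the share and NTFS ACL to the device's computer account."
} elseif ($ExpectedSha256 -match '^[0-9a-fA-F]{64}$') {
    # Integrity: compare against the hash you recorded when the ISO was obtained.
    $actual = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        $problems += "ISO hash mismatch for '$IsoPath': got $actual"
    }
} else {
    Write-Output "SKIP: no expected SHA256 supplied; integrity of '$IsoPath' was not verified."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
Write-Output "OK: prerequisites satisfied for '$IsoPath' on $env:COMPUTERNAME"
exit 0
```

A non-zero exit code makes the check show as failed in the job results, which is the signal to fix share permissions or free up space before scheduling the upgrade component. Hashing a multi-gigabyte ISO across the network takes a while, so supply the expected hash only when you want that verification on every device.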
Other use cases
For more information on upgrading from Windows 7 to Windows 10 and the various considerations that must be made, please refer to Windows 7 to Windows 10 in-place upgrade by component. Here you will also find information on updating to Windows 10 by way of creating segmented ISO parts that are attached to components.
To switch channels, you can use Datto RMM's Windows Update policy. You can configure the policy to switch a device from Semi-Annual Channel (Targeted) to Semi-Annual Channel (Broad) and automatically defer Feature and Quality Updates. It also enables Windows Telemetry, as switching Channel requires this feature to be enabled. For more information, refer to Update Channel.
Due to the way in which Windows 10 Feature Updates are handled, they are not supported by Datto RMM Patch Management. The issue revolves around the different subsystems within Windows. While Quality Updates are handled by the Windows Update service, Feature Updates are instead managed by the Update Orchestrator Service, to which third-party programs have considerably less access.
Windows 10 Feature Updates cannot be installed via a Patch Management policy; however, they can be installed via one of the components available from the ComStore. See the previous section of this document for more information on the various component-based management options available.
To stop Feature Updates from appearing as part of patch scans, a Windows Update policy can be configured to defer Feature Updates for a set period, before which point they will not register to the device as applicable. Refer to Create a Windows Update policy. Administrators choosing to take this route should follow a model of installing Feature Updates on devices before the threshold hiding them from the device's patch scan is met.
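To see what a Windows Update policy has actually applied on a device, the read-only PowerShell report below is an added example (not Datto RMM's own code). It reads the Windows Update for Business values the policy writes under the WindowsUpdate policy key (channel, Feature and Quality Update deferral), the telemetry level that channel switching depends on, and the device's current version and build, and it warns when a Feature Update deferral is in force, which is the situation in which Feature Updates stop appearing in patch scans. The registry paths and value names are Microsoft's documented Windows Update for Business policy values; nothing here is a Datto RMM setting.

```powershell
# Added example (not Datto RMM's own code): report the Windows Update for
# Business settings a Windows Update policy leaves in the registry, together
# with the device's current version, and warn when a Feature Update deferral
# will hide Feature Updates from patch scans. Read-only; changes nothing.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$cv       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Current OS version: DisplayVersion exists from 20H2 onward, ReleaseId before that.
$version = Get-RegValue $cv 'DisplayVersion'
if (-not $version) { $version = Get-RegValue $cv 'ReleaseId' }
$build = Get-RegValue $cv 'CurrentBuild'

# BranchReadinessLevel: 16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel (Broad).
$channelMap = @{ 16 = 'Semi-Annual Channel (Targeted)'; 32 = 'Semi-Annual Channel (Broad)' }
$brl = Get-RegValue $wuPolicy 'BranchReadinessLevel'
$channel = if ($null -ne $brl -and $channelMap.ContainsKey([int]$brl)) { $channelMap[[int]$brl] } else { 'not set by policy' }

# Deferral switches and periods (days). A period only applies when its switch is 1.
$deferFeature = Get-RegValue $wuPolicy 'DeferFeatureUpdates'
$featureDays  = Get-RegValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'
$deferQuality = Get-RegValue $wuPolicy 'DeferQualityUpdates'
$qualityDays  = Get-RegValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'

# Telemetry must be at least Basic (1) for channel and deferral policies to take effect.
$telemetry = Get-RegValue $dcPolicy 'AllowTelemetry'

[pscustomobject]@{
    Device              = $env:COMPUTERNAME
    Version             = $version
    Build               = $build
    Channel             = $channel
    FeatureDeferralDays = $(if ($deferFeature -eq 1 -and $featureDays) { [int]$featureDays } else { 0 })
    QualityDeferralDays = $(if ($deferQuality -eq 1 -and $qualityDays) { [int]$qualityDays } else { 0 })
    TelemetryLevel      = $(if ($null -eq $telemetry) { 'not set by policy' } else { [int]$telemetry })
} | Format-List

# Warnings a patching administrator would want to act on.
if ($deferFeature -eq 1 -and [int]$featureDays -gt 0) {
    Write-Warning "Feature Updates are deferred $featureDays days: they will not appear in patch scans until the deferral passes. Install the Feature Update with a ComStore component before then."
}
if ($null -ne $brl -and ($null -eq $telemetry -or [int]$telemetry -lt 1)) {
    Write-Warning 'A channel is set by policy but telemetry is off or unset, so the channel setting will not take effect.'
}
```

Running this as a quick job across a site gives a quick inventory of which devices are still on a version from the table above and which have a deferral that will keep the next Feature Update out of their patch scans, so those devices can be scheduled for the component-based upgrade first.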
This is due to the nature of Windows 10. The retroactivity of Windows 10 patches, where the updates of month 2 will include those missed in month 1, works alongside the cumulative nature of the patch rollups to ensure that devices receive all the patches Microsoft says the device needs. While it is possible to hide or skip Windows 10 patches entirely, administrators will find the patches they have blacklisted in month 1 re-appearing in month 2's update, making the process one of debatable usefulness.
Microsoft treats the Windows 10 Home version drastically differently from its Pro and Enterprise versions. Windows 10 Home does not have a group policy editor and only works on Current Branch (CB). For more information, refer to this article.
Datto RMM is an enterprise software product and does not formally support Home versions of Windows 10. Devices requiring enterprise-grade management must be running enterprise-grade software. For more information on supported operating systems, refer to Supported operating systems and Agent requirements.
Datto RMM and Windows 10 can both manage updates, and it can be tempting to view this shared responsibility as a conflict. However, the two are perfectly capable of working together smoothly. Administrators looking to utilize the best of both services should follow this model:
- Utilize a Patch Management policy for the purposes of patch scanning.
- If direct control over downloading and installing is preferred, also configure this policy for such purposes.
- Try to avoid disapproving patches. Any mandatory update Datto RMM does not install will instead be installed by Windows.
- Utilize a Windows Update policy to configure Update Channel, deferral settings, and Active Hours.
- Windows will use these settings to install patches that Datto RMM has not already handled.
By using this method, Datto RMM will intervene to install the updates it has been instructed to. Anything falling beyond this remit will be dealt with as Windows 10 sees fit.