deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into release-win11-2309

Browse Source
This commit is contained in:
Alma Jenks 2023-08-23 16:36:12 -07:00
commit 251b5bc1f9
27 changed files with 545 additions and 612 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
windows/deployment/update/PSFxWhitepaper.md
View File

@ -2,20 +2,23 @@
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/21/2021
---
# Windows Updates using forward and reverse differentials
Windows 10 monthly quality updates are cumulative, containing all previously
Windows monthly quality updates are cumulative, containing all previously
released fixes to ensure consistency and simplicity. For an operating system
platform like Windows 10, which stays in support for multiple years, the size of
platform like Windows, which stays in support for multiple years, the size of
monthly quality updates can quickly grow large, thus directly impacting network
bandwidth consumption.
@ -23,8 +26,8 @@ Today, this problem is addressed by using express downloads, where differential
downloads for every changed file in the update are generated based on selected
historical revisions plus the base version. In this paper, we introduce a new
technique to build compact software update packages that are applicable to any
revision of the base version, and then describe how Windows 10 quality updates
uses this technique.
revision of the base version, and then describe how Windows quality updates
use this technique.
## General Terms
@ -65,45 +68,44 @@ numerous advantages:
- Efficient to install
- Redistributable
Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
Historically, download sizes of Windows quality updates (Windows 10, version 1803 and older supported versions of Windows 10) were optimized by using express download. Express download is optimized such that updating Windows systems download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as express download files) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as express download files) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device applying express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
The flip side of express download is that the size of PSF files can be large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they're unable to use express updates to keep their fleet of devices running Windows up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it's only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
In the following sections, we describe how Windows 10 quality updates will leverage this technique based on forward and reverse differentials for newer releases of Windows 10 and Windows Server to overcome the challenges with express downloads.
In the following sections, we describe how quality updates use this technique based on forward and reverse differentials for newer releases of Windows and Windows Server to overcome the challenges with express downloads.
## High-level Design
### Update packaging
Windows 10 quality update packages will contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices will have an identical payload. Update package metadata, content manifests, and forward and reverse differentials will be packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
Windows quality update packages contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices have an identical payload. Update package metadata, content manifests, and forward and reverse differentials are packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer:
There can be cases where new files are added to the system during servicing. These files won't have RTM baselines, thus forward and reverse differentials can't be used. In these scenarios, null differentials are used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows quality update installer:
![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.).](images/PSF4.png)
### Hydration and installation
Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure will hydrate the full files during pre-installation and then proceed with the usual installation process.
Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure hydrates the full files during preinstallation and then proceeds with the usual installation process.
Below is a high-level sequence of activities that the component servicing infrastructure will run in a transaction to complete installation of the update:
Below is a high-level sequence of activities that the component servicing infrastructure runs in a transaction to complete installation of the update:
- Identify all files that are required to install the update.
- Hydrate each of necessary files using current version (V<sub>N</sub>) of the file, reverse differential (V<sub>N</sub>--->RTM) of the file back to quality update RTM/base version and forward differential (V<sub>RTM</sub>--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files.
- Stage the hydrated files (full file), forward differentials (under f folder) and reverse differentials (under r folder) or null compressed files (under n folder) in the component store (%windir%\\WinSxS folder).
- Stage the hydrated files (full file), forward differentials (under `f` folder) and reverse differentials (under `r` folder) or null compressed files (under `n` folder) in the component store (%windir%\\WinSxS folder).
- Resolve any dependencies and install components.
- Clean up older state (V<sub>N-1</sub>); the previous state V<sub>N</sub> is retained for uninstallation and restoration or repair.
### **Resilient Hydration**
To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (“automatic corruption repair”) or on demand (“manual corruption repair”) using an online or local repair source. This service will continue to offer the ability to repair and recover content for
hydration and successfully install an update, if needed.
To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (automatic corruption repair) or on demand (manual corruption repair) using an online or local repair source. This service will continue to offer the ability to repair and recover content for hydration and successfully install an update, if needed.
When corruption is detected during update operations, automatic corruption repair will start as usual and use the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files will contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
When corruption is detected during update operations, automatic corruption repair starts as usual and uses the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
Corruption repair will use the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine will be set. When automatic corruption repair runs, it will scan hydrated files using the manifest and differential files using the flags. If the differential cannot be found or verified, it will be added to the list of corruptions to repair.
Corruption repair uses the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine are set. When automatic corruption repair runs, it scans hydrated files using the manifest and differential files using the flags. If the differential can't be found or verified, it's added to the list of corruptions to repair.
### Lazy automatic corruption repair
“Lazy automatic corruption repair” runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
"Lazy automatic corruption repair" runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.

14
windows/deployment/update/eval-infra-tools.md
View File

@ -1,23 +1,21 @@
---
title: Evaluate infrastructure and tools
description: Steps to make sure your infrastructure is ready to deploy updates
description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Evaluate infrastructure and tools
**Applies to**
- Windows 10
- Windows 11
Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
## Infrastructure

121
windows/deployment/update/feature-update-user-install.md
View File

@ -1,20 +1,21 @@
---
title: Best practices - deploy feature updates for user-initiated installations
title: Best practices - user-initiated feature update installation
description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.date: 07/10/2018
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.topic: best-practice
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
ms.date: 07/10/2018
---
# Deploy feature updates for user-initiated installations (during a fixed service window)
**Applies to**: Windows 10
Use the following steps to deploy a feature update for a user-initiated installation.
## Get ready to deploy feature updates
@ -22,7 +23,7 @@ Use the following steps to deploy a feature update for a user-initiated installa
### Step 1: Enable Peer Cache
Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
[Enable Configuration Manager client in full OS to share content](/mem/configmgr/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
@ -35,7 +36,7 @@ If you're deploying **Feature update to Windows 10, version 1709** or later, by
Priority=Normal
```
You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
You can use the new [Run Scripts](/mem/configmgr/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
```
#Parameters
@ -80,7 +81,7 @@ or documentation, even if Microsoft has been advised of the possibility of such
```
>[!NOTE]
>If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/mem/configmgr/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates in a user-initiated installation
@ -89,77 +90,73 @@ The following sections provide the steps to manually deploy a feature update.
### Step 1: Specify search criteria for feature updates
There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy.
1. In the Configuration Manager console, click **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
1. In the Configuration Manager console, select **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. The synchronized feature updates are displayed.
3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
- In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
- Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
- In the **search** text box, type a search string that filters for the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
- Select **Add Criteria**, select the criteria that you want to use to filter software updates, select **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
4. Save the search for future use.
### Step 2: Download the content for the feature update(s)
Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
Before you deploy the feature updates, you can download the content as a separate step. Do this download so you can verify that the content is available on the distribution points before you deploy the feature updates. Downloading first helps you avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right-click, and select **Download**.
The **Download Software Updates Wizard** opens.
3. On the **Deployment Package** page, configure the following settings:
**Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
- **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
- **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It's limited to 50 characters.
- **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
- **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
- **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or select **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
> [!IMPORTANT]
> - The deployment package source location that you specify cannot be used by another software deployment package.
> - The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
> - You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Select **Next**.
4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then select **Next**. For more information about distribution points, see [Distribution point configurations](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
>[!NOTE]
>The deployment package source location that you specify cannot be used by another software deployment package.
>[!IMPORTANT]
>The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
>[!IMPORTANT]
>You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Click **Next**.
4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
>[!NOTE]
>The Distribution Points page is available only when you create a new software update deployment package.
> The Distribution Points page is available only when you create a new software update deployment package.
5. On the **Distribution Settings** page, specify the following settings:
- **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
- **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
- **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority. By default, packages are sent using Medium priority.
- **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content isn't available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
- **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
- **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
- **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
- **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
- **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This setting is the default.
For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
Click **Next**.
For more information about prestaging content to distribution points, see [Use Prestaged content](/mem/configmgr/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
Select **Next**.
6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
- **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
- **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
- **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard doesn't have Internet access.
>[!NOTE]
>When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
> When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
Click **Next**.
7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**.
Select **Next**.
7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then select **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
8. On the **Summary** page, verify the settings that you selected in the wizard, and then select **Next** to download the software updates.
9. On the **Completion** page, verify that the software updates were successfully downloaded, and then select **Close**.
#### To monitor content status
1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
1. To monitor the content status for the feature updates, select **Monitoring** in the Configuration Manager console.
2. In the Monitoring workspace, expand **Distribution Status**, and then select **Content Status**.
3. Select the feature update package that you previously identified to download the feature updates.
4. On the **Home** tab, in the Content group, click **View Status**.
4. On the **Home** tab, in the Content group, select **View Status**.
### Step 3: Deploy the feature update(s)
After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
1. In the Configuration Manager console, click **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
1. In the Configuration Manager console, select **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**.
3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right select, and select **Deploy**.
The **Deploy Software Updates Wizard** opens.
4. On the General page, configure the following settings:
@ -178,7 +175,7 @@ After you determine which feature updates you intend to deploy, you can manually
>[!NOTE]
>A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured.
- **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**.
- **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that don't require any software updates in the deployment aren't started. By default, this setting isn't enabled and is available only when **Type of deployment** is set to **Required**.
>[!WARNING]
>Before you can use this option, computers and networks must be configured for Wake On LAN.
@ -189,7 +186,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
- **Software available time**: Select **Specific time** to specify when the software updates will be available to clients:
- **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded.
- **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment isn't available for installation until after the specified date and time are reached and the required content has been downloaded.
- **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
@ -198,7 +195,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window.
Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated.
Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients start downloading the content based on a randomized time. The feature update won't be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation starts immediately when initiated.
7. On the User Experience page, configure the following settings:
- **User notifications**: Specify **Display in Software Center and show all notifications**.
@ -214,25 +211,25 @@ After you determine which feature updates you intend to deploy, you can manually
>[!NOTE]
>When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
- **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
>[!NOTE]
>You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace.
9. On the Download Settings page, configure the following settings:
- Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
- Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
- **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates isn't available on a preferred distribution point.
- **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates aren't available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
>[!NOTE]
>Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
11. Click **Next** to deploy the feature update(s).
>Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
10. On the Summary page, review the settings. To save the settings to a deployment template, select **Save As Template**, enter a name and select the settings that you want to include in the template, and then select **Save**. To change a configured setting, select the associated wizard page and change the setting.
11. Select **Next** to deploy the feature update(s).
### Step 4: Monitor the deployment status
After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
2. Click the software update group or software update for which you want to monitor the deployment status.
3. On the **Home** tab, in the **Deployment** group, click **View Status**.
2. Select the software update group or software update for which you want to monitor the deployment status.
3. On the **Home** tab, in the **Deployment** group, select **View Status**.

30
windows/deployment/update/fod-and-lang-packs.md
View File

@ -1,21 +1,26 @@
---
title: Make FoD and language packs available for WSUS/Configuration Manager
description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
title: FoD and language packs for WSUS and Configuration Manager
description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.date: 03/13/2019
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 03/13/2019
---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
**Applies to**
This article describes how to make Features on Demand and language packs available when you're using WSUS or Configuration Manager for specific versions of Windows.
- Windows 10
- Windows 11
## Version information for Features on Demand and language packs
In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features.
@ -23,10 +28,15 @@ As of Windows 10 version 1709, you can't use Windows Server Update Services (WSU
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired.
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
## More resources
- [WSUS documentation](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
- [Configuration Manager documentation](/mem/configmgr/)

48
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -1,23 +1,22 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Windows client updates, channels, and tools
**Applies to**
- Windows 10
- Windows 11
This article provides a brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them.
## How Windows updates work
There are four phases to the Windows update process:
@ -26,18 +25,18 @@ There are four phases to the Windows update process:
administrator. This process is invisible to the user.
- **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple
sequential phases.
- **Install:** After the update is downloaded, depending on the devices Windows Update settings, the update is installed on the system.
- **Install:** After the update is downloaded, depending on the device's Windows Update settings, the update is installed on the system.
- **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous
version of the software.
## Types of updates
We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they're delivered frequently (rather than every 3-5 years), they're easier to manage.
- **Quality updates:** Quality updates deliver both security and nonsecurity fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They're typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates aren't necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they're installed or not.
- **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@ -50,13 +49,14 @@ The first step of controlling when and how devices install updates is assigning
### General Availability Channel
In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel installs a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
### Windows Insider Program for Business
Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are options within the Windows Insider Program for Business channel:
- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Release Preview
@ -73,12 +73,12 @@ The General Availability Channel is the default servicing channel for all Window
| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel |
| --- | --- | --- | --- |
| Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png) | ![no](images/crossmark.png)|
| Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Enterprise | ![yes.](images/checkmark.png) |![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Enterprise LTSC | ![no.](images/crossmark.png) |![no](images/crossmark.png) | ![yes](images/checkmark.png)|
| Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Home | Yes|No | No|
| Pro | Yes | Yes | No|
| Enterprise | Yes |Yes | No|
| Enterprise LTSC | No |No | Yes|
| Pro Education | Yes | Yes | No|
| Education | Yes | Yes | No|
## Servicing tools
@ -104,4 +104,4 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
It's also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.

69
windows/deployment/update/how-windows-update-works.md
View File

@ -1,47 +1,38 @@
---
title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices.
description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# How Windows Update works
**Applies to**
- Windows 10
- Windows 11
The Windows Update workflow has four core areas of functionality:
### Scan
1. Orchestrator schedules the scan.
2. Orchestrator verifies admin approvals and policies for download.
### Download
1. Orchestrator starts downloads.
2. Windows Update downloads manifest files and provides them to the arbiter.
3. The arbiter evaluates the manifest and tells the Windows Update client to download files.
4. Windows Update client downloads files in a temporary folder.
5. The arbiter stages the downloaded files.
### Install
1. Orchestrator starts the installation.
2. The arbiter calls the installer to install the package.
### Commit
1. Orchestrator starts a restart.
2. The arbiter finalizes before the restart.
1. Scan
1. Orchestrator schedules the scan.
1. Orchestrator verifies admin approvals and policies for download.
1. Download
1. Orchestrator starts downloads.
1. Windows Update downloads manifest files and provides them to the arbiter.
1. The arbiter evaluates the manifest and tells the Windows Update client to download files.
1. Windows Update client downloads files in a temporary folder.
1. The arbiter stages the downloaded files.
1. Install
1. Orchestrator starts the installation.
1. The arbiter calls the installer to install the package.
1. Commit
1. Orchestrator starts a restart.
1. The arbiter finalizes before the restart.
## How updating works
@ -52,7 +43,7 @@ During the updating process, the Windows Update Orchestrator operates in the bac
The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
Make sure you're familiar with the following terminology related to Windows Update scan:
@ -61,8 +52,8 @@ Make sure you're familiar with the following terminology related to Windows Upda
|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.|
|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.|
|Child update|Leaf update that's bundled by another update; contains payload.|
|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.|
|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. |
|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.|
|Category update|A special `detectoid` that has an `IsInstalled` rule that is always true. Used for grouping updates and allowing the device to filter updates. |
|Full scan|Scan with empty datastore.|
|Delta scan|Scan with updates from previous scan already cached in datastore.|
|Online scan|Scan that uses the network and to check an update server. |
@ -80,7 +71,7 @@ Windows Update does the following actions when it runs a scan.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
@ -88,9 +79,9 @@ When users start scanning in Windows Update through the Settings panel, the foll
![Windows Update scan log 1.](images/update-scan-log-1.png)
#### Proxy Behavior
For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP: SimpleAuth Web Service](/openspecs/windows_protocols/ms-wusp/61235469-6c2f-4c08-9749-e35d52c16899), [MS-WUSP: Client Web Service](/openspecs/windows_protocols/ms-wusp/69093c08-da97-445e-a944-af0bef36e4ec)):
- System proxy is attempted (set using the `netsh` command).
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it's the logged-in user).
> [!Note]
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
@ -130,13 +121,13 @@ Common update failure is caused due to network issues. To find the root of the i
> [!NOTE]
> If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.
- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service cant scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since its locally configured.
- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can't scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it's locally configured.
![Windows Update scan log 3.](images/update-scan-log-3.png)
## Downloading updates
![Windows Update download step.](images/update-download-step.png)
Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.

18
windows/deployment/update/media-dynamic-update.md
View File

@ -1,24 +1,22 @@
---
title: Update Windows installation media with Dynamic Update
description: Learn how to deploy feature updates to your mission critical devices
description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 07/17/2023
ms.reviewer: stevedia
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/17/2023
---
# Update Windows installation media with Dynamic Update
**Applies to**
- Windows 10
- Windows 11
This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.

33
windows/deployment/update/optional-content.md
View File

@ -1,20 +1,21 @@
---
title: Migrating and acquiring optional Windows content
description: Keep language resources and Features on Demand during operating system updates
description: How to keep language resources and Features on Demand during operating system updates for your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 03/15/2023
---
# Migrating and acquiring optional Windows content during updates
***(Applies to: Windows 11 & Windows 10)***
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
@ -43,7 +44,7 @@ Windows Setup needs access to the optional content. Since optional content isn't
### User-initiated feature acquisition failure
The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows acquires the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
## Options for acquiring optional content
@ -77,7 +78,7 @@ Consider moving to Windows Update for Business. Not only will the optional conte
Starting in March 2023, UUP has been integrated with WSUS and Configuration Manager to bring the same optional content and acquisition benefits of Windows Update to on-premises management solutions. For example:
- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates will be included and current based on the month that the feature update was approved.
- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates are included and current based on the month that the feature update was approved.
- Devices that upgrade using a local Windows image but use WSUS or Configuration Manager for approving the combined cumulative update will benefit by having support for optional content acquisition in the updated Windows OS, as well as OS self-healing.
@ -94,9 +95,9 @@ If you're not ready to move to Windows Update, another option is to enable Dynam
- **Latest cumulative update**: Installs the latest cumulative quality update.
- **Driver updates**: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
In addition to these updates for the new operating system, Dynamic Update acquires optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it fetches content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it wasn't available during the feature update.
Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device reboots again for the latest cumulative update since it wasn't available during the feature update.
One further consideration when using Dynamic Update is the effect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Setup downloads Dynamic Update content using Delivery Optimization when available. For devices that aren't connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
@ -120,7 +121,7 @@ The benefit of this option is that the Windows image can include those additiona
A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using `setupconfig.ini`. For more information, see [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview).
When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
When Setup runs, it injects these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cab files from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting.
@ -134,12 +135,12 @@ Several of the options address ways to address optional content migration issues
- The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
- This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
- If this setting isn't configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
- If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source).
## Learn more
## More resources
For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
@ -156,11 +157,11 @@ For more information about the Unified Update Platform and the approaches outlin
## Sample scripts
Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so we'll look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so let's look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
### Creating an optional content repository
To get started, we'll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We'll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
@ -573,7 +574,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
### Saving optional content in the source operating system
To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy.
To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action limits the files to copy.
```powershell

24
windows/deployment/update/plan-define-readiness.md
View File

@ -1,26 +1,26 @@
---
title: Define readiness criteria
description: Identify important roles and figure out how to classify apps
description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Define readiness criteria
**Applies to**
- Windows 10
- Windows 11
Planning and managing a deployment involves a variety of distinct activities and roles best suited to each activity. This article describes how to identify important roles and figure out how to classify apps.
## Figure out roles and personnel
Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
### Process manager
@ -50,13 +50,9 @@ This table sketches out one view of the other roles, with their responsibilities
|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment |
## Set criteria for rating apps
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but arent critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren't critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
@ -78,7 +74,7 @@ Here's an example priority rating system; the specifics could vary for your orga
|---------|---------|
|1 | Any issues or risks identified must be investigated and resolved as soon as possible. |
|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. |
|3 | Start investigating risks and issues within 10 business days. You dont have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
|3 | Start investigating risks and issues within 10 business days. You don't have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. |
Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.

34
windows/deployment/update/plan-define-strategy.md
View File

@ -1,45 +1,43 @@
---
title: Define update strategy
description: Two examples of a calendar-based approach to consistent update installation
description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Define update strategy with a calendar
**Applies to**
- Windows 10
- Windows 11
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows release cycles, update mechanisms, and relevant tools to support this model. For more information about the Windows lifecycle, see [Windows lifecycle FAQ](/lifecycle/faq/windows).
We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. So, you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. The lifecycle cadence lets you allow some portion of your environment to move faster while the majority can move less quickly.
## Calendar approaches
You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they'll stop receiving the monthly security updates.
You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they stop receiving the monthly security updates once a version is out of support.
### Annual
Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
## Annual approach
Here's a calendar showing an example schedule that applies one Windows feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
[ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update.
This cadence might be most suitable for you if any of these conditions apply:
- You're just starting your journey with the Windows 10 servicing process. If you're unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You're just starting your journey with the Windows servicing process. If you're unfamiliar with new processes that support Windows servicing, moving from a project happening once every three to five years to a feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
- You want to wait and see how successful other companies are at adopting a Windows feature update.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months).
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change.

38
windows/deployment/update/plan-determine-app-readiness.md
View File

@ -1,37 +1,35 @@
---
title: Determine application readiness
manager: aaroncz
description: How to test your apps to know which need attention prior to deploying an update
description: How to test your apps to identify which need attention prior to deploying an update in your organization.
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
ms.technology: itpro-updates
manager: aaroncz
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Determine application readiness
**Applies to**
- Windows 10
- Windows 11
Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization.
## Validation methods
You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
You can choose from various methods to validate apps. Exactly which ones to use depends on the specifics of your environment.
|Validation method |Description |
|---------|---------|
|Full regression | A full quality assurance probing. Staff who know the application well and can validate its core functionality should do this. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application theyre validating. |
|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and arent handled by enterprise application distribution. |
|Full regression | A full quality assurance probing. Staff that know the application well and can validate its core functionality should do this validation. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they're validating. |
|Automated testing | Software performs tests automatically. The software lets you know whether the tests have passed or failed, and provides detailed reporting for you automatically. |
|Test in pilot | You preselect users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren't handled by enterprise application distribution. |
Combining the various validation methods with the app classifications you've previously established might look like this:
@ -46,7 +44,7 @@ Combining the various validation methods with the app classifications you've pre
### Identify users
Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you have to choose which users are best suited for validation testing. Some factors to consider include:
- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
@ -56,10 +54,10 @@ You could seek volunteers who enjoy working with new features and include them i
### Identify and set up devices for validation
In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection includes devices representing all of the hardware models in your environment.
There is more than one way to choose devices for app validation:
There's more than one way to choose devices for app validation:
- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Manual selection**: Some internal groups like operations have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.

46
windows/deployment/update/prepare-deploy-windows.md
View File

@ -2,23 +2,21 @@
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Prepare to deploy Windows
**Applies to**
- Windows 10
- Windows 11
Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase will have left you with these useful items:
Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase left you with these useful items:
- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md)
- A plan for [testing and validating](plan-determine-app-readiness.md) apps
@ -33,26 +31,26 @@ Now you're ready to actually start making changes in your environment to get rea
- Update non-Microsoft security tools like security agents or servers.
- Update non-Microsoft management tools like data loss prevention agents.
Your infrastructure probably includes many different components and tools. Youll need to ensure your environment isnt affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
Your infrastructure probably includes many different components and tools. You need to ensure your environment isn't affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
1. Review all of the infrastructure changes that youve identified in your plan. Its important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
1. Review all of the infrastructure changes that you've identified in your plan. It's important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
2. Validate your changes. Youll validate the changes for your infrastructures components and tools, to help you understand how your changes could affect your production environment.
2. Validate your changes. You validate the changes for your infrastructure's components and tools, to help you understand how your changes could affect your production environment.
3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
You should also look at your organizations environments configuration and outline how youll implement any necessary changes previously identified in the plan phase to support the update. Consider what youll need to do for the various settings and policies that currently underpin the environment. For example:
You should also look at your organization's environment's configuration and outline how you'll implement any necessary changes previously identified in the plan phase to support the update. Consider what you need to do for the various settings and policies that currently underpin the environment. For example:
- Implement new draft security guidance. New versions of Windows can include new features that improve your environments security. Your security teams will want to make appropriate changes to security-related configurations.
- Implement new draft security guidance. New versions of Windows can include new features that improve your environment's security. Your security teams will want to make appropriate changes to security-related configurations.
- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
However, your configuration will consist of many different settings and policies. Its important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isnt affected adversely because of changes you make. For example:
However, your configuration will consist of many different settings and policies. It's important to only apply changes where they're necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that slow down the update process. You want to ensure your environment isn't affected adversely because of changes you make. For example:
1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
1. Review new security settings. Your security team reviews the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
2. Review security baselines for changes. Security teams also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
@ -142,9 +140,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
- Compact the operating system by running **Compact.exe /CompactOS:always**.
- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
- Remove Windows Features on Demand that the user doesn't need. For more information, see [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities).
- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy) for more information.
- Move Windows Known Folders to OneDrive. For more information, see [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy).
- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
@ -167,9 +165,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
## Prepare capability
In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You need to complete these higher-level tasks to gain those new capabilities:
- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.
- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions come with new policies that you use to update ADMX templates.
- Validate new changes to understand how they affect the wider environment.
@ -177,12 +175,12 @@ In the plan phase, you determined the specific infrastructure and configuration
## Prepare users
Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
Users often feel like they're forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
You can employ a variety of measures to achieve this goal, for example:
You can employ various measures to achieve this goal, for example:
- Send overview email about the update and how it will be deployed to the entire organization.
- Send personalized emails to users about the update with specific details.
- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
- Provide the ability to voluntarily update at users convenience.
- Provide the ability to voluntarily update at users' convenience.
- Inform users of a mandatory installation date when the update will be installed on all devices.

38
windows/deployment/update/release-cycle.md
View File

@ -1,19 +1,21 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle ofupdates for Windows clients to stay productive and protected.
description: Learn about the release cycle forupdates so Windows clients in your organization stay productive and protected.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/19/2023
---
# Update release cycle for Windows clients
<!--7696511-->
***(Applies to: Windows 11 & Windows 10)***
Windows updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Updates for the Windows client OS are typically cumulative. They include all previously released fixes to guard against fragmentation of the operating system. Reliability and vulnerability issues can occur when only a subset of fixes is installed.
@ -23,11 +25,11 @@ This article provides details on the types of updates that Microsoft provides, a
|Release type | Description | Release cycle |
|---|---|---|
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and nonsecurity content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional nonsecurity preview release](#optional-nonsecurity-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version | Once a year in the second half of the calendar year |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional nonsecurity preview release then in the monthly security update releases |
## Monthly security update release
@ -42,7 +44,7 @@ Most people are familiar with the **monthly security update release**. The **mon
- Latest cumulative update (LCU)
**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with non-security content introduced in the prior month's [**Optional non-security preview release**](#optional-non-security-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with nonsecurity content introduced in the prior month's [**Optional nonsecurity preview release**](#optional-nonsecurity-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
Monthly security update releases are available through the following channels:
@ -52,11 +54,11 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
## Optional non-security preview release
## Optional nonsecurity preview release
**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **optional non-security preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
**Optional non-security preview releases** might commonly be referred to as:
**Optional nonsecurity preview releases** might commonly be referred to as:
- C or D week releases (meaning the third or fourth week of the month)
- Preview updates
@ -64,9 +66,9 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
> [!Important]
> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
> Starting in April 2023, all **optional nonsecurity preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
To access the optional non-security preview release:
To access the optional nonsecurity preview release:
- Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
@ -78,16 +80,16 @@ To access the optional non-security preview release:
Some key considerations about OOB releases include:
- OOB releases are always cumulative.
- OOB releases supersede any prior monthly security update and optional non-security preview release.
- OOB releases supersede any prior monthly security update and optional nonsecurity preview release.
- OOB releases generally require IT admins to deploy off-cycle.
- Some OOB releases are classified as critical.
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as non-critical.
- Non-critical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
## Continuous innovation for Windows 11
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional nonsecurity preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:

24
windows/deployment/update/safeguard-holds.md
View File

@ -1,31 +1,29 @@
---
title: Safeguard holds
description: What are safeguard holds, how can you tell if one is in effect, and what to do about it.
title: Safeguard holds for Windows
description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Safeguard holds
**Applies to**
- Windows 10
- Windows 11
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe effect (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround isn't immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update resumes offering new operating system versions to devices.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
@ -37,11 +35,11 @@ IT admins can use [Windows Update for Business reports](wufb-reports-overview.md
Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find more details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users see a message.
![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we'll release the safeguard hold and the update can resume safely.
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we release the safeguard hold so the update can resume safely.
## What can I do?

29
windows/deployment/update/safeguard-opt-out.md
View File

@ -1,38 +1,35 @@
---
title: Opt out of safeguard holds
description: Steps to install an update even it if has a safeguard hold applied
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/21/2020
---
# Opt out of safeguard holds
**Applies to**
- Windows 10
- Windows 11
Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows client feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
## How can I opt out of safeguard holds?
IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update and in Windows 11.
IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running the following operating systems:
- Windows 11
- Windows 10, version 1809, or later, with the October 2020 security update.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues.
We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.
Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues.
> [!NOTE]
> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsofts default protection from known issues for each new feature update.
> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.

29
windows/deployment/update/servicing-stack-updates.md
View File

@ -2,29 +2,26 @@
title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.technology: itpro-updates
ms.localizationpriority: high
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server </a>
ms.date: 12/31/2017
---
# Servicing stack updates
**Applies to**
- Windows 10
- Windows 11
- Windows Server
## What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
@ -34,8 +31,6 @@ Servicing stack updates improve the reliability of the update process to mitigat
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
>[!NOTE]
>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
## What's the difference between a servicing stack update and a cumulative update?
@ -49,18 +44,18 @@ Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Installing servicing stack update doesn't require restarting the device, so installation shouldn't be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
* Once a servicing stack update is installed, it can't be removed or uninstalled from the machine.
## Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.

20
windows/deployment/update/update-baseline.md
View File

@ -1,35 +1,35 @@
---
title: Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals
title: Windows 10 Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Update Baseline
**Applies to:** Windows 10
> [!NOTE]
> Update Baseline is not currently available for Windows 11.
> Update Baseline isn't currently available for Windows 11.
With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
## Why is Update Baseline needed?
Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you are just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
## You can use Update Baseline to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline.
Update Baseline doesn't affect your offering policies, whether youre using deferrals or target version to manage which updates are offered to your devices and when.
Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when.
## Policies included in the Update Baseline

75
windows/deployment/update/update-policies.md
View File

@ -1,23 +1,21 @@
---
title: Policies for update compliance, activity, and user experience
description: Explanation and recommendations for settings
title: Policies for update compliance and user experience
description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Policies for update compliance, activity, and user experience
**Applies to**
- Windows 10
- Windows 11
Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@ -30,7 +28,7 @@ deadline approaches, and then prioritize velocity as the deadline nears, while s
Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709
and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
The older policies started enforcing deadlines once the device reached a “restart pending” state for
The older policies started enforcing deadlines once the device reached a `restart pending` state for
an update. The new policy starts the countdown for the update installation deadline from when the
update is published plus any deferral. In addition, this policy includes a configurable grace period and the option
to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic
@ -42,7 +40,7 @@ We recommend you set deadlines as follows:
Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you
do **not** set any notification policies, because they're automatically configured with appropriate defaults. An exception is if you
have kiosks or digital signage.
While three days for quality updates and seven days for feature updates is our recommendation, you might decide
@ -57,7 +55,7 @@ to a minimum of two days.
### Grace periods
You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This
is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not
is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device won't
be forced to update immediately when the user returns.
We recommend you set the following:
@ -79,15 +77,15 @@ automatic restart. To take advantage of this feature, ensure **ConfigureDeadline
Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two
of continuous activity, in order to successfully complete a system update. The device could have other
physical circumstances that prevent successful installation of an update--for example, if a laptop is running low
on battery power, or the user has shut down the device before active hours end and the device cannot comply
on battery power, or the user has shut down the device before active hours end and the device can't comply
with the deadline.
You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period.
You can use the settings in this section to ensure that devices are available to install updates during the update compliance period.
### Active hours
"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of
these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a users activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts occur outside of
these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user's activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
> [!IMPORTANT]
> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these
@ -96,14 +94,12 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While its possible to set the system to delay restarts for users who are logged
in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we
recommend setting the following polices to **Disabled**:
- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
- [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that
updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the users ability to delay a restart outside of compliance deadline settings.
- [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users receive notifications that
updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user's ability to delay a restart outside of compliance deadline settings.
- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**:
- [Update/RequireUpdateApproval](/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
@ -113,8 +109,8 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates)
- [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If youre using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service.
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
> [!IMPORTANT]
> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
@ -127,11 +123,11 @@ recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in
### Power policies
Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
Devices must actually be available during nonactive hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
To a user, a device is either on or off, but for Windows, there are states that allow an update to occur (active) and states that don't (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours.
You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during nonactive hours.
> [!NOTE]
> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode.
@ -139,13 +135,12 @@ You can override the default settings and prevent users from changing them in or
We recommend these power management settings:
- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system
appears to be off but if an update is available, it can wake the device up in order to take an update. The
appears to be off but if an update is available, it can wake up the device in order to take an update. The
power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest
power level before shutdown). When a device is not being used, the system will generally move to sleep
power level before shutdown). When a device isn't being used, the system will generally move to sleep
mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is
too short and Windows does not have time to complete an update. Sleep mode is an important setting
because the system can wake the system from sleep in order to start the update process, as long as there
is enough power.
too short and Windows doesn't have time to complete an update. Sleep mode is an important setting
because the system can wake the system from sleep in order to start the update process, as long as there's enough power.
Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode:
- [Power/AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery)
@ -156,15 +151,15 @@ sleep mode and the device has an opportunity to take an update:
- [Power/SelectLidCloseActionOnBattery](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin)
- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up
without user intervention, like pressing the power button. If a device is in this state, it cannot be updated
- **Hibernate**. When a device is hibernating, power consumption is low and the system can't wake up
without user intervention, like pressing the power button. If a device is in this state, it can't be updated
unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep
(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete.
(S3) is plugged in, and a Windows update is available, a hibernate state is delayed until the update is complete.
> [!NOTE]
> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates).
The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
The default timeout on devices that support traditional sleep is set to three hours. We recommend that you don't reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
- [Power/HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery)
- [Power/HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin)
@ -177,7 +172,7 @@ Each release of Windows client can introduce new policies to make the experience
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface.
As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
> [!IMPORTANT]
> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
@ -192,11 +187,11 @@ As administrators, you have set up and expect certain behaviors, so we expressly
The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature
deferral) so that the feature update can complete and monthly security updates are offered again. Even if there's an urgent quality update that must be quickly deployed, it's best to use **Pause Feature
Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update.
- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days.
- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
There are additional policies are no longer supported or have been superseded.
There are also additional policies are no longer supported or have been superseded.

27
windows/deployment/update/waas-branchcache.md
View File

@ -2,31 +2,28 @@
title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Configure BranchCache for Windows client updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
>[!TIP]
>Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
> [!TIP]
> Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
@ -36,7 +33,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
## Configure servers for BranchCache
@ -44,8 +41,8 @@ You can use WSUS and Configuration Manager with BranchCache in Distributed Cache
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).
In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
In addition to these steps, there's one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
>[!NOTE]
>Configuration Manager only supports Distributed Cache mode.
> [!NOTE]
> Configuration Manager only supports Distributed Cache mode.

33
windows/deployment/update/waas-integrate-wufb.md
View File

@ -2,23 +2,20 @@
title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Integrate Windows Update for Business with management solutions
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
@ -28,8 +25,8 @@ You can integrate Windows Update for Business deployments with existing manageme
For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
- Devices receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows won't follow your Windows Update for Business deferral policies
### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
@ -37,9 +34,9 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
- Device is configured to defer Windows quality updates using Windows Update for Business
- Device is also configured to be managed by WSUS
- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Device isn't configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Admin has opted to put updates to Office and other products on WSUS
- Admin has also put 3rd party drivers on WSUS
- Admin has also put third-party drivers on WSUS
|Content|Metadata source|Payload source|Deferred?|
|--- |--- |--- |--- |
@ -70,12 +67,12 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
**Configuration:**
- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS
- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Device is configured to **receive updates for other Microsoft products** along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS weren't enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies aren't applied.
|Content|Metadata source|Payload source|Deferred?|
|--- |--- |--- |--- |
@ -90,9 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo
## Integrate Windows Update for Business with Microsoft Configuration Manager
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices are visible in the Configuration Manager console, however they appear with a detection state of **Unknown**.
:::image type="content" alt-text="Example of unknown devices." source="images/wufb-sccm.png" lightbox="images/wufb-sccm.png":::
For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
For more information, see [Integration with Windows Update for Business in Windows 10](/mem/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10).

123
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -1,33 +1,31 @@
---
title: Deploy Windows client updates using Windows Server Update Services
title: Deploy updates using Windows Server Update Services
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 12/31/2017
---
# Deploy Windows client updates using Windows Server Update Services (WSUS)
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when theyre delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but doesn't provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If youre currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
@ -46,7 +44,7 @@ To be able to use WSUS to manage and deploy Windows feature updates, you must us
## WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720448(v=ws.10)).
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services).
@ -68,19 +66,19 @@ When using WSUS to manage updates on Windows client devices, start by configurin
>[!NOTE]
>In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
4. In the **New GPO** dialog box, name the new GPO **WSUS Auto Updates and Intranet Update Service Location**.
4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**.
5. Right-click the **WSUS Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
5. Right-click the **WSUS - Auto Updates and Intranet Update Service Location** GPO, and then select **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
7. Right-click the **Configure Automatic Updates** setting, and then select **Edit**.
![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png)
8. In the **Configure Automatic Updates** dialog box, select **Enable**.
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then select **OK**.
![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png)
@ -88,7 +86,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
@ -117,13 +115,13 @@ You can use computer groups to target a subset of devices that have specific qua
1. Open the WSUS Administration Console.
2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**.
![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png)
3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
3. Type **Ring 2 Pilot Business Users** for the name, and then select **Add**.
4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When youre finished, there should be three deployment ring groups.
4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you're finished, there should be three deployment ring groups.
Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
@ -143,15 +141,15 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you'll likely have many computers here.
2. Select both computers, right-click the selection, and then click **Change Membership**.
2. Select both computers, right-click the selection, and then select **Change Membership**.
![Select Change Membership in the UI.](images/waas-wsus-fig8.png)
3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then select **OK**.
Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you'll see both computers there.
### Search for multiple computers to add to groups
@ -159,15 +157,15 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
**To search for multiple computers**
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then select **Search**.
2. In the search box, type **WIN10**.
3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
3. In the search results, select the computers, right-click the selection, and then select **Change Membership**.
![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png)
4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
4. Select the **Ring 3 Broad IT** deployment ring, and then select **OK**.
You can now see these computers in the **Ring 3 Broad IT** computer group.
@ -180,11 +178,11 @@ The WSUS Administration Console provides a friendly interface from which you can
**To configure WSUS to allow client-side targeting from Group Policy**
1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then select **Computers**.
![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png)
2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then select **OK**.
>[!NOTE]
>This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
@ -194,23 +192,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
**To configure client-side targeting**
>[!TIP]
>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you dont add computers to the incorrect rings.
>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don't add computers to the incorrect rings.
1. Open Group Policy Management Console (gpmc.msc).
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
3. Right-click *Your_Domain*, and then select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **WSUS Client Targeting Ring 4 Broad Business Users** for the name of the new GPO.
4. In the **New GPO** dialog box, type **WSUS - Client Targeting - Ring 4 Broad Business Users** for the name of the new GPO.
5. Right-click the **WSUS Client Targeting Ring 4 Broad Business Users** GPO, and then click **Edit**.
5. Right-click the **WSUS - Client Targeting - Ring 4 Broad Business Users** GPO, and then select **Edit**.
![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png)
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click **Enable client-side targeting**, and then click **Edit**.
7. Right-click **Enable client-side targeting**, and then select **Edit**.
8. In the **Enable client-side targeting** dialog box, select **Enable**.
@ -223,23 +221,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
10. Close the Group Policy Management Editor.
Now youre ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
**To scope the GPO to a group**
1. In GPMC, select the **WSUS Client Targeting Ring 4 Broad Business Users** policy.
1. In GPMC, select the **WSUS - Client Targeting - Ring 4 Broad Business Users** policy.
2. Click the **Scope** tab.
2. Select the **Scope** tab.
3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png)
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring.
## Automatically approve and deploy feature updates
For clients that should have their feature updates approved as soon as theyre available, you can configure Automatic Approval rules in WSUS.
For clients that should have their feature updates approved as soon as they're available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
@ -250,32 +248,32 @@ This example uses Windows 10, but the process is the same for Windows 11.
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
2. On the **Update Rules** tab, click **New Rule**.
2. On the **Update Rules** tab, select **New Rule**.
3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png)
4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then select **OK**.
5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
5. In the **Edit the properties area**, select the **any product** link. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
6. In the **Edit the properties** area, select the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then select **OK**.
7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then select **OK**.
![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png)
9. In the **Automatic Approvals** dialog box, click **OK**.
9. In the **Automatic Approvals** dialog box, select **OK**.
>[!NOTE]
>WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if youre using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
>WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you're using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
Now, whenever Windows client feature updates are published to WSUS, they'll automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
> [!WARNING]
> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
@ -291,17 +289,17 @@ To simplify the manual approval process, start by creating a software update vie
**To approve and deploy feature updates manually**
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, select **New Update View**.
2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
3. Under **Step 2: Edit the properties**, select **any classification**. Clear all check boxes except **Upgrades**, and then select **OK**.
4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
4. Under **Step 2: Edit the properties**, select **any product**. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then select **OK**.
![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png)
@ -309,7 +307,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
2. Right-click the feature update you want to deploy, and then click **Approve**.
2. Right-click the feature update you want to deploy, and then select **Approve**.
![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png)
@ -317,30 +315,17 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png)
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**.
![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png)
5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
5. If the **Microsoft Software License Terms** dialog box opens, select **Accept**.
If the deployment is successful, you should receive a successful progress report.
![A sample successful deployment.](images/waas-wsus-fig20.png)
6. In the **Approval Progress** dialog box, click **Close**.
</br>
## Steps to manage updates for Windows client
|&nbsp; |&nbsp; |
| --- | --- |
| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows client updates using Windows Server Update Services (this topic)</br>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
6. In the **Approval Progress** dialog box, select **Close**.

27
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -3,25 +3,21 @@ title: Windows Update for Business
manager: aaroncz
description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: overview
author: mestew
ms.author: mstewart
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# What is Windows Update for Business?
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
@ -37,7 +33,7 @@ Specifically, Windows Update for Business lets you control update offerings and
Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
### Manage deployment of Windows Updates
@ -62,10 +58,11 @@ You can control when updates are applied, for example by deferring when an updat
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
#### Enroll in pre-release updates
#### Enroll in prerelease updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Preview
@ -81,7 +78,7 @@ A Windows Update for Business administrator can defer the installation of both f
|---------|---------|
|Feature updates | 365 days |
|Quality updates | 30 days |
|Non-deferrable | none |
|Nondeferrable | none |
<!--Example: Using deferrals to deploy in waves
[Insert graphic with the deferrals set to different values showing a feature update rollout)-->
@ -107,7 +104,7 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
Windows Update for Business provides controls to help meet your organizations security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings

41
windows/deployment/update/waas-overview.md
View File

@ -2,39 +2,36 @@
title: Overview of Windows as a service
description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: overview
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: overview
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Overview of Windows as a service
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows as a service is a way to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
## Building
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesnt work in todays rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn't work in today's rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges.
In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features are delivered to the [Windows Insider community](/windows-insider/business/register) as soon as possible, during the development cycle, through a process called *flighting*. Organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
Of course, Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
## Deploying
@ -43,13 +40,13 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi
### Application compatibility
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds.
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing regularly to validate compatibility with new builds.
## Servicing
Traditional Windows servicing has included several release types: major revisions (for example, the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10 and Windows 11, there are two release types: feature updates that add new functionality and quality updates that provide security and reliability fixes.
Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that leverages servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that uses servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
For information about each servicing tool, see [Servicing tools](#servicing-tools).
@ -58,7 +55,7 @@ There are three servicing channels, each of which provides different levels of f
There are currently three release channels for Windows clients:
- The **General Availability Channel** receives feature updates as soon as they are available.
- The **General Availability Channel** receives feature updates as soon as they're available.
- The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- The **Windows Insider Program** provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update.
@ -75,9 +72,9 @@ New features are packaged into feature updates that you can deploy using existin
### Quality updates
Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didnt, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn't, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous months update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month's update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
## Servicing channels
@ -88,9 +85,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
### General Availability Channel
In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you'll be able to choose the timing at which it goes into broad deployment.
When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel is available but not necessarily immediately mandatory, depending on the policy of the management system. For more information about servicing tools, see [Servicing tools](#servicing-tools).
> [!NOTE]
@ -102,7 +99,7 @@ When Microsoft officially releases a feature update, we make it available to any
### Long-term Servicing Channel
Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and dont need feature updates as frequently as other devices in the organization. Its more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don't need feature updates as frequently as other devices in the organization. It's more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
> [!NOTE]
>
@ -113,12 +110,12 @@ Microsoft never publishes feature updates through Windows Update on devices that
> [!NOTE]
> LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesnt include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in the Enterprise LTSC editions, even if you install by using sideloading.
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
### Windows Insider
For many IT pros, gaining visibility into feature updates early--before theyre available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
For many IT pros, gaining visibility into feature updates early can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/business/register).

27
windows/deployment/update/waas-quick-start.md
View File

@ -2,38 +2,35 @@
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: high
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Quick guide to Windows as a service
**Applies to**
- Windows 10
- Windows 11
Here is a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
Here's a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Quality updates** deliver both security and nonsecurity fixes. They're typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they're important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **General Availability Channel** receives feature updates annually.
- The **Long-Term Servicing Channel**, which is meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
For more information, see [Overview of Windows as a service](waas-overview.md).
For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
@ -41,15 +38,15 @@ For some interesting in-depth information about how cumulative updates work, see
With each release in the General Availability Channel, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion.
Windows 10 Enterprise LTSC are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
Windows Enterprise LTSC versions are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
For more information, see [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md).
## Staying up to date
To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
Extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
Extensive advanced testing isn't required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.

79
windows/deployment/update/waas-restart.md
View File

@ -1,36 +1,33 @@
---
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Manage device restarts after updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
## Schedule update installation
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
@ -40,25 +37,25 @@ For a detailed description of these registry keys, see [Registry keys used to ma
## Delay automatic reboot
When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
> [!NOTE]
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Configure active hours
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
Administrators can use multiple ways to set active hours for managed devices:
@ -78,7 +75,7 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client
### Configuring active hours through Registry
This method is not recommended, and should only be used when you can't use Group Policy or MDM.
This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
Configure active hours by setting a combination of the following registry values:
@ -102,7 +99,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
## Control restart notifications
@ -120,15 +117,15 @@ Starting in Windows 11, version 22H2, **Apply only during active hours** was add
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
### Auto-restart notifications
### Auto restart notifications
Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
@ -141,20 +138,20 @@ To do so through Group Policy, go to **Computer Configuration\Administrative Tem
To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
### Scheduled auto-restart warnings
### Scheduled auto restart warnings
Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
### Engaged restart
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
* Period of time before auto-restart transitions to engaged restart.
* Period of time before auto restart transitions to engaged restart.
* The number of days that users can snooze engaged restart reminder notifications.
* The number of days before a pending restart automatically executes outside of working hours.
@ -164,17 +161,17 @@ In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-manage
## Group Policy settings for restart
In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
| Turn off auto-restart for updates during active hours | ![yes.](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | ![yes.](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | ![yes.](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | ![yes.](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| Re-prompt for restart with scheduled installations | ![no.](images/crossmark.png) | |
| Delay Restart for scheduled installations | ![no.](images/crossmark.png) | |
| Reschedule Automatic Updates scheduled installations | ![no.](images/crossmark.png) | |
| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| Re-prompt for restart with scheduled installations | No | |
| Delay Restart for scheduled installations | No | |
| Reschedule Automatic Updates scheduled installations | No | |
>[!NOTE]
@ -190,8 +187,8 @@ The following tables list registry values that correspond to the Group Policy se
| Registry key | Key type | Value |
| --- | --- | --- |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
@ -201,8 +198,8 @@ The following tables list registry values that correspond to the Group Policy se
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at a scheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates</br>3: automatically download and notify for installation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on</br>1: do not reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on</br>1: don't reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
There are three different registry combinations for controlling restart behavior:
@ -210,7 +207,7 @@ There are three different registry combinations for controlling restart behavior
- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
## Related articles
## More resources
- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)

34
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -1,24 +1,20 @@
---
title: Assign devices to servicing channels for Windows client updates
title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Assign devices to servicing channels for Windows 10 updates
**Applies to**
- Windows 10
- Windows 11
# Assign devices to servicing channels for Windows updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -29,12 +25,12 @@ The General Availability Channel is the default servicing channel for all Window
| Edition | General Availability Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- |
| Home | ![no.](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Pro | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Enterprise | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Enterprise LTSC | ![no.](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
| Pro Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Home | No | No | Yes |
| Pro | Yes | No | Yes |
| Enterprise | Yes | No | Yes |
| Enterprise LTSC | No | Yes | No |
| Pro Education | Yes | No | Yes |
| Education | Yes | No | Yes |
>[!NOTE]
@ -46,7 +42,7 @@ The General Availability Channel is the default servicing channel for all Window
## Enroll devices in the Windows Insider Program
To get started with the Windows Insider Program for Business, follows these steps:
To get started with the Windows Insider Program for Business, follow these steps:
1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.

32
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -2,40 +2,36 @@
title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Prepare a servicing strategy for Windows client updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Heres an example of what this process might look like:
Here's an example of what this process might look like:
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before theyre available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that youre looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- **Choose a servicing tool.** Decide which product youll use to manage the Windows updates in your environment. If youre currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product youll use, consider how youll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview).
Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test devices step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but its still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the “Recruit volunteers” step of the previous section. Be sure to communicate clearly that youre looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you dont prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.