deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into commdeadline-9091858

Browse Source
This commit is contained in:
Meghan Stewart
2025-03-03 09:14:38 -08:00
parent cf3495bb8c 670803d472
commit 8089c54727
1275 changed files with 25122 additions and 8161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
windows/deployment/update/catalog-checkpoint-cumulative-updates.md Normal file
View File

@ -0,0 +1,93 @@
---
title: Checkpoint cumulative updates and the Microsoft Update Catalog
description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: article
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 24H2 and later</a>
-<a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2025 and later</a>
ms.date: 01/31/2025
---
# Checkpoint cumulative updates and Microsoft Update Catalog usage
<!--9693727-->
Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
## Checkpoint cumulative updates
Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
### Applicability
A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
### Update Windows installation media
This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
## Updating from the Microsoft Update Catalog
When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
### Finding prior checkpoint cumulative updates
For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
> <b>Install each MSU file individually, in order</b> <p>Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order: <ul><li> windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu </li> <li>windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu </li></ul>
Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
### Updating through checkpoint cumulative updates
**Device has the latest checkpoint cumulative update and doesn't need customization:**
Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
Examples of eligible devices:
| Device is on | Needs to install|
|---|---|
|<ul><li>The checkpoint cumulative update, 2024-09 (KB5043080)</li></ul>|<ul><li>A subsequent monthly security update like 2024-11 (KB5046617), or</li> <li>A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
|<ul><li>A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or</li> <li> A subsequent monthly security update like 2024-10 (KB5044284)</li></ul>|<ul><li>A subsequent monthly security update like 2025-01 (KB5050009), or</li> <li> A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
**Device needs FoD or language pack customization:**
Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
1. Mount the install.wim file.
1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
1. Run `/Cleanup-Image /StartComponentCleanup`.
1. Unmount.
1. Run `DISM /export-image` to optimize the image size, if that's important to you.
**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)

2
windows/deployment/update/check-release-health.md
View File

@ -3,7 +3,7 @@ title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
ms.author: mstewart
author: mestew
manager: aaroncz

2
windows/deployment/update/create-deployment-plan.md
View File

@ -3,7 +3,7 @@ title: Create a deployment plan
description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: install-set-up-deploy
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/eval-infra-tools.md
View File

@ -3,7 +3,7 @@ title: Evaluate infrastructure and tools
description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -3,7 +3,7 @@ title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/how-windows-update-works.md
View File

@ -3,7 +3,7 @@ title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

BIN
windows/deployment/update/images/waas-active-hours.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 52 KiB

17
windows/deployment/update/includes/checkpoint-cumulative-updates.md Normal file
View File

@ -0,0 +1,17 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
ms.date: 01/31/2025
ms.localizationpriority: medium
---
<!-- This file is used multiple times in release-cycle.md. Headings are driven by article context. 9693727-->
Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.

401
windows/deployment/update/media-dynamic-update.md
View File

@ -3,7 +3,7 @@ title: Update Windows installation media with Dynamic Update
description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
@ -13,7 +13,7 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server</a>
ms.date: 07/10/2024
ms.date: 1/31/2024
---
# Update Windows installation media with Dynamic Update
@ -40,8 +40,49 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results.
### Windows 11, version 22H2 and later Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
### Windows Server 2025 Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.
| Update packages |Title |
|-----------------------------------|--------------------------------------------------------------------------------------|
|Safe OS Dynamic Update | YYYY-MM Safe OS Dynamic Update for Microsoft server operating system version 24H2 |
|Setup Dynamic Update | YYYY-MM Setup Dynamic Update for Microsoft server operating system version 24H2 |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system version 24H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 24H2 |
### Windows Server, version 23H2 Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Azure Stack HCI, version 23H2 has a similar format.
| Update packages |Title |
|-----------------------------------|--------------------------------------------------------------------------------------|
|Safe OS Dynamic Update | YYYY-MM Safe OS Dynamic Update for Microsoft server operating system version 23H2 |
|Setup Dynamic Update | YYYY-MM Setup Dynamic Update for Microsoft server operating system version 23H2 |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system version 23H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2 |
### Azure Stack HCI, version 22H2 Dynamic Update packages
**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
|Safe OS Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 22H2 |Windows Safe OS Dynamic Update | ComponentUpdate |
|Setup Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 22H2 |Windows 10 and later Dynamic Update | SetupUpdate |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 22H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2 | | |
### Windows Server 2022 later Dynamic Update packages
**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
|Safe OS Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 21H2 |Windows Safe OS Dynamic Update | ComponentUpdate |
|Setup Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 21H2 |Windows 10 and later Dynamic Update | SetupUpdate |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2 | | |
### Windows 11, version 22H2, and later Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. The following titles are for Windows 11, version 22H2. Windows 11, version 23H2, and version 24H2 have a similar format:
| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
@ -50,9 +91,8 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Latest cumulative update | YYYY-MM Cumulative Update for Windows 11 Version 22H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |
### Windows 11, version 21H2 Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@ -62,7 +102,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | |
### Windows 10, version 22H2 Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@ -84,30 +124,30 @@ Properly updating the installation media involves many actions operating on seve
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
|-----------------------------------|-------------------|--------------------------------|------------------|-----------|
|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
|Add language pack | 2 | 10 | 18 | |
|Add localized optional packages | 3 | | 19 | |
|Add font support | 4 | | 20 | |
|Add text-to-speech | 5 | | 21 | |
|Update Lang.ini | | | 22 | |
|Add Features on Demand | | 11 | | |
|Add Safe OS Dynamic Update | 6 | | | |
|Add Setup Dynamic Update | | | | 26 |
|Add setup.exe from WinPE | | | | 27 |
|Add boot manager from WinPE | | | | 28 |
|Add latest cumulative update | | 12 | 23 | |
|Clean up the image | 7 | 13 | 24 | |
|Add Optional Components | | 14 | | |
|Add .NET and .NET cumulative updates | | 15 | | |
|Export image | 8 | 16 | 25 | |
|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
|--------------------------------------------------------|-------------------|--------------------------------|------------------|-----------|
|Add servicing stack update via latest cumulative update | 1 | 9 | 17 | |
|Add language pack | 2 | 10 | 18 | |
|Add localized optional packages | 3 | | 19 | |
|Add font support | 4 | | 20 | |
|Add text-to-speech | 5 | | 21 | |
|Update Lang.ini | | | 22 | |
|Add Features on Demand | | 11 | | |
|Add Optional Components | | 12 | | |
|Add Safe OS Dynamic Update | 6 | | | |
|Add Setup Dynamic Update | | | | 26 |
|Add Setup.exe and setuphost.exe from WinPE | | | | 27 |
|Add boot manager from WinPE | | | | 28 |
|Add latest cumulative update | | 13 | 23 | |
|Clean up the image | 7 | 14 | 24 | |
|Add .NET and .NET cumulative updates | | 15 | | |
|Export image | 8 | 16 | 25 | |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> Starting in February 2021, the latest cumulative update and servicing stack update is combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
> Microsoft removes the Flash component from Windows through [KB4577586: Update for Removal of Adobe Flash Player](https://support.microsoft.com/kb/4577586). You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
@ -117,13 +157,13 @@ The main operating system file (install.wim) might contain multiple editions of
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
Optional Components, along with the .NET feature, can be installed offline. However, doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
### Checkpoint cumulative updates
Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23.
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@ -138,7 +178,8 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These aren't required, but added to highlight when in the sequence they should be added. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO is superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you're using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
```powershell
#Requires -RunAsAdministrator
@ -147,40 +188,38 @@ function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
Write-Output "$(Get-TS): Starting media refresh"
# Declare language for showcasing adding optional localized components
$LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare media for FOD and LPs
# Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
# Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
# If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
# Declare Dynamic Update packages. A dedicated folder is used for the latest cumulative update, and as needed
# checkpoint cumulative updates.
$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu"
$SSU_PATH = "C:\mediaRefresh\packages\Other\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Other\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\Other\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\Other\DotNet_CU.msu"
# Declare folders for mounted images and temp files
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$WORKING_PATH = "C:\mediaRefresh\temp"
$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
# Declare media for FOD and LPs
$FOD_ISO_PATH = "C:\mediaRefresh\packages\CLIENT_LOF_PACKAGES_OEM.iso"
# Array of Features On Demand for main OS
# This is optional to showcase where these are added
$FOD = @(
'XPS.Viewer~~~~0.0.1.0'
)
# Array of Legacy Features for main OS
# This is optional to showcase where these are added
$OC = @(
'MediaPlayback'
'WindowsMediaPlayer'
)
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
# Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
# moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
# Declare language for showcasing adding optional localized components
$LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare language related cabs
$WINPE_OC_PATH = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
@ -191,6 +230,14 @@ $WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
# Declare folders for mounted images and temp files
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia\Ge\client_professional_en-us"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$WORKING_PATH = "C:\mediaRefresh\temp"
$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
@ -201,15 +248,16 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE and each main OS Windows edition
The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
@ -222,13 +270,15 @@ This process is repeated for each edition of Windows within the main operating s
# Get the list of images contained within the main OS
$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
Foreach ($IMAGE in $WINOS_IMAGES) {
Foreach ($IMAGE in $WINOS_IMAGES)
{
# first mount the main OS image
Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
if ($IMAGE.ImageIndex -eq "1") {
if ($IMAGE.ImageIndex -eq "1")
{
#
# update Windows Recovery Environment (WinRE) within this OS image
@ -238,29 +288,9 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 1 from the table)
# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
# combined cumulative update can be installed.
# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
# Now, attempt the combined cumulative update.
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
# packages installed.
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
try
{
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
@ -268,38 +298,36 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
$theError = $_
Write-Output "$(Get-TS): $theError"
if ($theError.Exception -like "*0x8007007e*") {
Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
if ($theError.Exception -like "*0x8007007e*")
{
Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
else {
else
{
throw
}
}
# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
#
# Optional: Add the language to recovery environment
#
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
{
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
{
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
if ($INDEX -ge 0) {
if ($INDEX -ge 0)
{
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
{
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
@ -309,15 +337,17 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
}
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
{
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@ -333,6 +363,10 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
if ($LastExitCode -ne 0)
{
throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode"
}
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
@ -349,35 +383,15 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# update Main OS
#
# Add servicing stack update (Step 18 from the table)
# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
# and installed first before the combined cumulative update can be installed.
# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
# Add servicing stack update (Step 17 from the table). Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH to main OS, index $($IMAGE.ImageIndex)"
# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
# Optional: Add language to main OS
# Optional: Add language to main OS and corresponding language experience Features on Demand
Write-Output "$(Get-TS): Adding package $OS_LP_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
# Optional: Add a Features on Demand to the image
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@ -396,22 +410,47 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Write-Output "$(Get-TS): Adding language FOD: Language.Speech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Note: If I wanted to enable additional Features on Demand, I'd add these here.
# Optional: Add additional Features On Demand
For ( $index = 0; $index -lt $FOD.count; $index++)#
{
Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
}
# Optional: Add Legacy Features
For ( $index = 0; $index -lt $OC.count; $index++)
{
Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)"
DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null
if ($LastExitCode -ne 0)
{
throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
}
}
# Add latest cumulative update
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
# Perform image cleanup. Some Optional Components might require the image to be booted, and thus
# image cleanup may fail. We'll catch and handle as a warning.
Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
if ($LastExitCode -ne 0)
{
if ($LastExitCode -eq -2146498554)
{
# We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning
# This is likely due to legacy components being added that require online operations.
Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation."
}
else
{
throw "Error: Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
}
}
#
# Note: If I wanted to enable additional Optional Components, I'd add these here.
# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
# Finally, we'll add .NET 3.5 and the .NET cumulative update
Write-Output "$(Get-TS): Adding NetFX3~~~~ to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@ -425,7 +464,6 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Export
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
}
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
@ -434,7 +472,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@ -444,31 +482,14 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES) {
Foreach ($IMAGE in $WINPE_IMAGES)
{
# update WinPE
Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 9 from the table)
# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
# combined cumulative update can be installed.
# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
# Now, attempt the combined cumulative update.
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
# This error should be caught and ignored, as the last step will be to apply the cumulative update
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
try
{
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)"
@ -478,38 +499,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
{
$theError = $_
Write-Output "$(Get-TS): $theError"
if ($theError.Exception -like "*0x8007007e*") {
Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
if ($theError.Exception -like "*0x8007007e*")
{
Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
else {
else
{
throw
}
}
# The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
# Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
{
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
{
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
if ($INDEX -ge 0) {
if ($INDEX -ge 0)
{
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
{
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
@ -518,15 +535,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
{
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@ -536,9 +555,14 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
{
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
if ($LastExitCode -ne 0)
{
throw "Error: Failed to update lang.ini. Exit code: $LastExitCode"
}
}
# Add latest cumulative update
@ -548,28 +572,31 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
if ($LastExitCode -ne 0)
{
throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
}
if ($IMAGE.ImageIndex -eq "2") {
if ($IMAGE.ImageIndex -eq "2")
{
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
# This is only required starting with Windows 11 version 24H2
$TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex
if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") {
if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
{
Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
else {
else
{
Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)"
}
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
}
# Dismount
@ -578,15 +605,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
#Export WinPE
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
### Update remaining media files
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE.
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe, and boot manager files using the previously saved versions from WinPE.
```powershell
#
@ -596,14 +623,18 @@ This part of the script updates the Setup files. It simply copies the individual
# Add Setup DU by copy the files from the package into the newMedia
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
if ($LastExitCode -ne 0)
{
throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode"
}
# Copy setup.exe from boot.wim, saved earlier.
Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe"
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy setuphost.exe from boot.wim, saved earlier.
if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe"
Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
@ -611,16 +642,15 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
Foreach ($File in $MEDIA_NEW_FILES){
Foreach ($File in $MEDIA_NEW_FILES)
{
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
@ -645,4 +675,5 @@ Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
```

14
windows/deployment/update/optional-content.md
View File

@ -3,7 +3,7 @@ title: Migrating and acquiring optional Windows content
description: How to keep language resources and Features on Demand during operating system updates for your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126).
### Option 2: Use WSUS with UUP Integration
@ -115,7 +115,7 @@ You can customize the Windows image in these ways:
- Adding or removing languages
- Adding or removing Features on Demand
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 5: Install language features during deployment
@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin
- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
## Sample scripts

2
windows/deployment/update/plan-define-readiness.md
View File

@ -3,7 +3,7 @@ title: Define readiness criteria
description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/plan-define-strategy.md
View File

@ -3,7 +3,7 @@ title: Define update strategy
description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

18
windows/deployment/update/release-cycle.md
View File

@ -1,9 +1,9 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle forupdates so Windows clients in your organization stay productive and protected.
description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/04/2024
ms.date: 01/31/2025
---
# Update release cycle for Windows clients
@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
<!--Using include for checkpoint cumulative updates-->
[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
To access the optional nonsecurity preview release:
- Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
<!--Using include for checkpoint cumulative updates-->
[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
@ -83,6 +90,9 @@ Some key considerations about OOB releases include:
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
<!--Using include for checkpoint cumulative updates-->
[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Continuous innovation for Windows 11

2
windows/deployment/update/safeguard-holds.md
View File

@ -3,7 +3,7 @@ title: Safeguard holds for Windows
description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/safeguard-opt-out.md
View File

@ -3,7 +3,7 @@ title: Opt out of safeguard holds
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

45
windows/deployment/update/servicing-stack-updates.md
View File

@ -3,7 +3,7 @@ title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
@ -15,48 +15,31 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server </a>
ms.date: 12/08/2023
ms.date: 1/22/2025
---
# Servicing stack updates
## What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. [CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as:
## Why should servicing stack updates be installed and kept up to date?
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't have the latest servicing stack update installed, there's a risk that your device can't be updated with the latest Microsoft security fixes.
- Deployment Image Servicing and Management (DISM)
- System File Checker (SFC)
- Changing Windows features or roles
- Component repair
## When are they released?
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions, a servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly security update. New servicing stack updates are classified as `Security` with a severity rating of `Critical`.
[CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
## What's the difference between a servicing stack update and a cumulative update?
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. A servicing stack update improves the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates.
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Microsoft publishes all cumulative updates and servicing stack updates for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in Windows Server Update Services (WSUS).
## Is there any special guidance?
Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
Most users don't need to install an isolated servicing stack update. In the rare case that you need to install an isolated servicing stack update, Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update doesn't require restarting the device, so installation shouldn't be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it can't be removed or uninstalled from the machine.
## Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both WSUS and the Microsoft Update Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382), released in February of 2021.
Starting in February 2021, the cumulative update includes the latest servicing stack updates, providing a single combined cumulative update payload for Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. This combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382). If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you only have to select and deploy the monthly cumulative update. The latest servicing stack updates are automatically applied correctly. Release notes and file information for cumulative updates, including notes and information related to the servicing stack, are in a single KB article.
## When are they released?
Changes in the servicing stack are developed and released as part of the monthly cumulative update depending on new issues or vulnerabilities. In rare occasions, a prerequisite servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly cumulative update. Out of band servicing stack updates are classified as Security with a severity rating of Critical.

2
windows/deployment/update/update-baseline.md
View File

@ -3,7 +3,7 @@ title: Windows 10 Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

20
windows/deployment/update/update-policies.md
View File

@ -3,12 +3,12 @@ title: Policies for update compliance and user experience
description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
@ -16,7 +16,7 @@ ms.date: 12/31/2017
# Policies for update compliance, activity, and user experience
Keeping devices up to date is the best way to keep them working smoothly and securely.
Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@ -94,7 +94,7 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following policies to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
@ -110,7 +110,7 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
- [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
> [!IMPORTANT]
> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
@ -119,7 +119,7 @@ this value to **10**.
>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict.
> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We
recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins.
> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
### Power policies
@ -166,7 +166,7 @@ The default timeout on devices that support traditional sleep is set to three ho
## Old or conflicting policies
Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
> [!IMPORTANT]
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
@ -174,7 +174,7 @@ Each release of Windows client can introduce new policies to make the experience
As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
> [!IMPORTANT]
> [!IMPORTANT]
> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
> - Windows updates: Group Policy settings take precedence over MDM.
> - Microsoft Intune: If you set different values for the same policy on two different groups, you will
@ -183,7 +183,7 @@ As administrators, you have set up and expect certain behaviors, so we expressly
> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar
> policy is set in Group Policy with a differing value.
> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be
> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices.
> time to clear all policies and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended policies.
The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
@ -194,4 +194,4 @@ Updates** rather than setting a deferral policy. You can choose a longer period
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
There are also additional policies are no longer supported or have been superseded.
There are also additional policies that are no longer supported or have been superseded.

2
windows/deployment/update/waas-branchcache.md
View File

@ -3,7 +3,7 @@ title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/waas-configure-wufb.md
View File

@ -6,7 +6,7 @@ ms.service: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: conceptual
ms.topic: article
ms.subservice: itpro-updates
ms.collection:
- tier1

2
windows/deployment/update/waas-integrate-wufb.md
View File

@ -3,7 +3,7 @@ title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: integration
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/waas-quick-start.md
View File

@ -3,7 +3,7 @@ title: Quick guide to Windows as a service
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

207
windows/deployment/update/waas-restart.md
View File

@ -1,6 +1,6 @@
---
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
description: Use group policy settings, mobile device management (MDM), or registry to configure when devices will restart after a Windows update is installed.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -14,38 +14,42 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/10/2023
ms.date: 10/25/2024
---
# Manage device restarts after updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2)
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
You can use group policy settings, mobile device management (MDM), or the Windows registry to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts shouldn't occur, or you can do both.
> [!NOTE]
> Directly editing the Windows registry isn't recommended.
## Schedule update installation
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
In group policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
To set the time, go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then use **Scheduled install time** to enter a time. Alternatively, you can specify that installation occurs during the automatic maintenance time. To configure this alternative method, use **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**.
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
The setting to **Always automatically restart at the scheduled time** forces a restart after the specified installation time. It lets you configure a timer to warn a signed-in user that a restart is going to occur.
While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
While not recommended, you can achieve the same result with the Windows registry. Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`, set `AuOptions` to `4` and set the install time with `ScheduledInstallTime`. Enable `AlwaysAutoRebootAtScheduledTime` and specify the delay in minutes through `AlwaysAutoRebootAtScheduledTimeMinutes`. Similar to group policy, `AlwaysAutoRebootAtScheduledTimeMinutes` sets the timer to warn a signed-in user that a restart is going to occur.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Delay automatic reboot
## Delay automatic restart
When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
When you enable **Configure Automatic Updates** in group policy, you can also enable one of the following policies to delay an automatic restart after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4 - Auto download and schedule the install**.
> [!NOTE]
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
> When using Remote Desktop Protocol (RDP) connections, only active RDP sessions are considered signed-in users. Devices that don't have locally signed-in users, or active RDP sessions, are restarted.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
You can also use the Windows registry, to prevent automatic restarts when a user is signed in. Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`, set `AuOptions` to `4` and enable `NoAutoRebootWithLoggedOnUsers`. As with group policy, if a user schedules the restart in the update notification, it overrides this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
@ -53,166 +57,177 @@ For a detailed description of these registry keys, see [Registry keys used to ma
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
By default, active hours are from 8 AM to 5 PM on PCs. Users can manually change the active hours.
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
You can also specify the max active hours range. The specified range is counted from the active hours start time.
Administrators can use multiple ways to set active hours for managed devices:
### Configure active hours with group policy
- You can use Group Policy, as described in the procedure that follows.
- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
To configure active hours using group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
### Configuring active hours with Group Policy
:::image type="content" source="images/waas-active-hours-policy.png" alt-text="A screenshot of the group policy setting to 'Turn off auto-restart for updates during active hours' set to Enabled and the default active hours specified." lightbox="images/waas-active-hours-policy.png":::
To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
### Configure active hours with MDM
![Use Group Policy to configure active hours.](images/waas-active-hours-policy.png)
To configure active hours, MDM uses the following settings in the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update):
### Configuring active hours with MDM
- [ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart)
- [ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend)
- [ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange)
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) to configure active hours.
### Configure active hours through the Windows registry
### Configuring active hours through Registry
This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
This method isn't recommended, and should only be used when you can't use group policy or MDM. Any settings configured through the registry might conflict with any existing configuration that uses any of the other methods.
Configure active hours by setting a combination of the following registry values:
Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart** and **ActiveHoursEnd** to specify the range of active hours.
Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate` use `SetActiveHours` to enable or disable active hours and `ActiveHoursStart` and `ActiveHoursEnd` to specify the range of active hours.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
>[!NOTE]
>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
>
>![Change active hours.](images/waas-active-hours.png)
> [!TIP]
> To manually configure active hours on a device, go to **Settings** > **Windows Update** > **Advanced options** and select **Active hours**.
### Configuring active hours max range
### Configure active hours maximum range
With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
You can specify the maximum active hours range that users can set. This option gives you flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updates to install. The maximum range is calculated from the active hours start time.
To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
To configure the maximum range for active hours through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the setting to **Specify active hours range for auto-restarts**.
To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange).
To configure the maximum range for active hours through MDM, use [ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange).
## Limit restart delays
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
After Windows installs an update, it attempts to automatically restart outside of active hours. If the restart doesn't succeed after a default period of seven days, the user sees a notification that a restart is required. To change the delay, use the setting to **Specify deadline before auto-restart for update installation**. The minimum value is two days and the maximum value is two weeks (14 days).
## Control restart notifications
### Display options for update notifications
Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
You can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed.
**0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br>
**2** - Turn off all notifications, including restart warnings </br>
To configure this behavior through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the policy for **Display options for update notifications**. Configure the following values:
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
- `0` (default): Use the default Windows Update notifications.
- `1`: Turn off most notifications but keep restart warnings.
- `2`: Turn off all notifications including restart warnings.
Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
To configure this behavior through MDM, use [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel).
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
Starting in Windows 11, version 22H2, **Apply only during active hours** was added as another option for **Display options for update notifications**. When you select **Apply only during active hours**, the notifications are only disabled during active hours when you use options `1` or `2`. To ensure that the device stays updated, a notification is still shown during active hours if you select **Apply only during active hours**, and once a deadline is reached when you configure [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md). <!--6286260-->
### Auto restart notifications
To configure this behavior through MDM, use [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel).
Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
### Automatic restart notifications
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
You can override the default behavior for the automatic restart required notification. By default, this notification dismisses automatically.
To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
- To configure this behavior through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the policy to **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
- To configure this behavior through MDM, use [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-csp-update#autorestartrequirednotificationdismissal).
To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
You can also configure the period before an update that this notification shows up. The default value is 15 minutes.
To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartNotificationSchedule).
- To change it through group policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
- To change it through MDM, use [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-csp-update#autorestartnotificationschedule).
In some cases, you don't need a notification to show up.
To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
- To do so through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the setting to **Turn off auto-restart notifications for update installations**.
To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
- To do so through MDM, use [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-csp-update#setautorestartnotificationdisable).
### Scheduled auto restart warnings
### Scheduled automatic restart warnings
Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
Since users aren't able to postpone a scheduled restart once the deadline is reached, you can configure a warning reminder before the scheduled restart. You can also configure a warning before the restart, to notify users once the restart is imminent and allow them to save their work.
To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
To configure both through group policy, find the setting to **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning before an imminent automatic restart can be configured by **Warning (mins)**.
In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
In MDM, to configure the warning reminder, use [ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#schedulerestartwarning). To configure the automatic restart imminent warning, use [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#scheduleimminentrestartwarning).
### Engaged restart
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the default seven day period ends, Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
* Period of time before auto restart transitions to engaged restart.
* The number of days that users can snooze engaged restart reminder notifications.
* The number of days before a pending restart automatically executes outside of working hours.
You can adjust the following settings for engaged restart:
In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
- Period of time before automatic restart transitions to engaged restart.
In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartDeadline) respectively.
- The number of days that users can snooze engaged restart reminder notifications.
## Group Policy settings for restart
- The number of days before a pending restart automatically executes outside of working hours.
In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
In group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and use the setting to **Specify engaged restart transition and notification schedule for updates**.
In MDM, use the following policies:
- [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#engagedrestarttransitionschedule)
- [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-csp-update#engagedrestartsnoozeschedule)
- [EngagedRestartDeadline](/windows/client-management/mdm/policy-csp-update#engagedrestartdeadline)
## Group policy settings for restart
In the group policy editor, the policy settings for restart behavior are in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't restart. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when you configure the policy to **Configure Automatic Updates** to schedule the installation. |
| Re-prompt for restart with scheduled installations | No | |
| Delay Restart for scheduled installations | No | |
| Reschedule Automatic Updates scheduled installations | No | |
>[!NOTE]
>You can only choose one path for restart behavior.
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
>When using RDP, only active RDP sessions are considered as logged on users.
> [!NOTE]
>
> - You can only choose one path for restart behavior.
> - If you set conflicting restart policies, the actual restart behavior may not be what you expected.
> - When using RDP, only active RDP sessions are considered as signed-in users.
## Registry keys used to manage restart
The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
The following tables list registry values that correspond to the group policy settings for controlling restarts after updates in Windows 10.
| Registry key | Key type | Value |
| --- | --- | --- |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
### `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate`
| Registry key | Key type | Value |
| --- | --- | --- |
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at a scheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates</br>3: automatically download and notify for installation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on</br>1: don't reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| `ActiveHoursEnd` | `REG_DWORD` | `0-23`: Set active hours to end at a specific hour. </br>It starts with 12 AM (`0`) and ends with 11 PM (`23`). |
| `ActiveHoursStart` | `REG_DWORD` | `0-23`: Set active hours to start at a specific hour. </br>It starts with 12 AM (`0`) and ends with 11 PM (`23`.) |
| `SetActiveHours` | `REG_DWORD` | `0`: Disable automatic restart after updates outside of active hours. </br>`1`: Enable automatic restart after updates outside of active hours. |
### `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`
| Registry key | Key type | Value |
| --- | --- | --- |
| `AlwaysAutoRebootAtScheduledTime` | `REG_DWORD` | `0`: Disable automatic restart after update installation at the scheduled time. </br>`1`: Enable automatic restart after update installation at a scheduled time. |
| `AlwaysAutoRebootAtScheduledTimeMinutes` | `REG_DWORD` | `15-180`: Set automatic restart to occur after the specified number of minutes. |
| `AUOptions` | `REG_DWORD` | `2`: Notify for download and notify for installation of updates. </br>`3`: Automatically download and notify for installation of updates. </br>`4`: Automatically download and schedule installation of updates. </br>`5`: Allow the local administrator to configure these settings. </br>**Note:** To configure restart behavior, set this value to `4`. |
| `NoAutoRebootWithLoggedOnUsers` | `REG_DWORD` | `0`: If users are signed in, automatically restart ("disable don't reboot"). </br>`1`: If a user is signed in, don't restart after an update installation. </br>**Note:** If disabled (`0`), Automatic Updates notifies the user that the computer is scheduled to automatically restart in five minutes to complete the installation. |
| `ScheduledInstallTime` | `REG_DWORD` | `0-23`: Schedule update installation time to a specific hour. </br>It starts with 12 AM (`0`) and ends with 11 PM (`23`). |
There are three different registry combinations for controlling restart behavior:
- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
- To set active hours:
- `SetActiveHours` should be `1`.
- Then to define the time range, use `ActiveHoursStart` and `ActiveHoursEnd`.
- To schedule a specific installation and restart time:
- `AUOptions` should be `4`.
- `ScheduledInstallTime` should specify the installation time.
- Set `AlwaysAutoRebootAtScheduledTime` to `1`.
- `AlwaysAutoRebootAtScheduledTimeMinutes` should specify the number of minutes to wait before restarting.
- To delay restarting if a user is signed in:
- `AUOptions` should be `4`.
- Set `NoAutoRebootWithLoggedOnUsers` to `1`.
## More resources
- [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
- [Walkthrough: use group policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Manage Windows software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)

2
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -3,7 +3,7 @@ title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -3,7 +3,7 @@ title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz

10
windows/deployment/update/waas-wu-settings.md
View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/03/2024
ms.date: 12/27/2024
---
# Manage additional Windows Update settings
@ -213,6 +213,12 @@ To do this, follow these steps:
* **7**: Notify for install and notify for restart. (Windows Server 2016 and later only)
* ScheduledInstallEveryWeek (REG_DWORD):
* **0**: Do not enforce a once-per-week scheduled installation
* **1**: Enforce automatic installations once a week on the specified day and time. (Requires ***ScheduledInstallDay*** and ***ScheduledInstallTime*** to be set.)
* ScheduledInstallDay (REG_DWORD):
* **0**: Every day.
@ -294,7 +300,7 @@ On new devices, Windows Update doesn't begin installing background updates until
In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
- **Registry key**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator`
- **DWORD value name**: ScanBeforeInitialLogonAllowed
- **Value data**: 1

2
windows/deployment/update/waas-wufb-csp-mdm.md
View File

@ -3,7 +3,7 @@ title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -4,7 +4,7 @@ description: Walk through of how to configure Windows Update for Business settin
ms.service: windows-client
ms.subservice: itpro-updates
manager: aaroncz
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.localizationpriority: medium
ms.author: mstewart

1
windows/deployment/update/windows-update-error-reference.md
View File

@ -257,6 +257,7 @@ The PnP enumerated device is removed from the System Spec because one of the har
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------|
| `0x80070020` | `InstallFileLocked`| Couldn't access the file because it is already in use. This can occur when the installer tries to replace a file that an antivirus, antimalware or backup program is currently scanning. |
| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found.

2
windows/deployment/update/windows-update-overview.md
View File

@ -3,7 +3,7 @@ title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: get-started
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/windows-update-security.md
View File

@ -4,7 +4,7 @@ manager: aaroncz
description: Overview of the security for Windows Update including security for the metadata exchange and content download.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
appliesto:

6
windows/deployment/update/wufb-compliancedeadlines.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
@ -37,7 +37,7 @@ With a current version, it's best to use the new policy introduced in June 2019
| Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
|-|-|-|-|-|-|
| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 3 | 2 | 3 |
When **Specify deadlines for automatic updates and restarts** is set:
@ -60,7 +60,7 @@ The grace period for both quality and feature updates starts its countdown from
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 7 | 2 |
|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 2 | 3 |
When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):

2
windows/deployment/update/wufb-reports-admin-center.md
View File

@ -5,7 +5,7 @@ manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
ms.localizationpriority: medium

2
windows/deployment/update/wufb-reports-configuration-intune.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/wufb-reports-configuration-script.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

12
windows/deployment/update/wufb-reports-do.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: This article provides information about Delivery Optimization data in Windows Update for Business reports.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
@ -42,12 +42,12 @@ Windows Update for Business reports uses the following Delivery Optimization ter
- HTTP Only (0)
- Simple Mode (99)
- Bypass (100), deprecated in Windows 11
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache) out of the total amount of data downloaded.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is the number of devices configured to use peering.
- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **Microsoft Connected Cache**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
@ -68,7 +68,7 @@ The calculated values used in the Delivery Optimization report are listed below.
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- % Connected Cache Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
**Bytes Calculations**:
@ -88,7 +88,7 @@ The calculated values used in the Delivery Optimization report are listed below.
- Volume by P2P = BytesFromPeers + BytesFromGroupPeers
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by MCC = BytesFromCache
- Volume by Connected Cache = BytesFromCache
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by CDN = BytesFrom CDN
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
@ -150,7 +150,7 @@ DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount
### Delivery Optimization Supported Content Types
There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/MCC support types.
There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/Connected Cache support types.
| Content Category | Content Types Included |
| --- | --- |

2
windows/deployment/update/wufb-reports-enable.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/wufb-reports-help.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: Windows Update for Business reports support, feedback, and troubleshooting information.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: troubleshooting-general
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz

2
windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
View File

@ -27,7 +27,7 @@ UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records acro
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache. |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |

4
windows/deployment/update/wufb-reports-schema-ucdostatus.md
View File

@ -1,7 +1,7 @@
---
title: UCDOStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and Microsoft Connected Cache bandwidth utilization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: reference
@ -27,7 +27,7 @@ UCDOStatus provides information, for a single device, on its bandwidth utilizati
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache. |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |

2
windows/deployment/update/wufb-reports-use.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz

9
windows/deployment/update/wufb-reports-workbook.md
View File

@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports workbook from the Azure portal.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
@ -159,7 +159,8 @@ Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates
The **Update status** group for driver updates contains the following items:
- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates.
- **Update states for all driver updates**: Chart containing the number of driver updates in a specific state, such as installing.
- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class.
- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates.
@ -180,8 +181,8 @@ The **Delivery Optimization** tab provides a summarized view of bandwidth effici
At the top of the report, tiles display the following information:
- Total bandwidth savings percentage
- The percentage of the saved bandwidth broken down by peer-to-peer and MCC
- Device counts showing percentages of bytes delivered between peer-to-peer and MCC
- The percentage of the saved bandwidth broken down by peer-to-peer and Microsoft Connected Cache
- Device counts showing percentages of bytes delivered between peer-to-peer and Connected Cache
- The breakdown of total downloaded GBs.
The Delivery Optimization tab is further divided into the following groups:

8
windows/deployment/update/wufb-wsus.md
View File

@ -3,7 +3,7 @@ title: Use Windows Update for Business and Windows Server Update Services (WSUS)
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
@ -23,7 +23,7 @@ The Windows update scan source policy enables you to choose what types of update
We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
> [!IMPORTANT]
> The policy **Do not allow update deferral policies to cause scans against Windows Update**, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it is replaced by the new Windows scan source policy and is not recommended for use. If you configure both on Windows 10, you will not get updates from Windows Update.
> The policy **Do not allow update deferral policies to cause scans against Windows Update**, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it's replaced by the new Windows scan source policy and isn't recommended for use. If you configure both on Windows 10, you won't get updates from Windows Update.
## About the scan source policy
@ -53,7 +53,7 @@ To help you better understand the scan source policy, see the default scan behav
> The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options.
> [!NOTE]
> If you have devices configured for WSUS and do not configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such.
> If you have devices configured for WSUS and don't configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such.
## Configure the scan sources
@ -68,7 +68,7 @@ The policy can be configured using the following two methods:
2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor&lt;Update Type>**:
> [!NOTE]
> - You should configure **all** of these policies if you are using CSPs.
> - You should configure **all** of these policies if you're using CSPs.
> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered.
> - If you're also using the **Specify settings for optional component installation and component repair** policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md) to verify your policy configuration.