The Complete Windows 10 Upgrade Guide for Businesses of Any Size

Whether you're in charge of a single Windows 10 PC or thousands, the challenges of managing updates are the same. Your goal is to install security updates quickly, handle feature updates smartly, and prevent productivity drops due to unexpected reboots.

Does your business have a comprehensive Windows 10 update plan? It is tempting to think of these downloads as occasional nuisances that need to be dealt with as soon as they appear. However, a reactive approach to updates is a recipe for frustration and reduced productivity.

Instead, you can create a management strategy to test and implement updates so that the process becomes as routine as sending out invoices or monthly bookkeeping.

This article provides all the information you need to understand how Microsoft pushes updates to devices running Windows 10, as well as details about the tools and techniques you can use to intelligently manage these updates on devices running Windows 10 Pro, Enterprise, or Education. (Windows 10 Home only supports very basic update management and is not suitable for use in a business environment.)

But before you jump into any of these tools, you'll need a plan.

What is written in your update rules?

The purpose of the update rules is to make the update process predictable and to define procedures for alerting users, so they can schedule their work accordingly and avoid unexpected downtime. The rules also include protocols for handling unexpected problems, including rollback from failed updates.

Reasonable update rules allocate a certain amount of time to work with updates every month. In a small organization, a dedicated window in the maintenance schedule for each PC can serve this purpose. In large organizations, one-size-fits-all solutions are unlikely to work, and the entire PC population will need to be divided into update groups (Microsoft calls them "rings"), each with its own update strategy.

The rules should describe several different types of updates. The most familiar type is the monthly cumulative security and reliability updates, which are released on the second Tuesday of every month ("Patch Tuesday"). This release usually includes the Windows Malicious Software Removal Tool and may include any of the following types of updates:

  • Security Updates for .NET Framework
  • Security updates for Adobe Flash Player
  • Servicing stack updates (which must be installed first).

You can delay the installation of any of these updates for up to 30 days.

Depending on the PC manufacturer, hardware drivers and firmware may also be distributed through the Windows Update channel. You can opt out of this, or you can manage them the same way you handle other updates.

Finally, feature updates are also distributed through Windows Update. These major packages update Windows 10 to the latest version and are released every six months for all editions of Windows 10 except the Long Term Servicing Channel (LTSC). You can delay the installation of feature updates using Windows Update for Business for up to 365 days; for Enterprise and Education editions, installation can be further delayed by up to 30 months.

With all this in mind, you can start compiling update rules, which should include the following elements for each of the serviced PCs:

  • Installing monthly updates. By default, Windows 10 monthly updates are downloaded and installed within 24 hours of their release on Patch Tuesday. You can delay downloading these updates for some or all PCs in your company so that you have time to test them for compatibility; this delay also allows you to avoid problems in the event that Microsoft discovers an update issue after release, as has happened so many times with Windows 10.
  • Installation period for semi-annual feature updates. By default, feature updates are downloaded and installed when Microsoft believes they are ready. On a device that Microsoft has deemed eligible for an update, feature updates may take a few days to arrive after release. On other devices, feature updates may take several months to appear, or they may be blocked altogether due to compatibility issues. You can set a delay for some or all of the PCs in your organization to give yourself time to review a new release. Starting with version 1903, users are offered feature updates, but download and installation start only when the users themselves initiate them.
  • When to allow the PC to restart to complete the installation of updates: Most updates require a restart to complete the installation. This restart occurs outside of the "active hours", which run from 8 a.m. to 5 p.m.; this setting can be changed as desired, extending the duration of the interval up to 18 hours. Management tools allow you to set a specific time for downloading and installing updates.
  • How to notify users when updates are available and a restart is pending: To avoid unpleasant surprises, Windows 10 notifies users when updates are available. The control over these notifications in Windows 10 Settings is limited. Many more settings are available in Group Policy.
  • How to handle out-of-band updates: Sometimes Microsoft releases critical security updates outside of the usual "Patch Tuesday" schedule. This is usually needed to fix security flaws that are maliciously exploited by third parties. Should you speed up the application of such updates or wait for the next window in the schedule?
  • What to do with failed updates: If an update fails to install correctly, or it causes problems, what will you do in this case?

Once you've identified these elements, it's time to choose the tools to handle updates.

Manual update management

In very small businesses, including single-employee shops, it's fairly easy to configure Windows updates manually. Go to Settings > Update & Security > Windows Update. There you can adjust two groups of settings.

First, select "Change active hours" and tweak the settings to suit your work habits. If you typically work in the evenings, you can avoid downtime by configuring these values from 6 p.m. to midnight, causing scheduled restarts to occur in the morning.

Then select "Advanced options" and, under "Choose when to install updates", set the values in accordance with your rules:

  • Choose how many days to delay the installation of feature updates. The maximum value is 365.
  • Choose how many days to delay the installation of quality updates, including cumulative security updates released on Patch Tuesdays. The maximum value is 30 days.

Other settings on this page control the display of restart notifications (enabled by default) and the permission to download updates over metered connections (disabled by default).

Prior to Windows 10 version 1903, there was also a channel selection setting: Semi-Annual Channel or Semi-Annual Channel (Targeted). It was removed in version 1903, and in older versions it just doesn't work.

Of course, the point of delaying updates is not to simply shirk the process and then surprise users a little later. If you, for example, delay the installation of quality updates by 15 days, you should use this time to test the updates for compatibility and schedule a maintenance window for a convenient time before this period ends.

Managing updates through Group Policies

All the manual settings mentioned above can also be applied through group policies, and the full list of policies related to Windows 10 updates contains many more settings than those available in the Settings app.

They can be applied to individual PCs using the local group policy editor Gpedit.msc, or using scripts. But most often they are used in a Windows domain with Active Directory, where you can manage combinations of policies on groups of PCs.

A significant number of policies are exclusive to Windows 10. The most important ones are related to Windows Update for Business, located in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.

  • Select when Preview Builds and Feature Updates are received: the channel and the delay for feature updates.
  • Select when Quality Updates are received: the delay for monthly cumulative updates and other security-related updates.
  • Manage preview builds: whether a user can enroll a machine in the Windows Insider program, and which Insider ring it uses.

An additional policy group is located in Computer Configuration > Administrative Templates > Windows Components > Windows Update, where you can:

  • Remove access to the pause updates feature, which will prevent users from interfering with installation by delaying it by 35 days.
  • Remove access to all update settings.
  • Allow automatic download of updates over metered connections.
  • Do not include driver updates with Windows updates.

The following settings are only available on Windows 10 and apply to restarts and notifications:

  • Disable automatic restart for updates during active hours.
  • Specify the active hours range for automatic restarts.
  • Specify the deadline for automatic restart in order to install updates (from 2 to 14 days).
  • Set up notifications to remind you about automatic restart: increase the time in which the user is warned about this (from 15 to 240 minutes).
  • Disable automatic restart notifications to install updates.
  • Configure the automatic restart notification so that it does not disappear automatically after 25 seconds.
  • Do not allow update deferral policies to initiate a Windows Update scan: This policy prevents the PC from checking for updates if a delay is assigned.
  • Allow users to manage restart times and snooze notifications.
  • Set up notifications about updates (the appearance of notifications, from 4 to 24 hours), and warnings about an imminent restart (from 15 to 60 minutes).
  • Update Power Policy for Cart Restarts (a setting for education devices that allows updating even when on battery power).
  • Display update notification settings: Allows you to disable update notifications.

The following policies are present in both Windows 10 and some older versions of Windows:

  • Configure Automatic Updates: This group of settings allows you to select a weekly, bi-weekly, or monthly update schedule, including the day of the week and time to automatically download and install updates.
  • Specify Intranet Microsoft Update Service Location: Set up a Windows Server Update Services (WSUS) server in the domain.
  • Allow client to join target group: Administrators can use Active Directory security groups to define WSUS deployment rings.
  • Do not connect to Windows Update locations on the Internet: Prevent PCs running a local update server from contacting external update servers.
  • Allow Windows Update Power Management to wake the system from sleep to install scheduled updates.
  • Always automatically restart the system at the scheduled time.
  • Do not restart automatically while users are logged on to the system.
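
The numeric limits quoted above (365 and 30 days of deferral, a restart deadline of 2 to 14 days, active hours of at most 18 hours) can be checked on a PC with a read-only script. This is an added example, not part of the original article; the registry value names it reads are assumptions that do not appear in the article (they are the names under which these policies are documented to be stored).

```powershell
# Added example: read-only audit of Windows Update policy values on this PC.
# Registry value names are assumptions (not from the article); limits are the article's.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue([string]$Name, [string]$Path = $wu) {
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-Range([string]$Setting, $Value, [int]$Min, [int]$Max) {
    # Classify one setting as not configured, inside, or outside the allowed range.
    if ($null -eq $Value) { $status = 'NotConfigured' }
    elseif ($Value -ge $Min -and $Value -le $Max) { $status = 'OK' }
    else { $status = "OutOfRange (allowed $Min-$Max)" }
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Status = $status }
}

# Active hours are stored as two hour values (0-23); the span may wrap past midnight.
$start = Get-PolicyValue 'ActiveHoursStart'
$end   = Get-PolicyValue 'ActiveHoursEnd'
$span  = $null
if ($null -ne $start -and $null -ne $end) { $span = ($end - $start + 24) % 24 }

# Update source: a WSUS server when the intranet location policy is enabled.
$source = 'Windows Update (Microsoft)'
if ((Get-PolicyValue 'UseWUServer' "$wu\AU") -eq 1) { $source = Get-PolicyValue 'WUServer' }

$results = @(
    Test-Range 'Feature update deferral (days)' (Get-PolicyValue 'DeferFeatureUpdatesPeriodInDays') 0 365
    Test-Range 'Quality update deferral (days)' (Get-PolicyValue 'DeferQualityUpdatesPeriodInDays') 0 30
    Test-Range 'Auto-restart deadline (days)'   (Get-PolicyValue 'AutoRestartDeadlinePeriodInDays') 2 14
    Test-Range 'Active hours span (hours)'      $span 1 18
)

"Update source: $source"
$results | Format-Table -AutoSize
```

A status of NotConfigured means no policy value is present, so the PC follows its local Settings or the Windows defaults for that item.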

Tools for working in large organizations (Enterprise)

Large organizations with a Windows network infrastructure can bypass Microsoft update servers and deploy updates from a local server. This requires increased attention from the corporate IT department, but adds flexibility to the company. The two most popular options are Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).

WSUS is the simpler option. It runs as a Windows Server role and provides centralized storage for Windows updates across the organization. Using Group Policy, an administrator directs Windows 10 PCs to a WSUS server that serves as the sole source of update files for the entire organization. From its admin console, you can approve updates and choose when to install them on individual PCs or groups of PCs. PCs can be manually assigned to different groups, or client-side targeting can be used to deploy updates based on existing Active Directory security groups.

As Windows 10's cumulative updates grow with each new release, they can take up a significant portion of your bandwidth. WSUS servers save traffic by using Express Installation Files: this requires more free space on the server, but significantly reduces the size of the update files sent to client PCs.

On servers running WSUS 4.0 and later, you can also manage Windows 10 feature updates.

The second option, System Center Configuration Manager, uses the full-featured Configuration Manager for Windows in conjunction with WSUS to deploy quality updates and feature updates. Its dashboard allows network administrators to monitor Windows 10 usage across the network and create group-based servicing plans that include information for all PCs approaching the end of their support cycle.

If your organization already has Configuration Manager installed to work with earlier versions of Windows, adding Windows 10 support to it is fairly easy.

Source: habr.com
