A question I get regularly asked is how to manage Windows 10 updates via System Center Configuration Manager. In this blog post I will explain the different options as well as the basic configuration of these options. The assumption is made that you are familiar of the ConfigMgr update deployment functionalities. Before explaining how to manage Windows 10 updates with ConfigMgr we need to make a distinction between the different update types. With the introduction of Windows 10 we can separate updates into two types:
- Quality updates: Monthly quality rollups with quality improvements on existing functionalities of Windows 10 including Security updates.
- Feature updates: two yearly release of Windows 10 with new functionalities and improvements.
More information about Windows as a service and the difference between the separate updates can be found here.
Prerequisites:
Before we can deploy these updates with ConfigMgr the right catalog need to be selected, before selecting the catalog the prerequisites need to be in-place. For ConfigMgr the prerequisite is that WSUS is installed and working correctly and before syncing and deploying feature updates as a minimum the July monthly rollup or higher (quality rollup updates are superseding) for Windows Server 2012 and 2012 r2 need to be installed. These rollups provide the capabilities of earlier updates: KB3095113, and KB3159706. After installing the quality rollup the 'wsusutil.exe postinstall /servicing' command need to be applied to enable ESD decryption. Please note when running Windows Server 2016 these updates are not needed to synchronize the upgrade classification catalog.
Initial Configuration
After installing the prerequisites, we can select the right catalog from ConfigMgr. From the ConfigMgr console: Administration -> Sites -> select the site server -> Configure site components -> Software Update Point Component properties -> tab classification here we Select:
- Updates: To sync the quality updates;
- Upgrades: To sync the catalog of feature updates.
After selecting the classification, we need to select the products:
Please note: when this is a new installation a first sync need to be accomplished before Windows 10 products are visible in the product list. A synchronization can be initiated via: ConfigMgr console -> Software Library -> Software Updates -> right click Synchronize Software Update. Synchronization can be monitored by reviewing the wsyncmgr.log.
After the initial synchronization is finished we can select the products in our case, this should be Windows 10. For selecting the products we need to go to: the Software Update Point Component Properties->tab products. Here we can select Windows 10 or make a narrowed selection to individual versions. In my case I select Windows 10 as a hole. After the selection is made and the synchronization is completed the updates should be visible in the console: ConfigMgr console -> Software Library -> all Software Updates section:
Deployment of: Quality updates.
The deployment of quality updates with SCCM can be done via the traditional way, by using Automatic deployment rules(ADR's) or manual deployments. From ConfigMgr1706 onwards there is an additional capability added to deploy Windows update for business policies. By using these policies, we can configure Windows Update for business and deferral settings. Configuring these setting can be accomplished by Group Policies and MDM settings as well. But please note that the behavior of Windows update for business is different!
- Clients will download updates from Windows update for business(online);
- SCCM is not able to report on compliancy as clients are not reporting back their compliance state;
- By configuring these Windows update for business setting we configure deferral settings for quality updates as well as feature updates.
More information about this behavior can be found here more information about the more advance options can be found here.
Deployment of Feature Updates
The feature updates of Windows 10 can be deployment in two different ways, by using:
- Windows 10 servicing functionality
- An upgrade task sequence
A question I receive regularly is which solution I should use. Both are valid solutions, but servicing does have some considerations. Currently via the service plan language packs, compatibility pre-assessment, addition of additional drivers is not possible. Long story short: A upgrade task sequence gives you more flexibility due to the flexibility of adding manual steps and customize the upgrade process.
Windows 10 servicing:
Windows 10 servicing can be configured via the servicing section in the software library. Here we can create different servicing plans for the different deployment rings which you want to introduce in your environment. We can filter on languages and limit the number of servicing updates you will download and configure the delay configuration of the selected Semi-Annual Channel(Targeted) and Semi-Annual Channel. You are basically configuring an automatic deployment rule. Based on the delay configuration and collections selected the service plan is created and can run on a schedule automatically.
Upgrade task sequence
The upgrade task sequence is a separate task sequence option which can be created from the software library –> operating system –> task sequence section. Before creating this task sequence, we need to add the operating system upgrade package to the software library. For a normal task sequence, a .wim file will be used in this scenario we need to use the media of the release of Windows 10 were you want to upgrade to, in my example this is Windows 10 1709. During the upgrade task sequence a Windows 10 setup will be initiated with the appropriated commands. The power of this way of upgrading Windows 10 to a newer release, is the flexibility and possibility to customize the upgrade. To add the operating system upgrade package, we are going to: Software Library -> Operating systems -> Operating System Upgrade Packages and click on Add operating system upgrade package.
Browse to the Windows 10 media content and add them to ConfigMgr. When the Operating System Upgrade Packages is added we can create an upgrade task sequence. To create an upgrade task sequence, we are going to: Software Library -> Task Sequences -> Create Task Sequence. In the create Task Sequence Wizard we can select "Upgrade an operating system from an upgrade packages" during the wizard we can select the operating system upgrade packages and add updates or applications when needed. Eventually we end up with a task sequence with three steps where we can add additional customization when needed.
This ends up this blog post, hope this is helpful, please leave questions or comments below.