Everything you Want to Know about Managing Windows Updates (Part 3)
In my last blog segment, I used MEM to configure some policies related to Windows updates. Let’s now see what happens behind the scenes, because an awful lot goes on each time a policy-assigned device goes seeking updates.
In this instance, I have a Feature Update Deployment policy assigned to a desktop PC that currently hosts Windows 10 21H1. Since 21H1 was released back in April of 2021, it obviously needs updating. Let’s say I have been working remotely from home using my laptop and haven’t been to the office in months. In the feature update policy I created, I chose to deploy Windows 11. I also chose a specific time frame in which it would be made available, as I want to give our IT team additional time to test for Windows 11 compatibility issues concerning our application portfolio. In this case I chose February 21, 2022, as the earliest available date. The PC is also assigned to a business update ring that has a quality update deferral period of 7 days.
On February 11, I return to the office for a department meeting and power up the desktop. MEM has already contacted Windows Update and provided the PC’s ID and the targeted feature update to be deployed. MEM will also deliver any new policies that have been assigned to the PC since the last time it was online. In this case it includes the Business Update for Ring policy settings. Next, the PC will contact the cloud to seek possible updates. In doing so, the PC informs Windows Update of any assigned deferral periods, its current OS version, and its revision status. This entire process is outlined in the diagram below.
Let’s see what happens first regarding feature updates. There are two feature updates available on February 11 for the PC - Windows 10 21H2 and Windows 11. Because the targeted feature update policy dictates Windows 11, 21H2 is out of the picture. Windows 11 would be made available if it wasn’t for the deployment period I specified which starts on February 21. That means no feature updates for our desktop PC today.
Now let’s look at quality updates. Since my computer hasn’t been powered up in quite a while, it’s missing a lot of quality updates, so its revision status is quite outdated. Fortunately, quality updates are cumulative, so I don’t have to download the updates released every single month since it was last powered on. Quality updates are released on the 2nd Tuesday of each month. This means the most recent release date was February 8. Because I have a deferral period of 7 days, February updates will have to wait a few more days before they are made available. As a result, the January quality updates will be applied to my desktop.
I then spend the next few days using my laptop at home and return to the office on February 16. Once again, my desktop PC checks in for Windows updates, and because the deferral period is now over, the February quality updates are downloaded and installed. Windows 11, however, will remain elusive until the 21st. On February 23rd, I return to the office and Windows 11 is now available. For the update to be issued, Windows Update must first determine whether the device is compatible. This is performed automatically using Windows Update for Business. If you have Update Compliance configured in Azure along with a Log Analytics Workspace, you can verify the compliance status of any listed device. While the PC itself may exceed the compliance requirements of Windows 11, the update can still be deferred due to a safeguard hold assigned by Microsoft. Safeguard holds prevent devices with a known compatibility issue from receiving a new feature update. For instance, an installed application on the device may have compatibility issues with Windows 11. You can read more about safeguards here in one of my other blogs. In this instance, there is a safeguard hold assigned to my desktop, so until a fix is released for that issue it will have to wait on Windows 11 for a while.
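The timeline above can be reproduced with a small model of the decisions described in this walkthrough. This is an added example, not code from the original post or from Microsoft; the function names, the policy dictionary layout, and the rule that an update is offered once its release date plus the deferral days has been reached are assumptions.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month, the quality update release day."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7      # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=offset + 7)

def offered_quality_update(checkin, deferral_days):
    """Release date of the newest cumulative update whose deferral has elapsed."""
    year, month = checkin.year, checkin.month
    while True:
        release = patch_tuesday(year, month)
        # Assumption: offered once release date + deferral days is reached.
        if release + timedelta(days=deferral_days) <= checkin:
            return release
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)

def feature_update_decision(checkin, target, released, earliest, safeguard_hold):
    """Return (version or None, reason) for the targeted feature update."""
    if target not in released:
        return None, "target not released"
    if checkin < earliest:
        return None, "before earliest available date"
    if safeguard_hold:
        return None, "safeguard hold"
    return target, "offered"

# Values from the walkthrough; the policy dict layout is constructed.
POLICY = {
    "target": "Windows 11",
    "released": {"Windows 10 21H2", "Windows 11"},
    "earliest": date(2022, 2, 21),
    "deferral_days": 7,
    "safeguard_hold": True,
}

def simulate(checkins, policy=POLICY):
    """Evaluate each check-in date against the policy."""
    rows = []
    for day in checkins:
        quality = offered_quality_update(day, policy["deferral_days"])
        feature = feature_update_decision(
            day, policy["target"], policy["released"],
            policy["earliest"], policy["safeguard_hold"])
        rows.append((day, quality, feature))
    return rows

if __name__ == "__main__":
    for row in simulate([date(2022, 2, 11), date(2022, 2, 16), date(2022, 2, 23)]):
        print(row)
```

Because the model returns a reason alongside each feature update decision, it also shows why a device that is past its earliest available date can still be held back.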
More to it than Meets the Eye
As you can see, there are a lot of moving parts when it comes to Windows Update for Business. In our remaining segment, we will wrap up our discussion by talking about compliance deadlines and automatic restarts, and touch on Group Policy one last time.