Management of Windows 10 Updates

With Windows 10, Microsoft has completely changed the methodology around updating and patching Windows and other Microsoft products. Instead of releasing a major version of Windows every few years (for example, Windows 7, Windows 8, etc.), Microsoft announced that Windows 10 will be the last major release of Windows, moving instead to an ongoing, perpetual update cycle. There are two types of Windows updates:

  • Feature Updates (twice-a-year updates that deliver new features, the equivalent of new versions of Windows)
    e.g. the May 2019 feature update upgraded Windows 10 to version 1903 (build 18362.1)

  • Quality Updates (monthly bug fixes and security patches)
    e.g. the Aug cumulative quality update for version 1903 (build 18362.10012)

See the Windows 10 release information article for a detailed list of Windows 10 releases.

Feature Updates

Microsoft delivers feature updates for Windows 10 twice a year, in spring and fall. The feature update cadence has been aligned with Office 365 ProPlus updates. Both Windows and Office will receive their feature updates around March and September.

To see which version of Windows 10 is installed on your computer:

  1. Click the Start button.
  2. Click on Settings (gear icon).
  3. Click on System.
  4. Scroll down the list on the left and click on About.
  5. Scroll down to the Windows specifications section.

To see which version of MS Office is installed on your computer, please see the Related Articles section on the right.

Quality Updates

Quality updates are released more frequently since they are intended to address known performance and security issues. On the second Tuesday of each month, Microsoft releases one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes.

University-owned Devices

University-owned computers with Windows 10 that are joined to Azure Active Directory (AAD) are managed by I.T. Services using the Microsoft Intune device management platform. Both quality updates and feature updates are no longer managed by the on-premise Windows Software Update Servers (WSUS), as was the case with AD domain-joined machines. These updates are delivered directly from Microsoft.

Windows Update Rings

With Windows 10, Microsoft introduced the concept of Update Rings, which are sets of configuration policies that are assigned to groups of devices. These policies control Windows Update settings on individual devices, such as how soon an update is installed after Microsoft releases it, or how much control the user has over how the update is applied. The timing of Windows updates is determined by which Windows Update Ring the computer belongs to.

Update Ring: 0 - Preview
Security Group: zO365 - Devices - Windows Update Ring 0 - Preview
Description:
  • A few selected machines used by I.T. Services staff and departmental computer technicians to evaluate early builds before they arrive in the semi-annual channel.
  • The user of the machine has to enroll it in the Microsoft Windows Insider programme to receive updates prior to the official release date.

Update Ring: 1 - Departmental Testing
Security Group: zO365 - Devices - Windows Update Ring 1 - Testing
Description:
  • Designated devices across all departments and teams used to evaluate the major release prior to broad deployment.
  • Both feature updates and quality updates will be automatically installed as soon as they are released, unless paused by the IT administrator.
  • Following installation, the computer will be rebooted automatically during maintenance hours between 10 pm and 8 am.

Update Ring: 2 - Campus Roll-out
Security Group: zO365 - Devices - Windows Corporate Devices
Description:
  • Broadly deployed to most of the organization and monitored for feedback. Distribution of updates to this group can be paused if there are critical issues. By default, all corporate devices are included in this ring, unless they are added to one of the other three groups.
  • Feature updates will be automatically installed one month after their release date, unless paused by the IT administrator.
  • Quality updates will be automatically installed two weeks after their release date, unless paused by the IT administrator.
  • Following installation, the computer will reboot automatically during maintenance hours between 10 pm and 8 am.

Update Ring: 3 - Deferred Roll-out
Security Group: zO365 - Devices - Windows Update Ring 3 - Deferred Roll-out
Description:
  • Devices that are critical and will only receive updates once they have been vetted for a period of time by the majority of the organization.
  • Feature updates will be automatically installed six months after their release date, unless paused by the IT administrator.
  • Quality updates will be automatically installed one month after their release date (maximum allowed by Microsoft).
  • Following installation, the computer will reboot automatically during maintenance hours between 10 pm and 8 am.

If a problem is discovered while deploying a feature or quality update, the IT administrator can pause the update to prevent other devices from installing it until the issue is mitigated.

The vast majority of devices belong to the "Roll-out" ring and should not be moved to "Deferred Roll-out" unless there is a specific, valid reason for it.
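The ring deferrals above can be turned into a patch-level baseline for auditing: for a given date, which cumulative quality update should a device in each ring already have? The following Python is an added example, not part of the original article or of I.T. Services tooling; it assumes 30-day months for the stated deferrals, and the function names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta

# Deferral per ring in days. The page states these as "as soon as released",
# "two weeks", "one month" and "six months"; the day counts are assumptions
# (1 month = 30 days, 6 months = 180 days). Ring 0 (Insider preview) is omitted.
RING_DEFERRAL_DAYS = {
    "1 - Departmental Testing": {"feature": 0, "quality": 0},
    "2 - Campus Roll-out": {"feature": 30, "quality": 14},
    "3 - Deferred Roll-out": {"feature": 180, "quality": 30},
}


def patch_tuesday(year, month):
    """Second Tuesday of the month: release day of the cumulative quality update."""
    first = date(year, month, 1)
    days_to_first_tuesday = (1 - first.weekday()) % 7  # Monday=0, Tuesday=1
    return first + timedelta(days=days_to_first_tuesday + 7)


def install_date(release, ring, kind):
    """Date the ring's deferral ends for an update released on `release`."""
    return release + timedelta(days=RING_DEFERRAL_DAYS[ring][kind])


def expected_quality_release(today, ring):
    """Newest Patch Tuesday whose deferral has ended for `ring` by `today`.

    A device in this ring reporting an older cumulative update is behind
    policy (ignoring admin pauses and the overnight reboot window).
    """
    year, month = today.year, today.month
    while True:
        release = patch_tuesday(year, month)
        if install_date(release, ring, "quality") <= today:
            return release
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)


if __name__ == "__main__":
    today = date(2019, 8, 26)  # constructed sample audit date
    for ring in RING_DEFERRAL_DAYS:
        due = expected_quality_release(today, ring)
        print(f"{ring}: expect {due:%Y-%m-%d} quality update or newer")
    # Feature update example with a constructed release date.
    print(install_date(date(2019, 5, 21), "3 - Deferred Roll-out", "feature"))
```

On the sample date, rings 2 and 3 are both still expected to be on the July update, which shows how long a released security fix can remain uninstalled on deferred devices.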

Personal Devices (BYOD)

I.T. Services does not manage Windows Update settings on personal Windows 10 computers that are used to access University systems (BYOD). However, to be deemed compliant, such devices must have the most recent feature update, or the one prior to it, installed, as well as the most recent quality update. Non-compliant devices will be denied access to certain sensitive systems and resources.

Details

Article ID: 60696
Created: Sat 8/18/18 10:43 AM
Modified: Mon 8/26/19 9:46 PM