Windows 10 Patching
Microsoft Windows 10 marks several important changes for Microsoft. Because Windows 10 is the “last version of Windows,” its servicing model is radically different from that of previous Windows releases. The changes not only impact monthly patching operations but also introduce new types of Windows updates for administrators to be aware of.
The most immediately visible change is how OS updates are packaged. In previous versions of Windows, OS updates were released as a variety of packages that updated various system components. Updates were released each month, and sometimes updates would require prerequisites from previous months. For the most part, these have all been replaced with monthly Cumulative and Delta updates. The Cumulative updates function like previous service packs: they contain all of the updated code from the initial release up to the date of the cumulative update and will update a system fully. A Delta update includes only the changes from the previous month and will only apply to a system that has been kept up to date. Cumulative updates can be quite large (upwards of 1 GB), so you may prefer to deploy the Delta updates where possible. In most environments, it is advisable to deploy both so all systems can be updated.
In addition to the monthly updates, Microsoft periodically releases Servicing Stack updates (SSUs). A servicing stack update updates the files and metadata for Windows Update. These updates are intended to maintain Windows Update and are required to keep a system patching reliably. While servicing stack updates generally do not require a reboot, some updates may not apply until a system has rebooted after a servicing stack update. Microsoft has been inconsistent in how it labels SSUs: sometimes they are assigned a severity rating and sometimes they are not.
Finally, Microsoft is providing a twice-yearly feature update to Windows 10. Feature updates are separate from security patching. Feature updates are targeted for March and September; however, Microsoft has delayed feature updates when problems are detected in testing. Because the feature updates are treated as new releases of Windows, they have an end of life associated with them. Microsoft has information for each build of Windows 10 here: https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet but the basic gist is that feature updates are serviced for 18 months after the release date. September releases are serviced for 30 months from the release date for the Enterprise and Education editions.
Microsoft also provides the Long-Term Servicing Channel (LTSC) for enterprises. The Long-Term Servicing Channel of Windows 10 is intended for devices where the key requirement is that features and functionality do not change over time. As such, these releases are supported for 10 years; however, Microsoft removes several components that receive frequent updates, meaning this release is not appropriate for many environments (the LTSC release is missing components like Microsoft Edge that may be required for a client OS). In particular, the LTSC release does not generally support newly released hardware or new peripherals, and may not support all new application software. The LTSC releases are intended for very specific applications, and NOT general-use endpoints.
BigFix supports the delivery of all Windows 10 updates and provides reporting for unsupported versions of Windows 10. In-depth reporting about the Windows 10 version and build revision number is provided out of the box, so you always have up-to-date information about the Windows 10 devices in your organization.
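The servicing windows described above (18 months, 30 months for September releases on Enterprise and Education, 10 years for LTSC) can be applied to an inventory export to flag devices that are past or near end of servicing. This is an added example, not BigFix code or part of the original article; the record fields, host names, release dates and the 90-day warning window are constructed assumptions, and real release dates should come from the lifecycle fact sheet.

```python
import calendar
from datetime import date

WARN_DAYS = 90  # assumed warning window, not from the article

# Constructed inventory rows. "target" is the planned release month, kept apart
# from "released" because a delayed September release can ship in a later month.
INVENTORY = [
    {"host": "PC-01", "edition": "Pro", "channel": "standard",
     "target": "March", "released": date(2019, 3, 31)},
    {"host": "PC-02", "edition": "Enterprise", "channel": "standard",
     "target": "September", "released": date(2019, 10, 15)},
    {"host": "PC-03", "edition": "Pro", "channel": "standard",
     "target": "September", "released": date(2019, 10, 15)},
    {"host": "KIOSK-01", "edition": "Enterprise", "channel": "LTSC",
     "target": None, "released": date(2018, 11, 1)},
]

def add_months(d, months):
    """Shift a date by whole months, clamping the day to the month's length."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def servicing_months(rec):
    """Servicing window in months, following the rules stated in the article."""
    if rec["channel"] == "LTSC":
        return 120  # 10 years
    if rec["target"] == "September" and rec["edition"] in ("Enterprise", "Education"):
        return 30
    return 18

def report(inventory, today):
    """Return (host, end_of_servicing, status) for every inventory row."""
    rows = []
    for rec in inventory:
        end = add_months(rec["released"], servicing_months(rec))
        days_left = (end - today).days
        if days_left < 0:
            status = "unsupported"
        elif days_left <= WARN_DAYS:
            status = "expiring"
        else:
            status = "supported"
        rows.append((rec["host"], end, status))
    return rows

if __name__ == "__main__":
    for host, end, status in report(INVENTORY, date(2021, 3, 1)):
        print(f"{host:10} ends {end}  {status}")
```

Keying the 30-month rule on the targeted release rather than the calendar month of the release date keeps a delayed September release from being misclassified as an 18-month build.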