When Windows 10 was released in 2015, it not only introduced a new operating system, it also changed the way Windows would be updated going forward because who doesn’t love change? Right? Anyone? Instead of big OS releases packed with a new look and tons of new features, Microsoft has given us feature updates.
Feature updates are Microsoft’s alternative to new OS releases every few years. Feature updates are technically new versions of the Windows operating system. These updates include new features, security improvements, visual differences, and more. Feature updates are released twice a year, usually in the spring and fall.
Quality updates are different from feature updates. Quality updates are the standard updates released once a month on the second Tuesday of the month, better known as Patch Tuesday. These updates include things such as bug fixes, patches for security vulnerabilities, and system stability improvements. Unlike feature updates, quality updates do not introduce new features or significant changes to the OS. With this in mind, it’s easy to see why we need a different approach to managing feature updates versus quality updates. Since quality updates don’t introduce significant changes to the OS, less testing is required to ensure system compatibility. On the other hand, you may want to postpone feature update installations or even skip specific feature updates altogether depending on your environment.
Before we dive into WSUS, I recommend having a patch management policy in place. I know, I know, nobody likes the “p” word, but it’s best to have this information available so you can refer to it while configuring WSUS. It should provide guidance on whether feature update installations need to be postponed for a length of time or skipped altogether on more sensitive or mission-critical equipment. If you don’t have a patch management policy in place or if it doesn’t cover feature updates, get together with your team and put something together. Since feature updates are new operating system versions, special care should be taken with deployments.
If I didn’t scare you off by talking about policies, then before we begin, make sure you are using a version of WSUS that supports deploying Windows 10 feature updates. Here are the supported versions of WSUS:
WSUS 10.0.17763 (Windows Server 2019 role)
WSUS 10.0.14393 (Windows Server 2016 role)
WSUS 6.3 (Windows Server 2012 R2 role, requires KB 3095113 or 3159706)
WSUS 6.2 (Windows Server 2012 role, requires KB 3095113 or 3159706)
*NOTE: KB 3095113 & KB 3159706 are included in the security monthly quality rollup update as of July 2017. If you don’t see these updates as installed, it may be because they were installed with the rollup.
With WSUS open, the first thing we want to do is create a few groups to help organize our deployments. I like to break up my feature update deployments into three groups: preview, broad, and critical. The preview group is a small set of computers that will evaluate new feature updates. The broad group is where the majority of the workstations will reside. This group will receive the feature update once the preview group has thoroughly tested the update. The critical group is for devices that are vital to maintaining operations. This group will be the last to receive a feature update and may skip specific feature updates altogether to ensure system compatibility. To create a group, expand Computers, right-click on All Computers and click Add Computer Group.
Name your group and click Add. Repeat this process for the remaining groups.
With our groups created, we need to assign our computers to their appropriate groups. Click on All Computers to view the full list of computers in WSUS. To add a computer to a group, right-click on a device, and select Change Membership. This will bring up the list of groups we created. Select the desired group and click OK.
If you have a substantial number of computers in WSUS, there are a few things you can do to help this process go quicker. First, you can highlight multiple computers at once as you normally would with the SHIFT and CTRL keys. Another suggestion is to use the Search option located in the Actions pane on the right side of the window. Lastly, a Group By option is also found in the Actions pane, which allows you to group your devices by operating system, version, server, make, model, firmware, and mobile operator.
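The group creation and membership steps above can also be scripted. This is an added example, not part of the original article: it uses the UpdateServices module on the WSUS server, and the computer-name patterns are hypothetical placeholders to replace with your own naming scheme.

```powershell
# Added example: create the Preview/Broad/Critical groups and assign computers.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer

# Group names follow the article; the name patterns are hypothetical.
$groupMap = [ordered]@{
    'Preview'  = 'PILOT-'
    'Broad'    = 'WKS-'
    'Critical' = 'OPS-'
}

foreach ($groupName in $groupMap.Keys) {
    # Create the group only if it does not exist yet, so reruns are safe.
    $group = $wsus.GetComputerTargetGroups() |
        Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        $group = $wsus.CreateComputerTargetGroup($groupName)
    }

    # Add every computer whose name contains the pattern to the group.
    foreach ($computer in $wsus.SearchComputerTargets($groupMap[$groupName])) {
        $group.AddComputerTarget($computer)
    }

    # Print the resulting membership so it can be checked against policy.
    '{0}: {1} computer(s)' -f $groupName, $group.GetComputerTargets().Count
}
```

Assigning membership this way works only when WSUS is set to assign computers through the Update Services console rather than through Group Policy or registry settings.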
Configuring Auto Approval For The Preview Group
With our workstations assigned to their appropriate groups, we’ll configure the preview group to approve feature updates for installation automatically.
Click on the Options menu item in the menu tree
Click Automatic Approvals
Click New Rule in the Automatic Approvals window under the Update Rules tab
In the Add Rule window, select When an update is in a specific classification, When an update is in a specific product, and Set a deadline for the approval
Under Edit the properties, click any classification
Unselect all classification types except for Upgrades and click OK
Click any product
Unselect everything except for Windows 10 and click OK
Click on all computers
Select the Preview group and make sure no other groups are selected, and click OK
We’ll leave the deadline set at its default, which is seven days after the approval at 3:00 AM
Name your rule and click OK
Click OK in the Automatic Approvals window
Feature updates will now be automatically approved for installation for the Preview group. Since we postpone deploying feature updates for our Broad and Critical groups, these updates will need to be manually approved. Refer back to your patch management policy to determine how long you will postpone an update before deploying it.
So your preview group has finished testing all the new features released in the latest version of Windows, and you’re feeling brave enough to deploy it to your Broad group. Or, maybe you had a dream about Shia LaBeouf yelling at you to just do it. Either way, great! Let’s start by creating a view in WSUS that contains only the updates we want to see.
Click Updates in the menu tree on the left in WSUS
Click New Update View in the action pane on the right
Select Updates are in a specific classification, and Updates are for a specific product
Click any classification and uncheck all options except for Upgrades and click OK
Click any product and uncheck all options except for Windows 10 and click OK
Specify a name for the view and click OK
With our new view created, all that’s left to do is deploy the update.
Click on the newly created update view in the menu tree on the left
Right-click on the update you want to deploy and click Approve
Click the down arrow next to the Broad group and click Approved for Install
Click on the drop-down next to Broad once again and select Deadline > One Week
Click OK, and the Approval Progress window should appear with the results
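The same manual approval can be done from PowerShell. This is an added example, not part of the original article: it uses the WSUS administration API exposed by Get-WsusServer, the title pattern is a placeholder for the update you picked in your view, and the deadline of seven days from now (in UTC) is this script's stand-in for the console's One Week choice.

```powershell
# Added example: approve a Windows 10 feature update for the Broad group.
Import-Module UpdateServices
$wsus = Get-WsusServer

$titlePattern = '*REPLACE-WITH-UPDATE-TITLE*'   # placeholder, not a real title
$targetGroup  = 'Broad'                         # group name from the article
$apply        = $false                          # set to $true to approve

# Same filter as the update view: classification Upgrades, product Windows 10.
$upgrades = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Upgrades' }
$win10    = $wsus.GetUpdateCategories()      | Where-Object { $_.Title -eq 'Windows 10' }
$group    = $wsus.GetComputerTargetGroups()  | Where-Object { $_.Name -eq $targetGroup }
if (-not $upgrades -or -not $win10 -or -not $group) {
    throw 'Classification, product or target group not found on this server.'
}

$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$null  = $scope.Classifications.Add($upgrades)
$null  = $scope.Categories.Add($win10)

# Skip declined and superseded updates so an old build is not pushed by mistake.
$candidates = $wsus.GetUpdates($scope) | Where-Object {
    $_.Title -like $titlePattern -and -not $_.IsDeclined -and -not $_.IsSuperseded
}

$deadline = [DateTime]::UtcNow.AddDays(7)   # assumption: deadline given in UTC
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

foreach ($update in $candidates) {
    if (-not $apply) {
        "Would approve: $($update.Title)"
        continue
    }
    # Feature updates can carry license terms that must be accepted first.
    if ($update.RequiresLicenseAgreementAcceptance) {
        $update.AcceptLicenseAgreement()
    }
    $null = $update.Approve($install, $group, $deadline)
    "Approved for ${targetGroup}: $($update.Title) (deadline $deadline UTC)"
}
```

With `$apply` left at `$false` the script only lists what it would approve, which gives you a chance to confirm the match before anything reaches the Broad group.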
Managing updates, in general, is not on my favorite things-to-do list. It lands right below watching Spider-Man 3 and right above picking up the presents my dog leaves for me in the backyard. That’s why I try to make updating Windows as simple as possible. If you don’t already use PDQ Deploy for managing your Windows quality updates, watch Lex demonstrate how easy it is in this quick video tutorial.