Windows OS Update Management

One of the critical pieces of managing Windows 10 devices is to manage the Windows OS updates. It is important for organisations to define a policy that either automates or controls the various updates that Windows offers like the OS updates, feature updates and security patches.

Scalefusion lets IT Admins configure the OS update policy on managed Windows 10 devices so that rollouts are controlled. Furthermore, you can control which components update automatically and selectively update others.

If you have configured updates to require your approval, Scalefusion also lets you check for updates at a device or device group level and apply pending updates.

This document walks you through the various policies on offer around OS updates.

Configuring Windows OS Update Policy

IT Admins can configure a Windows OS update policy for the managed devices by creating a Device Profile and applying it to the devices. We suggest you create a Test profile and apply it to a set of test devices to verify the behavior before you make the changes to the main device profile applied to production devices.

  1. The policies related to OS updates are provided in the Windows Device Profile. Navigate to Device Profiles & Policies > Device Profiles and edit an existing profile or create a new Windows profile.
  2. In the Device Profile, navigate to Settings > Windows Updates > Windows MDM Based Settings section to start defining the OS update policy.
  3. To configure the Windows Update policies for all the devices to which this profile is applied, enable Configure Windows Policies. Once you enable this you can configure the various settings by clicking on the section and expanding it.
  4. Auto Update Settings: This section helps you control the automatic update behaviour.
    The options are,

    Setting: Description

    Active Hours Start: Configure a start time for the active hours that prevent the device from rebooting. Works in combination with the end time.

    Active Hours End: Configure an end time for the active hours that prevent the device from rebooting. Works in combination with the start time.

    Active Hours Max Range: The maximum range for the active hours during which the device is not rebooted, capped at 18 hours.

    Auto Update: Configure automatic update behaviour by selecting one of the options below,

      • Notify the user before downloading the update
      • Auto install the update and then notify the user to schedule a device restart
      • Auto install and restart
      • Auto install and restart at a specified time
      • Auto install and restart without end-user control
      • Turn off automatic updates

    Automatic Maintenance Wake up

    Update Notification Level: Control the notification behaviour for updates by selecting one of the options below,

      • Use default Windows Update notifications
      • Turn off all, excluding restart warnings
      • Turn off all, including restart warnings

    Fill Empty Content URLs

  5. Deferral Settings: Choose how you would like to defer the OS updates by configuring these settings.
    The options are,

    Setting: Description

    Defers Feature Updates: Defers Feature Updates for the specified number of days.

    Pause Feature Updates: Allows IT Admins to pause Feature Updates for up to 60 days.

    Configure Deadline for Feature Updates: Allows IT Admins to specify the number of days before feature updates are installed automatically. Updates and restarts will occur regardless of active hours.

    Defers Quality Updates: Defers Quality Updates for the specified number of days.

    Pause Quality Updates: Allows IT Admins to pause Quality Updates for up to 35 days.

    Configure Deadline for Quality Updates: Allows IT Admins to specify the number of days before quality updates are installed automatically. Updates and restarts will occur regardless of active hours.

    Configure Deadline for Grace Period: Adds a grace period to the deadlines for quality and feature updates before the device restarts automatically.

    Configure Deadline for No Auto Reboot: If enabled, devices will not automatically restart outside of active hours until the deadline for feature and/or quality updates is reached, even if applicable updates are already installed and pending a restart.

    Feature Update Uninstall Period: Enables the IT Admin to configure the feature update uninstall period.

  6. Scheduling Settings: Configure a schedule for OS updates to be installed.
    The options are,

    Setting: Description

    Schedule Install Day: Configure whether you want to install updates every day or on a specific day.

    Schedule Install Week: Configure whether you want to install updates every week or in a specific week of the month.

    Schedule Install Time: Enables the IT Admin to schedule the time of the update installation.

  7. Administration & Network Settings: In this section, configure the updates that should be automated and the ones that should be blocked.
    The options are,

    Setting: Description

    Require Update Approval: Enable this to configure which updates should be automatically applied and which require IT Admin approval.

    NOTE: Once this policy is applied to a device, it cannot be reverted and the IT Admin has to apply the pending updates from the Scalefusion Dashboard or locally on the device.

    From the list, select the components that will be automatically updated. Any item that is not checked will not be updated automatically and the IT Admin has to install it from the Scalefusion Dashboard or locally on the device.

      • Application
      • Connectors
      • Critical Updates
      • Definition Updates
      • Developer Kits
      • Feature Packs
      • Guidance
      • Security Updates
      • Service Packs
      • Tools
      • Update Rollups
      • General

    Disable UI/UX to Pause Windows Update: When this policy is enabled, the user cannot access the "Pause updates" feature.

    Disable UI/UX to Scan Windows Update: When this policy is enabled, the user cannot access the Windows Update scan, download, and install features.

    Allow Auto Update over Metered Network: Allow updates to be downloaded over metered network connections.

  8. Scanning: In this section, configure the scan frequency for updates.
    The options are,

    Setting: Description

    Detection Frequency: Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.

    Disable Dual Scan: Do not allow update deferral policies to cause scans against Windows Update. With the policy enabled, those scans are prevented, and the deferral policies work as expected.

  9. Restart and Notification: Configure the device restart and notification settings in this section.
    The options are,

    Setting: Description

    Engaged Restart Deadline(Quality Updates): Specifies the deadline for Quality Updates in days before automatically scheduling and executing a pending restart outside of active hours.

    Engaged Restart Deadline(Feature Updates): Specifies the deadline for Feature Updates in days before automatically scheduling and executing a pending restart outside of active hours.

    Engaged Restart Snooze Schedule(Quality Updates): For Quality updates, specify the number of days the user can snooze the restart notification.

    Engaged Restart Snooze Schedule(Feature Updates): For Feature updates, specify the number of days the user can snooze the restart notification.

    Engaged Restart Transition Schedule(Quality Updates): For Quality updates, specify the timing before transitioning from auto restarts scheduled outside of active hours to a user-initiated restart.

    Engaged Restart Transition Schedule(Feature Updates): For Feature updates, specify the timing before transitioning from auto restarts scheduled outside of active hours to a user-initiated restart.

    Auto Restart Deadline Period(Quality Updates): For Quality updates, enforce a deadline in days before automatically executing a scheduled restart outside of active hours.

    Auto Restart Deadline Period(Feature Updates): For Feature updates, enforce a deadline in days before automatically executing a scheduled restart outside of active hours.

    Schedule Imminent Restart Warning: Specify the period for auto-restart imminent warning notifications.

    Schedule Restart Warning: Specify the period for auto-restart warning reminder notifications.

    Auto Restart Notification Schedule: Specify the period for auto-restart warning reminder notifications.

    Auto Restart Required Notification Dismissal: Specify the method by which the auto-restart required notification is dismissed, either automatically or by the user.

    Disable Auto Restart Notification: Enable this to disable auto-restart notifications for update installations.

    Set Cart Restart: Enable this to skip all restart checks and ensure that the reboot will happen at the Scheduled Install Time as per the Scheduling Settings section.

  10. Delivery Optimization: Configure settings that optimize OS update delivery in a network of devices and configure caching policies.
    The options are,

    Setting: Description

    Download Mode: Specifies the download method for downloads of Windows Updates, Apps and App updates.

      • HTTP only, no peering
      • HTTP blended with peering behind the same NAT
      • HTTP blended with peering across a private group
      • HTTP blended with Internet peering
      • Simple download mode with no peering
      • Bypass mode (Use BITS instead of Bypass mode)

    Allow VPN Peer Caching: Allow the device to participate in Peer Caching while connected via VPN to the domain network.

    Min File Size To Cache: Specify the minimum content file size in MB enabled to use Peer Caching.

    Min RAM Allowed To Peer: Specify the minimum RAM size in GB required to use Peer Caching.

    Min Disk Size Allowed To Peer: Specify the minimum RAM size in GB required to use Peer Caching.

    Min Battery Percentage Allowed To Upload Data: Specify the minimum battery required for the device to upload data to LAN and Group peers. The value 0 (zero) means 'not limited'.

    Modify Cache Drive: Specify the drive that Delivery Optimization should use for its cache.

    Select Source of GroupID: Restrict peer selection to the selected source:

      • AD Site
      • Authenticated Domain SID
      • DHCP User Option
      • DNS Suffix
      • AAD

    Minimum Download Speed for Background Downloads: Specify the minimum download QoS (Quality of Service, or speed) in KiloBytes/sec for background downloads.

    Max Cache Age: Specify the maximum time in seconds that each file is held in cache after downloading.

    Max Cache Size: Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size.

    Absolute Max Cache Size(GB): Specify the maximum size in GB of the Delivery Optimization cache (it overrides the Max Cache Size policy).

    Monthly Upload Data Cap(GB): Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in a calendar month.

    Max Download Bandwidth(KB/s): Specify the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.

    Max Upload Bandwidth(KB/s): Specify the maximum upload bandwidth in KiloBytes/second that the device can use across all concurrent upload activities.

    Percentage Max Background Bandwidth: Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.

    Percentage Max Foreground Bandwidth: Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.

Once you have configured the OS Update policy, save the Device Profile and apply it to the device where you want these changes to take effect.
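
One way to carry out the test-device verification suggested earlier, as an added example that is not Scalefusion's own tooling. It assumes the profile's settings reach the device as Windows Policy CSP "Update" policies, readable under the registry key shown; the expected values are constructed for a hypothetical test profile.

```powershell
# Added example (not Scalefusion code). Assumption: the profile is delivered as
# Windows Policy CSP "Update" policies, which Windows records under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Constructed expected values for a hypothetical test profile; use your own.
$Expected = [ordered]@{
    ActiveHoursStart                   = 8
    ActiveHoursEnd                     = 18
    DeferQualityUpdatesPeriodInDays    = 7
    DeferFeatureUpdatesPeriodInDays    = 30
    ConfigureDeadlineForQualityUpdates = 3
    DetectionFrequency                 = 22
}

function Test-UpdatePolicy {
    param(
        [string]$Path = $PolicyKey,
        [System.Collections.IDictionary]$Expected
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No Update policies at $Path; has the profile reached this device?"
        return
    }
    $actual = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Expected.Keys) {
        # A policy that was never delivered has no registry value at all.
        $prop   = $actual.PSObject.Properties[$name]
        $value  = if ($prop) { $prop.Value } else { $null }
        $status = 'OK'
        if ($null -eq $value) { $status = 'NotSet' }
        elseif ($value -ne $Expected[$name]) { $status = 'Mismatch' }
        [pscustomobject]@{
            Policy = $name; Expected = $Expected[$name]; Actual = $value; Status = $status
        }
    }
    # Active hours may wrap past midnight; the range is capped at 18 hours.
    $start = $actual.PSObject.Properties['ActiveHoursStart']
    $end   = $actual.PSObject.Properties['ActiveHoursEnd']
    if ($start -and $end) {
        $span = (($end.Value - $start.Value) + 24) % 24
        if ($span -gt 18) { Write-Warning "Active hours span of $span h exceeds the 18 h cap" }
    }
}

Test-UpdatePolicy -Expected $Expected | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a test device after the profile has synced; a NotSet or Mismatch row on a deferral or deadline policy means the device is not patching on the schedule the profile intends.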

Managing OS Updates at Group or Device Level

Based on your OS update policy, there might be some updates that you can manage at a device level. Only the items that were not selected under the Require Update Approval setting in the Administration & Network Settings section can be controlled at a device level. Scalefusion can query for only these items, and the list of updates gets updated at a device level.

This section shows how to check for and initiate updates at a Group and Device level.

NOTE: Only the updates that require Admin approval as per the OS update policy will be shown here.

Viewing & Initiating update at Device Group Level
  1. Navigate to the Device Group section and click on the group where you want to check for updates.
  2. Navigate to Devices tab, click on Actions drop-down and click on View Updates in front of Windows 10 & above,
  3. If any of the devices have updates available then you would see the screen below,
    1. Title: The name of the update as returned by the OS. If no name is returned then it is displayed as Unidentified Update
    2. Update Type: The type of the update
    3. Status: The current status of the update, which is one of Pending, Approved or Installed
    4. Devices: The number of devices in this group where this is available. Clicking on the count of devices shows you the devices where it is available.
    5. Additional Options
      1. Sync Install Status: Sends a query to all devices to retrieve the install status. Please close and reopen the dialog for the latest status to be displayed.
      2. Sync Available Updates: Sends a query to all devices to retrieve the available updates. Please close and reopen the dialog for the latest results to be displayed.
  4. Select the updates that you want to roll out and click on UPDATE to start the updates on the device. Once you have pushed the updates, the status will change to Approved.
    NOTE: By clicking on UPDATE you are accepting the EULA agreement. Due to some technical issues with the MDM protocol the content of the EULA

Viewing & Initiating update at Device Level
  1. Navigate to the Devices section and click on the Windows 10 devices for which you want to view the available updates.
  2. Once in the Device details view, click on the View Updates button to view the updates
  3. Select the updates that you want to install on this particular device and click on Update
NOTE: By clicking on UPDATE you are accepting the EULA agreement. Due to some technical issues with the MDM protocol the content of the EULA

