Managing updates In Windows 10

In Windows 10, the Windows Update service delivers security fixes, performance and reliability improvements, and updated device drivers, just as its predecessors have done for two decades. But Windows 10 also assigns a crucial new role to this core feature. In the “Windows as a Service” model, Windows Update delivers regular upgrades to Windows 10, with new and improved features alongside the bug fixes.
If you’re accustomed to using Windows Update in earlier versions of Windows, you might be startled by one major change in Windows 10. Whereas Windows 7 and Windows 8.1 users were offered a menu of updates periodically and could pick and choose which updates they wanted to install, Windows 10 bundles all its available updates into cumulative updates. A cumulative update includes all fixes that Microsoft has previously released. When you install the update, the system downloads and applies only those updates you have not previously installed. This major change in the servicing model for Windows requires a change in thinking for traditionalists who no longer have the option to sort through updates at their leisure, accepting some, delaying others, and rejecting still others.
The second major change in the “Windows as a Service” model is that updates are installed automatically. Most newly discovered vulnerabilities in Windows are patched quickly—usually before they become widespread problems. In fact, many of the worst security incidents in recent years have attacked vulnerabilities that had been patched months or years earlier. The victims tended to be those who failed to keep their Windows PCs properly updated. With Windows 10, Microsoft has taken additional steps to ensure that more systems are updated automatically. In this chapter, we discuss how Windows Update works, with a special emphasis on how administrators can manage updates effectively on PCs running Windows 10 Pro and Enterprise editions. First, though, we begin with some details about how Microsoft’s update rules have evolved since the beginning of the Windows 10 era.

WHATʼS NEW IN WINDOWS UPDATE

Since the initial release of Windows 10 in 2015, Microsoft has made multiple changes to the way Windows Update works. These changes affect all Windows 10 editions, including PCs running Windows 10 Home as well as large-scale business deployments. This section summarizes the most important of those changes.

One of the most obvious changes, especially for those who have been working with Windows 10 since its earliest days, is the elimination of separate servicing channels for consumers and business customers. In Windows 10 versions released in 2018 and earlier, update settings included two branch readiness levels (later renamed servicing channels). As of 2019, updates for retail and OEM editions are delivered on a single schedule called the Semi-Annual Channel; all references to branches and channels have been removed from the update settings.
For those running public (not Insider) releases of Windows 10 in unmanaged environments, two additional changes, effective with version 1903, allow more control over when updates are installed. Users can pause all updates, including pending reliability and security fixes, for up to 35 days (applied in seven-day increments), even on PCs running Windows 10 Home. In addition, feature updates are no longer mandatory packages but instead appear as optional updates.
Finally, Microsoft has formalized the support life cycle for its twice-yearly feature updates. The H1 release (typically completed in March or April) is supported with security and reliability updates for 18 months for all editions; the H2 (September/October) release is also supported for 18 months on Windows 10 Home or Pro, but administrators managing Enterprise and Education editions get a 30-month support cycle for the H2 release. Administrators can defer feature updates until the support life cycle of the currently installed version runs out. We discuss both of these new options in “Deferring and delaying updates,” later in this chapter.

AN OVERVIEW OF HOW WINDOWS 10 UPDATE WORKS

Windows Update runs as a service that is set to start as needed; its associated services, including the Background Intelligent Transfer Service (BITS), also run automatically, with little or no attention required from you other than an occasional restart. We strongly suggest checking in at regular intervals to confirm that updates are being delivered as expected and that the various Windows Update services are working properly. To do this, go to Settings > Update & Security > Windows Update. Figure 5-1 shows what you’ll see if Windows has pending updates available.

Figure 5-1 When updates are available, you can view their installation status on this page. If a restart is required, you’ll see an option to restart immediately or schedule a more convenient time.
The text below the Windows Update heading tells you whether your system was up to date as of the most recent check. If updates are ready to install, you can do so immediately. For updates that require a restart, you can take advantage of the scheduling options we describe later in this chapter. (See “Choosing when updates are installed.”)
Windows Update checks daily to see whether new updates are available, so you don’t ordinarily need to use the Check For Updates button. If you’re preparing for travel, you might want to make a manual check before your departure to avoid having to deal with pending updates while on the road.

What you get from Windows Update

In earlier versions of Windows, security updates and reliability fixes were offered as an ever-growing collection of individual updates, with feature improvements reserved for major version upgrades that typically required payment. This approach meant you could pick and choose which updates to install. But it also meant you were sometimes faced with installing scores of updates (and performing multiple reboots), especially when updating a device that hadn’t been used for a few months. That pick-and-choose-your-updates approach changes dramatically with Windows 10. When you check for new updates in Windows 10, even on a device that hasn’t been updated in many months, you are likely to see, at most, only a handful of updates. These updates fall into the following categories.

Quality updates

Windows 10 receives so-called quality updates, which fix security and reliability issues, in cumulative packages targeted at each Windows 10 version. (This category includes the fixes delivered like clockwork on the second Tuesday of each month, also known colloquially as Patch Tuesday or, more formally, Update Tuesday.) They are version specific, with separate updates available depending on the currently installed Windows version— 2004 or 1909, for example. Each newly released cumulative update supersedes all previous updates for that version. When you install the latest cumulative update, it applies the most recent revision of all quality updates that apply to your Windows 10 version.
Separate quality updates, which are not part of the cumulative packages, address security issues in the Adobe Flash code that is part of Microsoft Edge and Internet Explorer.
Beginning in February 2019, Microsoft changed the format of cumulative quality update packages to make them smaller, redistributable, and easier to manage. Details are in this post on the Windows IT Pro blog: https://bit.ly/update-changes-2019.

Feature updates

Feature updates are the equivalent of major version upgrades. They are released twice yearly, with code typically finalized in March and September and the actual updates publicly released a month or two later. Because these updates are much larger than quality updates and take significantly longer to install, they have their own set of management options.

Servicing stack updates

The servicing stack is the code that installs operating system updates to Windows. It also includes the component-based servicing stack (CBS), which powers several Windows-based deployment features, including the Deployment Image Servicing and Management command-line tool (DISM.exe); the System Integrity Check and Repair tool (Sfc.exe), a direct descendant of the Windows XP-era System File Checker tool; and the Windows Features tool (OptionalFeatures.exe).
Servicing stack updates are delivered on an as-needed basis (typically not every month) and include reliability and security fixes. They are version specific, with separate servicing stack updates available depending on the currently installed Windows version. They are typically delivered along with, but separate from, the cumulative quality updates in a given month.
If you are manually installing updates from the Microsoft Update Catalog as part of setting up a new Windows 10 installation, Microsoft recommends installing the most recent servicing stack update before downloading the latest cumulative update. Manually installing the most recent servicing stack update is also a recommended step for troubleshooting Windows Update problems.

Driver updates

Microsoft delivers some device drivers and firmware updates through Windows Update. All Microsoft Surface devices, for example, receive hardware-related updates through this channel. Windows Update provides some third-party drivers to complete setup for devices that are not available in the Windows installation package as well as occasional replacements for installed device drivers that have been deemed to be the source of significant reliability issues.
Windows Defender Antivirus definitions
Windows Defender Antivirus has its own update mechanism that periodically downloads definition updates (sometimes called signature files). If you manually check Windows Update, it will download and install any available definition updates that have been released since the most recent Windows Defender check.

Microso Malicious Soware Removal Tool

The Malicious Software Removal Tool (MSRT) is typically delivered monthly, on Update Tuesday. Its purpose is to detect and remove prevalent malware from Windows computers; it is not a substitute for the comprehensive antimalware code included as part of Windows Defender. MSRT runs automatically in the background; if it detects and removes any threats, it generates a log file and saves it as %windir%\debug\mrt.log.
Finding technical information about updates
The information that appears in the list of available updates and in your update history is brief and often less than informative. Why, exactly, are you being offered a particular update? Which reliability and security issues, exactly, are addressed in the latest quality update?
For the answers, prepare to do some clicking. Start with Settings > Update & Security > Windows Update > View Update History. That opens a categorized list of all updates installed since the most recent feature update, similar to the one shown in Figure 5-2.

Figure 5-2 The update history list starts fresh after you successfully install a new feature update. Click any hyperlink to see additional details about a quality update.
Each cumulative update listed under the Quality Updates heading includes a descriptive title and the number associated with a related Knowledge Base (KB) article.
Clicking the update title opens that KB article, which in turn typically contains a list of key changes—security updates and quality improvements that are new in that cumulative update, along with a listing of any known issues for the update. It also includes a link to the Microsoft Update Catalog, where you can download a standalone package that allows you to install the updates manually. A File Information section provides a link to a list of files and version information associated with the update (in CSV format).
For cumulative updates that include security content, the associated KB article typically does not include detailed information about those fixes. That’s a noteworthy change from Microsoft’s previous update documentation policy.
Previously, Microsoft issued a monthly security summary on the second Tuesday of each month, with links to individual security bulletins that contained details about a security issue, including an executive summary, a severity rating, and a list of affected software. Microsoft stopped issuing those bulletins in March 2017, and as of April 2017 this information is available in a searchable database called the Security Update Guide: https://portal.msrc.microsoft.com/en-us/securityguidance
The Security Update Guide includes listings for all Microsoft products. To see only the most recent updates, use the filters on the guide’s home page to specify a date, and then use additional filters to refine the results further. For example, you can choose a specific version (such as Windows 10 version 1909) and specify a security rating (such as Critical) to show only Critical updates for that version during the specified range of dates. You can also search by the industry standard identifier for a security issue, using the Common Vulnerabilities and Exposures (CVE) database, or enter a KB number.
Security updates that are included with a cumulative update get their own release notes, which are linked from the Security Update Guide. These release notes are not associated with a KB number.
Every cumulative update, complete with KB number and minor build number, is also listed on the Windows 10 Update History page. That index is categorized by version; updates for version 1909, for example, are at https://support.microsoft.com/help/4529964.
Every update listing also links to the associated page in the Microsoft Update Catalog. There, you can find download links for standalone update packages as well as further details about the updates.
Security updates include a rating of the threat’s severity. These are the four ratings that are used, listed in order of severity (with the most severe first):

Critical A critical vulnerability can lead to code execution with no user interaction.
Important An important vulnerability is one that can be exploited to compromise the confidentiality or integrity of your data or to cause a denial-of-service attack.
Moderate A moderate vulnerability is one that’s usually mitigated by default settings and authentication requirements. In other words, you’d have to go a bit out of your way for one of these to damage your system or your data.
Low A vulnerability identified as low usually requires extensive interaction or an unusual configuration to cause damage.

For vulnerabilities with a rating of Critical or Important, Microsoft provides an Exploitability Index that estimates the likelihood that a vulnerability addressed in a security update will be exploited. This information is intended to help Windows administrators prioritize their deployment of updates.
The Exploitability Index includes four values:

0 – Exploitation Detected The vulnerability is actively being exploited.
1 – Exploitation More Likely There is a strong likelihood that attackers could consistently exploit this vulnerability, making it an attractive target.
2 – Exploitation Less Likely Attackers would have difficulty creating exploit code, making it a less attractive target.
3 – Exploitation Unlikely Successfully functioning exploit code is unlikely to be utilized in real attacks, and the full impact of exploitation is likely to be limited.

MANAGING WINDOWS UPDATE

Almost all the tools for managing updates have migrated from the old-style Control Panel to the modern Settings app. In this section, we discuss options that are available in every edition, including Windows 10 Home.

Choosing when updates are installed

If Windows needs to restart your system to complete the installation of an update, you have the option to restart immediately or specify a time when you want the system to restart. If you do neither of these things, Windows Update will restart at a time outside your designated active hours. To set your normal working hours, click Change Active Hours on the main Windows Update page.
There, you can choose to allow Windows to automatically adjust the allowable update times based on its observations of your activity. Or, if you prefer, leave that option off, click Change, and set the active hours manually using this dialog box:

The allowable range for prohibiting automatic restarts was increased in version 1703 from 12 to 18 hours. This change should be welcome news to those who work long or variable hours. But even if you’re working outside your designated active hours, Windows will not restart your system without notification. If Windows requires a restart to install one or more updates, you receive a notification in Action Center and on the main Windows Update page, shown earlier in Figure 5-1.
Restarting immediately, by clicking Restart Now, may be the ideal option if you know you’re going to be away from the PC for a meeting or lunch break that will last longer than the few minutes it takes to install a batch of updates. (But watch out for feature updates, which are equivalent to full upgrades and might take as much as an hour or even longer, depending on your hardware.) Save your existing work, close any open files, and then click Restart Now. Be sure to wait for all open apps to close before you head out the door. It’s annoying (and a big drag on productivity) to come back from a meeting and discover that the restart hasn’t taken place because a dialog box was open, waiting for your approval.
If instead you want to specify a restart time, click Schedule The Restart. You’ll see a dialog box like the one shown in Figure 5-3. Slide the switch to the On position and then pick the exact time when you want your PC to restart and begin the installation.

Figure 5-3 If you’d prefer not to have your work interrupted with a restart, even outside your Active Hours settings, enable this option and set a restart time up to one week in the future.
You cannot, of course, postpone this installation indefinitely. Your options on the Pick A Day list include Today, Tomorrow, or any date up to one week from the current day.

Choosing how updates are installed

All editions of Windows 10 include four settings that give you further control over how Windows Update works. Click Advanced Options to see these settings, as shown in Figure 5-4.

Figure 5-4 The options shown here are available in all Windows 10 editions; on devices running Pro or Enterprise editions, several additional settings are available.
If you select Receive Updates For Other Microsoft Products When You Update Windows, Windows Update expands its scope to include other Microsoft products, such as perpetual-license versions of Microsoft Office. (Microsoft 365 installations use a separate update mechanism.)
The second option, Download Updates Over Metered Connections, applies only if you have configured a metered data network connection, such as an embedded LTE modem or a wireless phone configured as a Wi-Fi hotspot. In those circumstances, Windows normally refrains from downloading updates, out of respect for what is often a pay-as-you-go data plan. Turn this switch to On if you’re comfortable that updates won’t overrun your data budget.
The final two options help control when your PC restarts to install an update. Restart This Device As Soon As Possible When A Restart Is Required To Install An Update bypasses some of the precautions against unexpected restarts when updates are ready to install. Choose Show A Notification When Your PC Requires A Restart To Finish Updating if you want one extra confirmation so that you avoid losing any work when a restart is required.
When installing an update entails a restart of your system, Windows normally requires you to sign in before the installation finishes. If you’re away from your PC while an upgrade is in progress, you might find the system waiting at the sign-in screen when you return, with additional setup tasks (and additional wait time) after you sign in. You can streamline the process by clicking Sign-in Options, scrolling to the Privacy heading, and turning on Use My Sign-In Info To Automatically Finish Setting Up My Device After An Update Or Restart.

Fine-tuning network bandwidth usage

By definition, Windows Update uses your network connection to download updates for Windows and for Store apps. You can monitor and control network usage by adjusting Delivery Optimization settings. In version 1803 and earlier, you’ll find a link to these settings near the bottom of the Advanced Options page. Beginning with version 1809, Delivery Optimization gets its own category on the Update & Security page.
These options, which have expanded significantly since the initial release of Windows 10, apply to all Windows 10 editions and allow fine-grained control over the source of updates and the amount of network bandwidth that the update service is allowed to use. You can also check your network bandwidth usage if you’re concerned that those updates are slowing down other activities.
The Delivery Optimization page, shown in Figure 5-5, allows you to share updates with other PCs. This peer-topeer feature, new in Windows 10, is particularly useful if multiple computers in your home or workgroup are likely to be downloading updates over shared bandwidth. By setting Allow Downloads From Other PCs on and choosing PCs On My Local Network, you can share updates with devices on your local network rather than requiring a connection to Microsoft’s update servers. The net effect is to reduce usage on your internet connection, which is particularly important if your service provider imposes monthly download quotas or surcharges.

Figure 5-5 Enabling this peer-to-peer option can speed up installation of large updates on a small network, reducing the demands on your internet connection.
The second option expands the range of peer updates to include PCs outside your local network. For a discussion of privacy issues and more information about the delivery optimization process, see https://bit.ly/wu-delivery-optimization.
True to its name, the Background Intelligent Transfer Service (BITS) dynamically optimizes bandwidth usage for updates that occur in the background, with the goal of doing so in a way that minimizes the impact of these transfers on other activities. If you prefer more finegrained control of bandwidth usage, click Advanced Options, near the bottom of the Delivery Optimization page. That opens the Settings page shown in Figure 5-6, which offers control over upload and download speeds as well as allowing you to define upload limits. Note that these settings were revised in Windows 10 version 2004 to provide more fine-grained control over downloads, including options to throttle the percentage of measured bandwidth used for updates.

Figure 5-6 Use these options to prevent updates from interfering with other network activity.
To adjust one of the bandwidth limits, first click its associated check box. Then select an absolute bandwidth limit or, for percentage-based limits, move the slider control left or right. The three percentage-based bandwidth options (two for downloads, one for uploads) can be set to a minimum of 5% and a maximum of 100%.
If you prefer to download updates manually and install them as soon as they’re available, you might set the Limit How Much Bandwidth Is Used For Downloading Updates In The Foreground option to its maximum.
Conversely, if you have multiple PCs on a small network with a relatively slow shared internet connection, consider setting all PCs to relatively low percentages for uploads and downloads.
The Monthly Upload Limit setting goes from a minimum of 5 GB to a maximum of 500 GB.
If you’re curious about the amount of bandwidth that all updates in total have used in the current month, click Activity Monitor (below Advanced Options on the Delivery Optimization page) to display a pair of charts like the ones shown here. The average download speeds are useful for determining whether you need to throttle speeds to avoid affecting other network traffic.

Network administrators can apply even more granular Delivery Optimization settings using Group Policy. These policies, which are available under Administrative Templates > Windows Components > Delivery Optimization, allow you to throttle bandwidth at selected times of day (for both foreground and background traffic), restrict peer selection to the same subnet, automatically join devices into peer groups by using a DHCP server’s User option (or the connection’s DNS suffix), and prioritize update sharing between peers by delaying the use of the HTTP source.

DEFERRING AND DELAYING UPDATES

The level of control that administrators have over how and when updates are installed on a device depends on which edition of Windows is installed on that device. Note that the following rules apply to public releases of Windows 10 and are not applicable to Insider Preview builds:

On devices running Windows 10 Home, all updates are delivered automatically on a schedule defined by Microsoft’s update servers. No options to defer updates are available on this edition, although you can pause updates for up to 35 days, as discussed earlier in this chapter. You don’t need to take any additional action aside from observing the occasional reminders to restart your computer and, if you choose, to schedule a restart.
On devices running Windows 10 Pro, Enterprise, and Education, the default settings are the same as those in Windows 10 Home. As an administrator, however, you can take advantage of additional options collectively known as Windows Update for Business. These controls, available as part of Group Policy, allow you to delay installation of quality updates by up to 30 days after they are initially available from Microsoft and to defer installation of feature updates by up to 365 additional days.
Organizations with a Volume License agreement for Windows have one additional option: They can choose to purchase and install Windows 10 Enterprise LTSC/LTSB, which is a part of the Long Term Servicing Channel (formerly the Long Term Servicing Branch). This edition offers 10 years of support and receives no feature updates. For more details about this edition, see “Windows 10 editions at a glance” in Appendix A.

In versions of Windows 10 before version 2004, these Windows Update for Business settings are available on the Settings > Update & Security > Windows Update > Advanced Options page, under the Choose When Updates Are Installed heading, as shown in Figure 5-7. By adjusting settings here, administrators of devices running Windows 10 Pro, Education, and Enterprise editions can defer installation of quality updates and delay offers to install feature updates. Effective with version 2004, these options have been removed from Settings and are available only via Group Policy settings, as we explain later in this section.

Figure 5-7 The Choose When Updates Are Installed settings, which allow administrators to defer quality and feature updates, have been removed as of Windows 10 version 2004.
The first option under the Choose When Updates Are Installed heading allows you to defer feature updates by an additional period of up to 365 days from the time they are made publicly available. In Figure 5-7, we’ve set a deferral of 60 days. This has the practical effect of delaying a feature update until the first two monthly cumulative updates are available. Note, however, that selecting a lengthy update period here might not have the intended effect. If the deferral period extends past the end-of-support date for the currently installed version, Windows Update will ignore the deferral period and offer the feature update with a notice that it must be installed to continue receiving quality updates.
The second option allows deferral of quality updates—the cumulative updates that include security and reliability enhancements—by up to 30 days. Selecting a deferral of 7 days, as we’ve done in Figure 5-7 above, effectively gives you a week to monitor feedback from Microsoft support channels after the regular release of updates on the second Tuesday of each month. If you discover a problem that might affect your PC, you can use the Pause Updates option to delay installation further while you either find a workaround or wait for Microsoft to resolve the issue. Both deferral settings are persistent.
If you need to pause updates for only a period of time— for example, if you plan to be traveling and don’t want to be bothered with the update process—use the Pause Updates control here. Windows Update will refrain from updating your system for up to 35 days or until you click Resume Updates.
As we noted earlier, as of Windows 10 version 2004, you must apply Windows Update for Business settings using Group Policy, either as part of a Windows domain using Active Directory or using the Local Group Policy Editor, Gpedit.msc. These policy settings are available in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update For Business. Figure 5-8 shows an example of these policies.

Figure 5-8 Using Group Policy, you can adjust Windows Update for Business settings to defer feature updates. The options shown here defer a feature update until 60 days after Microsoft releases it to the public.
The four policies available for configuration are as follows:

Select When Preview Builds And Feature Updates Are Received Configure this policy to defer feature updates. After you enable this policy, you can select the “Windows readiness level” that corresponds to the servicing channel. For public releases, the Semi-Annual Channel option is the correct choice; this policy also allows you to choose one of three Insider Preview channels. You can then specify an amount of time to defer the update after release. This value is entered in days, with possible values ranging from 0 to 365.
Select When Quality Updates Are Received With this policy, you can defer the regular cumulative updates (which include security, reliability, and driver updates) for up to 30 days. Deferring quality updates requires a balancing act: Configuring this policy gives you an opportunity to test the latest update on a subset of PCs in your organization before deploying the update widely; that delay can also put your other machines at risk because they haven’t received potentially important security fixes.
Manage Preview Builds This policy, introduced in Windows 10 version 1709, includes the options to enable or disable preview builds, as you might expect. A third option, Disable Preview Builds Once Next Release Is Public, prevents preview builds from installing after a preview cycle ends and the corresponding feature update is released to the public.
Select The Target Feature Update Version Use this policy to define a specific feature update that you want Windows Update to offer to a device or a group of devices; use the version information as it appears on the Windows 10 Release Information page at https://aka.ms/ReleaseInformationPage. Note that Windows Update will override this policy if the specified version has reached its end-of-service date.

TROUBLESHOOTING UPDATE PROBLEMS

In our experience, Windows Update is generally reliable, but problems can and do occur. These problems fall into a handful of categories: updates that cause stability problems; updates that fail to install properly; and general problems with Windows Update.
For updates that cause problems, the first step is to remove the offending update. (For particularly nettlesome problems, this might require booting into Safe Mode.) Go to Settings > Update & Security > Windows Update. Click View Update History to display the list of installed updates (as described earlier in this chapter) and then click the unobtrusive Uninstall Updates link at the top of that page.
Doing so takes you back to the old-style Control Panel, where you’ll find an inventory of everything that Windows Update has installed for Windows itself and for other Microsoft products, as well as a smattering of updates for third-party products that register those updates with Windows. From this page, as shown in Figure 5-9, you can confirm that a particular update has been installed by referring to its KB number in the list of installed items. Some items may include a support link at the bottom of the page—this leads you to details about the selected update. The Uninstall option appears above the list when you select an update. Click that option to remove the update, but do so only as a last resort, and only when your troubleshooting leads you to suspect that a recently installed update is causing serious performance or reliability issues.

Figure 5-9 If an update is causing problems, you can select it from this list and use the Uninstall option to remove it for troubleshooting purposes.
That action (after a restart) removes the immediate problem. But because of the way Windows Update works, the unwanted item will reappear the next time Windows checks for updates. You can interrupt this cycle by pausing updates (as described in the previous section, “Deferring and delaying updates”) or by “hiding” the offending update.
To accomplish the latter task, you need to run the Show Or Hide Updates troubleshooter package, which you can download from https://support.microsoft.com/help/3073930. The troubleshooter presents a list of updates that can be hidden. Select the item that you don’t want to reinstall. The ruse is temporary, but it should give you respite until a revised update becomes available.