Windows 10 Updates – Safer, Simpler, and User Friendly
“With Windows 10, Microsoft moved to a new update model in 2015 and this has proven to be far superior”
I still remember the days of building a brand new Windows XP machine, connecting it to the internet and the machine being instantly infected with the Sasser worm before even getting a chance of downloading an update that fixed the vulnerability exploited by the worm.
You had to remove the worm, update the machine and, all while fighting the machine constantly trying to restart itself.
Windows 7 was not much better, installing Windows 7 using the latest build released by Microsoft required 100s of updates to be installed for the machine to be protected from known vulnerabilities and exploits.
I recently installed Windows 7 (SP1) on a VM to test some legacy PowerShell functionality and I had 171 important updates to install totalling 1.5GB. Ugh!
Microsoft would release a build of Windows that would require updates to be installed over time. As vulnerabilities were found in the product, updates would be released to address these vulnerabilities. However, after installing a fresh version of Windows you would have years of updates to install for your machine to be secure from the malware sprawling the internet.
Microsoft tried addressing this by releasing service packs. However, that meant you needed to install the service pack, then years’ worth of updates for your machine to be current.
Timeline of Microsoft Windows Release Dates
Here is a timeline of major windows operating system releases going back to Windows 1.0.
Windows 10 Update Model
With Windows 10, Microsoft moved to a new update model in 2015 and this has proven to be far superior.
Microsoft now releases Windows 10 “feature” updates on a bi-annual basis (March and September updates) that contain all the security fixes from the previous updates.
Figure 1 – Windows 10 update schedule and methodology
Each new feature update has a lifecycle of 18 months (September update for Enterprise and Education editions being an exception which is serviced for 30 months), meaning that you must update to a new feature update at least once every 1.5 years else your version of Windows 10 will fall out of Microsoft support.
Due to this new update methodology, when you install a new version of Windows 10 from a current ISO downloaded directly from Microsoft, you are a maximum 6 months out of updates, which may be just a handful of updates to download and install.
What is the difference between feature and quality updates?
Feature updates are effectively new versions of Windows. Each feature update increments the major version of the OS build while the quality updates increment the minor version of the OS build.
Figure 2 – Windows 10 feature updates
Feature updates not only contain all the previously released security and quality fixes but also contain major changes to the Windows OS.
For example, with Windows 10 version 2004 there have been major improvements with Windows Update for Business, Cortana, Windows Sandbox and more.
Quality updates are monthly patches that get released on 2nd Tuesday of every month (also known as patch Tuesday) these updates contain security fixes, and other bug fixes that get released to Windows devices on monthly cadence.
Both quality and feature updates are cumulative meaning that installing the latest Feature update will rollup all previous feature and monthly updates (up to the release of the feature) and quality update will roll up all the previous quality updates.
Windows 10 Update Types
To decrease the amount of data that is needed to download by each machine to accommodate cumulative updates Microsoft have designed 3 update types.
Full updates have all the necessary components and files that have changed since the last feature update. We refer to this as the latest cumulative update, or LCU. It can quickly grow to a little over 1 GB in size, but typically stays that size for the lifetime of that supported version of Windows 10.
Express updates generate differential downloads for every component in the full update based on several historical bases. For example, the latest May LCU contains tcpip.sys. We will generate a differential for all tcpip.sys file changes from April to May, March to May, and from the original feature release to May. A device leveraging express updates will use network protocol to determine optimal differentials, then download only what is needed, which is typically around 150-200 MB in size each month. Ultimately, the more up to date a device is, the smaller the size of the differential download. Devices connected directly to Windows Server Update Services (WSUS), System Center Configuration Manager, or a third-party update manager that supports express updates will receive these smaller payloads.
Deltaupdates include only the components that changed in the most recent quality update. Delta updates will only install if a device already has the previous month’s update installed. For example, assume in May that we changed tcpip.sys and ntfs.sys, but did not change notepad.exe. A device that downloads the delta update will get the latest version of tcpip.sys and ntfs.sys, but not notepad.exe. Delta updates include the full component (not just the individual files) that changed. As a result, they are larger than express updates, often around 300-500 MB in size.
Using Telemetry to Identify and Fix Issues
Another related capability with Windows 10 is telemetry. Microsoft collects diagnostics data from Windows 10 machines around the world to identify issues with Windows 10 and address them with future builds. This data is also used to make decisions around which machines should be delayed from receiving new feature updates (due to driver or hardware compatibility issues).
For example, Microsoft have delayed 2004 version of Windows 10 from specific surface devices for 2 months to address known issues with Windows 2004 on surface devices.
This telemetry can be leveraged by customers that have SCCM in place via the use of Desktop Analytics.
Safer, Simpler, and User Friendly
This new update approach means that your system is not vulnerable to 5-year-old malware that is abusing a 0-day vulnerability and still spreading itself over the internet.
The new update mechanism makes it a simpler user experience to get a deployed machine up to date with the latest updates.
With Windows 10, this is what allows you to move away from the lengthy process of building system images and injecting them with updates, to a configurational model where a system can be deployed directly to the user with a current build of Windows 10 from the OEM and updates can be downloaded directly from Microsoft.
Unfortunately, as Microsoft has adopted this new update methodology we’re still at a mercy of OEMs. OEMs may build machines with an older feature update version of Windows 10 or the machine may simply sit in a warehouse for an extended period of time meaning that it will be severely out of date by the time it gets into the users hands.
So, while Microsoft is on the right path there is still a way to go due to delays with processes with various OEMs
Bringing updates under control
This brings me to the final point, for decades organizations have managed Windows update internally by leveraging WSUS, SCCM and other 3rd party update services. However, with all the improvements around the Microsoft update process and Windows 10 it is now possible to “outsource” the update mechanism to Microsoft.
Rather than downloading updates to a local repository in organizational network we can have machines call out directly to Microsoft and download updates from Microsoft.
We can deploy controls to the machine to identify how and when it should deploy updates and stage update rollout across the organization to ensure that if there are bad updates or update incompatibility with internal applications that this can be identified early and resolved.
In my next blog I’ll be outlining how to leverage Intune and Windows update rings to control Windows Update for Business in your business.
Interested in switching from SCCM to Intune?
Are you considering making the switch from traditional Windows management using imaging, to modern remote management using Microsoft Intune? Contact us to speak with Daniil or another Microsoft certified engineer. We offer a free one-hour consultation where you can learn more about how Intune works and how it can benefit your IT team and business.
Daniil has been working in information technology for over 10 years across a number of different industries. He is very passionate about new technology, solving technological puzzles and architecting solutions.