In this post, we will walk you through ways to optimize the delivery and deployment of Windows monthly quality updates (aka patches) to remote devices in your organization. We will offer specific recommendations on minimizing update size and bandwidth utilization, increasing update speed and consistency, and reducing the impact and dependency on end users.
Microsoft has published guidance around the solutions and opportunities IT professionals can leverage to keep remote workers safe, secure, and productive, the majority of which can be found on Microsoft's COVID-19 response page. For example, in Rob York’s recent blogs on Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager and Managing Patch Tuesday with Configuration Manager in a remote work world, he shared prescriptive guidance on virtual private network (VPN) configurations to help manage Windows updates for remote work environments. He also discussed remote device management scenarios using a Cloud Management Gateway (CMG) and Cloud Distribution Point (CDP) in Microsoft Endpoint Configuration Manager for organizations with or without a split-tunnel VPN.
Update management is a journey
Optimally, all your devices would be running the latest, or near latest, version of Windows 10—and receiving monthly quality updates from Windows Update, either directly from the internet or through the internet side of a split-tunnel VPN.
If you use Windows Update for Business today and run Windows 10, version 1903 and above, you are already getting the most optimized servicing for Windows quality updates and no further action is required.
We know, however, that many of you are running a mix of Windows 10 versions and looking for guidance on how better to manage updates across your overall device ecosystem. We also know that many of you are not using split-tunnel VPN yet. We understand that making major changes to your deployment processes during the current situation may be considered a risk. With that in mind, we want to help you to better support your remote workers and their devices.
Windows 10 has evolved considerably over the past five years, and we continue to actively invest in making the Windows 10 update process easier with each release. Based on feedback from our customers, we have improved the update process and reduced the size of the update package. The rest of this post will walk you through those improvements and how you can take advantage of them.
Minimizing update size and bandwidth consumption
When managing and distributing updates via on-premises tools like Windows Server Update Service (WSUS) and/or Configuration Manager over your organization’s network or VPN, bandwidth consumption becomes an increasing concern.
The key to reducing bandwidth consumption is minimizing the size of the monthly update download for each device by including only the changes needed to make the device current, patched, and protected as opposed to downloading the full cumulative update. Microsoft offers this through Express updates, which download only the changes needed for a given device, reducing the download size by up to 80-85%. This section will walk you through steps to reduce bandwidth consumption.
Note: If a device is configured to receive monthly updates directly from the Windows Update service, such as through Windows Update for Business, files automatically leverage Express updates by default. |
Update optimizations in Windows
If you are not yet leveraging a cloud-based update strategy and are, instead, deploying updates to devices using on-premises WSUS and BranchCache with Configuration Manager, here is some guidance.
For organizations with devices running versions of Windows 10 earlier than version 1809, enabling express installation of updates will save substantial download bandwidth for each client device, but comes with an increased requirement for storage space on your distribution points and servers. With the servicing improvements included in Windows 10, version 1809 and later, not only do you benefit from a reduced client download size, but also from a substantial reduction in storage space usage on your distribution servers.
Figure 1. Comparison chart showing the size of updates comparing the full update size to the Express update size
For devices running Windows 10, version 1809 or later
Starting with Windows 10, version 1809, we made improvements to the update stack technology so that all devices, regardless of the management tool being used, receive a minimized client download experience, along with reduced file size distribution for WSUS and BranchCache. These improvements can be leveraged by all Microsoft and third-party deployment and management tools, including “home grown” applications and processes. You simply need to be running Windows 10, version 1809 or later, or in the case of Windows Server, Windows Server 2019 or later.
For more information on these improvements, see Windows Updates using forward and reverse differentials.
For devices running Windows 10, version 1803 or earlier
Express installation files are available for devices running Windows 10, version 1803 or earlier. Configuring express installation files is easy. If you are using Configuration Manager to update your devices on premises, then you need to enable “Express updates” in Configuration Manager. For more details and requirements, see Manage express installation files for Windows 10 updates.
While the initial download to Configuration Manager is larger (as shown above), and will require more disk storage on your distribution points, the package file size for each individual endpoint will be much smaller.
Increase monthly update velocity; minimize end user interruptions
Download optimization is only one aspect of update management. We hear from many of you that your increasing being tasked with accelerating the rollout and deployment of the monthly patches to adhere to your company’s security policies. .
As an IT professional, you need to strike a balance between timely software updates and keeping workers productive. This is, perhaps, even more true today as we learn to support and manage an increasing number of remote workers. Microsoft makes these same choices when determining when and how to roll out Windows updates, and have created management options for you to both deliver a better user experience and faster rollout.
The device update process has four phases:
- Scan. A device checks Windows Update or your WSUS endpoint at random intervals to see if any updates have been added since the last check, and then evaluates whether the update is appropriate by checking the configurations (e.g. Group Policy) that have been set by the administrator. This process is invisible to the user.
- Download. Once the device determines that an update is available, it downloads the update. This process also is invisible to the user.
- Install. Following the download of the update, depending on the device’s Windows Update settings, the update is installed on the system.
- Commit and restart. Once installed, the device usually (but not always) requires a restart to complete the installation of the update and implement any fixes or improvements included therein.
At each stage of this process, there are opportunities for you to increase velocity via policy and settings. If you have an increased number of users working remotely, note that there are likely new variables and new opportunities to adjust and fine-tune as device and device usage behaviors have likely seen some change from on prem scenarios. For additional details for configuring these options, as well as our recommendations on how best to increase update velocity, see Optimizing Windows 10 update adoption.
Managing updates in the cloud versus on premises
The tactics outlined above help you realize immediate improvements in the areas of package download size and bandwidth impact while keeping your devices up to date. As you look ahead, we recommend that you move toward a cloud-managed update approach, utilizing co-management as a first step; for example, using Intune to manage updates from the cloud in tandem with Microsoft Connected Cache or Delivery Optimization for caching.
For greater efficiency and control, you can integrate Windows Update for Business with Microsoft Intune or Configuration Manager. With Windows Update for Business, you can configure devices managed by Configuration Manager or Intune to receive and download updates directly from Microsoft. This helps you move traffic off the network and through the internet, increasing update speed and reducing bandwidth consumption. In fact, devices configured to receive updates automatically through Windows Update or Windows Update for Business get current at twice the velocity of those receiving updates through on-premises processes.
Windows Update for Business also increases confidence that your devices will receive other updates or drivers they might be missing. Additionally, using split-tunnel VPN internet access to update remote devices can ensure a better end user experience while keeping corporate resources protected. Split-tunnel VPN is an option for both hybrid and cloud-based environments.
For detailed guidance on using Group Policy or mobile device management (MDM) to configure Windows Update for Business settings, see Configure Windows Update for Business.
Keeping Office 365 ProPlus up to date is equally important, as these updates keep remote workers productive and benefiting from the latest features and capabilities. This is yet another reason to embrace cloud-based management practices and deploy updates directly from the cloud. Utilizing the Office Deployment Tool and the Office CDNs, as opposed to pulling bits over your organization's WAN and VPN connection, you can minimize bandwidth impact.
Final thoughts
Securing the devices and underlying operating systems across your organization is foundational to your remote workers being able to operate effectively and support continuity to your business operations. Deploying Windows 10 monthly quality updates, as well as any out-of-band updates that may be released to address emerging threats, is an important part of keeping your devices secure and keeping your infrastructure compliant. As outlined above, moving toward a cloud-based update management strategy will enable you to reduce the bandwidth impact of those updates, regardless of home connectivity and WAN configurations, while keeping devices up to date.