Patch Management Support for Microsoft Windows 10 Cumulative Updates
Last Updated April 03, 2018
Microsoft Windows 10 systems are designed to install cumulative updates automatically, unless the device does not have Internet access or has the Windows Update service set to ‘Manual’ mode.
Advisory: Patch Management Solution may require the Windows Update service to be set to at least 'Manual' mode in order to install Software Updates, as outlined in TECH41678 (process under review; test the process before production deployment).
Searching for Windows Cumulative Updates in Patch Remediation Center
Windows 10 updates are categorized as "Cumulative Security Windows Update" and follow the naming convention MS##-W10-##.
Example: The April 2017 release displays as MS17-W10-04.
Note: Updates prior to 4/12/2017 are listed as CSWU-###.
KB Article ID: INFO3144 – “Windows 10 - Cumulative Security Update Names in Patch Remediation Center” is also available for searching by Microsoft KB or Bulletin name.
Compliance Reports for Windows 10 Cumulative updates
Compliance by Bulletin Report will display the total count of applicable/vulnerable/installed Software Updates.
Compliance by Update Report will display the individual Software Update KB compliance.
Can individual updates within a cumulative update be applied without applying the whole?
Individual updates within a cumulative update cannot be excluded; this is a result of the way that Microsoft packages the Windows 10 updates. This issue has been well documented in the industry press. However, the individual Software Update Package may be distributed via Software Management to the vulnerable clients if a specific Software Update deployment is required for the environment.
Setting the “Defer” option can be done using a group policy.
Examples of setting the ‘Defer’ option can be found on the web by searching for “Windows group policy to defer Windows 10 updates”.
Possible script to programmatically configure Windows Update to defer (not tested)
To determine whether a device is on CBB or CB, read the ./Vendor/MSFT/Update/DeferUpgrade CSP: 1 = CBB, 0 = CB.
Note: Microsoft Feature Updates for Windows 10 are now supported and documented separately in INFO3298 and DOC9422.
Advisory: Whether Windows 10 updates can be installed depends on these configuration options within Windows Update. If the Windows 10 version can be set to ‘defer’ the update, Patch Management can be used.
The Windows 10 Home Edition can only be serviced by the Current Branch, meaning Windows Update does not offer an option to defer feature updates on Windows 10 Home Edition.
The Windows 10 Pro, Education and Enterprise Editions can be serviced by the Current Branch or the Current Branch for Business, meaning that Windows Update offers the option to defer feature updates on these operating systems but not the option to prevent feature updates from being installed entirely.
Windows 10 Enterprise Long Term Servicing Branch (LTSB) Edition: Similar to Windows 10 Enterprise but does not include Cortana, Windows Store, the Edge browser, Photo Viewer and the UWP version of Calculator (replaced by the classic version), and will not receive any feature updates. This gives companies more control over the update process. Windows 10 Enterprise LTSB also lacks the same components absent in other variants, and it is the most stripped down edition of Windows 10 available.
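The settings this article relies on (Windows Update service mode, edition, and the DeferUpgrade value) can be collected per device in one read-only report. This is an added example, not part of the original article or of Patch Management Solution; the function name Get-Win10ServicingState is hypothetical, and it assumes the deferral was set by Group Policy, which stores DeferUpgrade under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example: read-only report of how a Windows 10 device is serviced.
function Get-Win10ServicingState {
    # Assumption: deferral was configured through Group Policy (registry-backed).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $osKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $edition = (Get-ItemProperty -Path $osKey).EditionID
    $policy  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $wu      = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

    # Edition rules from the article: Home cannot defer feature updates,
    # LTSB receives none, all other editions can be on CB or CBB.
    switch -Wildcard ($edition) {
        'Core*'        { $canDefer = $false; $branch = 'CB';   break }  # Home
        'EnterpriseS*' { $canDefer = $false; $branch = 'LTSB'; break }  # LTSB
        default {
            $canDefer = $true
            # DeferUpgrade: 1 = CBB, 0 = CB. A missing value is treated
            # as CB here (assumption: no deferral policy applied).
            if ($policy -and $policy.DeferUpgrade -eq 1) {
                $branch = 'CBB'
            } else {
                $branch = 'CB'
            }
        }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EditionID       = $edition
        CanDefer        = $canDefer
        Branch          = $branch
        WUStartMode     = $wu.StartMode   # Auto, Manual or Disabled
        # The advisory asks for at least 'Manual'; 'Disabled' fails that.
        WUServiceUsable = [bool]($wu -and $wu.StartMode -ne 'Disabled')
    }
}

Get-Win10ServicingState | Format-List
```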