Introduction
This article discusses the different methods used to patch and update Windows 10 using Patch and Compliance Manager.
Microsoft releases updates in different ways and has recommendations on the cadence that should be used by businesses in different scenarios.
Windows 10 servicing options for updates and upgrades (Windows)
There are several methods that can be used to update Windows 10 through Patch and Compliance Manager. Ivanti typically addresses these updates in the following ways:
Types of available patch definitions
Servicing Updates
These updates focus on security and other important fixes. They are the familiar "Patch Tuesday" updates, released on the 2nd Tuesday of every month, and they typically contain approximately 5-15 important updates. They do not differ from the methodology used with older Microsoft operating systems.
Ivanti typically releases content within 1-2 days after the content is published by Microsoft with very rare exceptions.
This information can be found in the Patch for Endpoint Manager Content Notifications section of the Ivanti Community. Ivanti administrators are encouraged to subscribe to the RSS feed from the Community space.
At the time of this writing, this is the listing of Windows 10 cumulative patches:
- Note that the top two fixes have the same publish date. This is because the updates apply to the two different versions currently released: Windows 10 and Windows 10 Version 1511.
These versions are also known by their build numbers (Windows 10 flat: 10240, Windows 10 1511 update: 10586.164).
It is important to note that these are cumulative fixes. That means that the latest cumulative fix contains files and fixes from all prior cumulative fixes.
As such, the cumulative fixes increase in size each time. The latest one as of this writing was 640 meg, so the Peer Download and Preferred download technologies in Ivanti Management Suite are well suited for this.
For information about the patch itself and the fixes contained in the patch, you should double-click the definition and go to the Description tab.
- Shows the description of the patch. This is mostly a list of the hotfixes that have been rolled up into a cumulative patch.
- Shows additional details.
- CVE ID - This link will take you to the "Common Vulnerabilities and Exposures" web site with more information about these fixes.
As you will notice, there is a drop-down next to the "More information for CVE ID". This is because there are a number of vulnerabilities that are covered by the cumulative patch.
CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
- Also there is the assigned CVSS score for the vulnerabilities addressed in the patch.
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.
- The "More information at" link will take you to the Microsoft Article about this update. In this case: https://support.microsoft.com/en-us/kb/3140745
Major Updates
Major updates are used in the Current Branch for Business methodology. This is for environments where a longer pilot testing period is desired prior to deploying. Windows 10 version 1511 is an example of such an update. These updates are expected approximately every 4 months.
Currently, this update is available in Ivanti Patch and Compliance Manager:
Finding Windows 10 RTM or Windows 10 Version 1511 devices
There are two definitions that can be used to find either Windows 10 Version 1511 installations or Windows 10 RTM (non-updated) installations.
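To spot-check a single device against what those definitions report, the build numbers quoted earlier (10240 for RTM, 10586 for Version 1511, revision 164 for the 1511 cumulative level at the time of writing) can be read from the registry. This is an added example, not Ivanti's detection logic; the function name and output fields are hypothetical.

```powershell
# Added example: classify a Windows 10 install by build number.
# Build numbers 10240 / 10586 and revision 164 are taken from the article;
# Get-Win10ServicingState and its output fields are hypothetical names.
function Get-Win10ServicingState {
    param(
        # Registry key where Windows records its build information.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    )

    $cv    = Get-ItemProperty -Path $Path
    $build = [int]$cv.CurrentBuild          # stored as a string, e.g. "10586"

    # UBR (Update Build Revision) is the part after the dot, e.g. 164.
    # It may be absent on a system that has never taken a cumulative update.
    $revision = $null
    if ($null -ne $cv.UBR) { $revision = [int]$cv.UBR }

    switch ($build) {
        10240   { $release = 'Windows 10 RTM' }
        10586   { $release = 'Windows 10 Version 1511' }
        default { $release = 'Other (not covered by this article)' }
    }

    # Cumulative fixes supersede earlier ones, so a 1511 device at revision
    # 164 or higher already contains every fix up to the level cited above.
    $atCitedLevel = $null
    if ($build -eq 10586 -and $null -ne $revision) {
        $atCitedLevel = ($revision -ge 164)
    }

    $fullBuild = "$build"
    if ($null -ne $revision) { $fullBuild = "$build.$revision" }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Release            = $release
        FullBuild          = $fullBuild
        AtOrAbove10586_164 = $atCitedLevel   # $null when not a 1511 device
    }
}

Get-Win10ServicingState
```

A 1511 device that reports `AtOrAbove10586_164` as `False` is missing at least the cumulative update discussed in this article and should appear as vulnerable in the next scan.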
Disable or Enable Automatic updates in Windows 10
In addition, there are two definitions for enabling or disabling Automatic Updates in Windows 10.
Future Consideration - Long Term Servicing Branch
This Windows installation should be used for devices that will remain in a more static state for a much longer period of time. Examples would be Point of Sale devices, devices used in Healthcare and other devices.
This branch is essentially only updated when the next long-term version of Windows is released. For example, if the next Windows version that Microsoft released was called "Windows 11", the LTSB branch would be updated at that time, and this would likely be an entire OS update which would require much more testing and a longer phased rollout.
As such, Ivanti has not released an LTSB update as one is not expected until the distant future. More information will be available regarding utilizing Ivanti for updates to the LTSB version of Windows as that release approaches.