How to prepare for the Microsoft Windows 10 1903 security feature update

Microsoft is changing the way it does Windows 10 feature updates, and that will affect how you schedule update deferrals. Here's what you need to know.


In May, Microsoft is expected to release the next Windows 10 feature update, known as 1903. I’m getting ready for it by making sure I have the downloads and deferrals in place so I can install it when I want to install it. Changes that Microsoft is making regarding feature release dates might mean rethinking how you manage update deferrals.

While I’m a fan of Microsoft’s Windows 10 “Windows as a service” process that eliminates waiting for massive service packs, I don’t want to leave it to Microsoft to deem my systems ready for the update release. Microsoft should be commended for making necessary adjustments to deferrals and support windows, but it is confusing to keep track of feature update releases, their issues and what third-party programs they don’t support.

Recently, Microsoft has been providing more information about blocking issues that impact the rollout of feature releases. With Windows 10 1809, you can track the blocking issues at KB4464619. You’ll want to review the additional information you can obtain at all the Windows 10 update history pages as noted in this blog.

If you’ve been waiting until Microsoft declares a feature release “ready for business,” be aware that with the upcoming 1903 release Microsoft will no longer use the Semi-Annual Channel Targeted (SAC-T) or Semi-Annual Channel (SAC) designations. SAC-T indicated an early-stage feature release. When Microsoft deemed that vendor support was broad enough, they declared the release SAC.

If you had set your deferral settings to install feature releases after they were declared SAC, then Microsoft Update offered them to your machines if Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM) or a third-party patching tool did not manage your updates. As recently announced, Microsoft will no longer use the SAC-T and SAC designations. Instead, there will be one release date starting with 1903, and you can set deferrals from that date forward if you use Windows Update for Business settings to defer feature releases.

Figure: Revised Windows 10 deferral GUI after the 1903 update (credit: Susan Bradley)

I use the deferral settings to push off the update and then install the feature release using a silent scripting process. I find this more efficient as I set the exact date that the feature release will be installed. By that time, I’ve done my testing and ensured my vendor support is valid. It also gives me the ability to set a specific maintenance window for the installation and I can communicate to users that the upgrade will take place.

Here’s what I’m doing in anticipation of the imminent release of 1903 for Windows 10 coming up in May.

  1. Review feature release deferral settings. I never install feature releases on production machines when they initially come out. I first ensure that I have a deferral setting in place, using WSUS, SCCM or a third-party patching tool, that allows me to push off updates to a time when they are efficient for my firm.

  2. Ensure that I have an ISO download of the current feature release and the one previous parked on a network location or on a flash drive. Before 1903 comes out, I’ve made sure I have downloaded the 1809 ISO from the Microsoft media site. This is key if you are a firm without a volume license agreement. Those with VL agreements can download any version of Windows 10. Those without VLs must make sure they have an ISO from the media download site.

  3. Use scripting to silently install the Windows 10 update on machines that are networked. I download the media from the media site, extract the ISO and then use various scripts. For example, you can call Setup.exe with the silent switches (/auto upgrade /quiet): H:\setup.exe /auto upgrade /quiet. This ensures that the install won’t wait for a user to log in to complete the install. You can even use scripts with product keys to do in-place upgrades from the command line.
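The three steps above can be combined into one script, shown here as an added example that is not the author's own script. It sets the Windows Update for Business feature-update deferral policy values in the registry, checks that setup.exe on the extracted media carries a valid Microsoft signature, and only then runs the silent upgrade. The deferral period and maintenance-window dates are assumptions; H:\ is the media path used in the article.

```powershell
#Requires -RunAsAdministrator
# Added example. DeferDays and the maintenance window are assumed values;
# adjust them to your own testing schedule.
param(
    [string]$MediaRoot = 'H:\',                      # extracted ISO, as in the article
    [ValidateRange(0, 365)][int]$DeferDays = 120,    # assumption: days to defer feature updates
    [datetime]$WindowStart = '2019-09-14 22:00',     # assumption: maintenance window start
    [datetime]$WindowEnd   = '2019-09-15 04:00'      # assumption: maintenance window end
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Step 1: defer feature updates so Windows Update does not offer the
# release before testing is finished (same values Group Policy writes).
if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }
Set-ItemProperty -Path $wuPolicy -Name DeferFeatureUpdates -Value 1 -Type DWord
Set-ItemProperty -Path $wuPolicy -Name DeferFeatureUpdatesPeriodInDays -Value $DeferDays -Type DWord

# Only upgrade inside the announced maintenance window.
$now = Get-Date
if ($now -lt $WindowStart -or $now -gt $WindowEnd) {
    Write-Output "Deferral set to $DeferDays days; outside maintenance window, not upgrading."
    return
}

# Step 2: media parked on a share or flash drive can be replaced or altered,
# so verify the Authenticode signature before running it elevated.
$setup = Join-Path $MediaRoot 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found under $MediaRoot" }
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run ${setup}: signature status is $($sig.Status)"
}

# Step 3: silent in-place upgrade with the switches from the article.
$proc = Start-Process -FilePath $setup -ArgumentList '/auto', 'upgrade', '/quiet' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw ('setup.exe exited with code 0x{0:X8}' -f $proc.ExitCode)
}
Write-Output 'Upgrade staged; the machine will restart to complete installation.'
```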

You may wish to check out new ways to deploy and restore including Windows Autopilot, which is Microsoft’s preferred method to deploy systems. For more information and community guidance, Microsoft has a Reddit subthread on the topic.

Bottom line: Take action now before 1903 is released to set the deferral setting in Group Policy or via registry settings.

Copyright © 2019 IDG Communications, Inc.
