sbradley
Contributing Writer

How to prepare for the Microsoft Windows 10 1903 security feature update

How-To
Apr 03, 2019 | 4 mins
Security, Small and Medium Business, Windows

Microsoft is changing the way it does Windows 10 feature updates, and that will affect how you schedule update deferrals. Here's what you need to know.

[Image: Microsoft Windows update arrows / progress bars. Credit: IDG Communications]

In May, Microsoft is expected to release the next Windows 10 feature update, known as 1903. I’m getting ready for it by making sure I have the downloads and deferrals in place so I can install it when I want to install it. Changes that Microsoft is making regarding feature release dates might mean rethinking how you manage update deferrals.

While I’m a fan of Microsoft’s Windows 10 “Windows as a service” process that eliminates waiting for massive service packs, I don’t want to leave it to Microsoft to deem my systems ready for the update release. Microsoft should be commended for making necessary adjustments to deferrals and support windows, but it is confusing to keep track of feature update releases, their issues and what third-party programs they don’t support.

Recently, Microsoft has been providing more information about blocking issues that impact the rollout of feature releases. With Windows 10 1809, you can track the blocking issues at KB4464619. You’ll want to review the additional information you can obtain at all the Windows 10 update history pages as noted in this blog.

If you’ve been waiting until Microsoft declares a feature release “ready for business,” be aware that with the upcoming 1903 release Microsoft will no longer use the Semi-Annual Channel Targeted (SAC-T) or Semi-Annual Channel (SAC) designations. SAC-T indicated an early-stage feature release. When Microsoft deemed that vendor support was broad enough, they declared the release SAC.

If you had set your deferral settings to install feature releases after they were declared SAC, then Microsoft Update offered them to your machines if Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM) or a third-party patching tool did not manage your updates. As recently announced, Microsoft will no longer use the SAC-T and SAC designations. Instead, there will be one release date starting with 1903, and you can set deferrals from that date forward if you use Windows Update for Business settings to defer feature releases.
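The following PowerShell is an added example, not a script from the article or from Microsoft: it audits the feature-update deferral on one machine and works out the earliest date the release could be offered once deferrals count from a single release date. It assumes the Windows Update for Business policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the release date and the wanted deferral are constructed placeholders.

```powershell
# Added example: audit (and optionally set) the feature-update deferral policy.
param(
    [datetime]$ReleaseDate = '2019-05-01',  # constructed placeholder, not the real 1903 date
    [int]$WantedDays = 120,                 # hypothetical deferral this firm wants (0-365)
    [switch]$Apply                          # write the policy values; needs an elevated shell
)
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-FeatureDeferral {
    # Read the Windows Update for Business policy values; missing values read as $null / 0.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = ($p.DeferFeatureUpdates -eq 1)
        Days    = [int]$p.DeferFeatureUpdatesPeriodInDays
        Branch  = $p.BranchReadinessLevel      # 16 = SAC-T, 32 = SAC on pre-1903 builds
    }
}

if ($Apply) {
    if ($WantedDays -lt 0 -or $WantedDays -gt 365) { throw 'Deferral must be 0-365 days.' }
    # Create the key only when absent so existing policy values are left alone.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name DeferFeatureUpdates -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DeferFeatureUpdatesPeriodInDays -Value $WantedDays -PropertyType DWord -Force | Out-Null
}

$d = Get-FeatureDeferral
$days = if ($d.Enabled) { $d.Days } else { 0 }
if (-not $d.Enabled) {
    Write-Warning 'No feature-update deferral policy is set; the release can be offered at once.'
}
elseif ($days -lt $WantedDays) {
    Write-Warning "Deferral is $days days, shorter than the $WantedDays days wanted."
}
if ($d.Branch -eq 32) {
    # This machine was waiting for the SAC declaration, which is retired with 1903.
    Write-Warning 'BranchReadinessLevel is SAC; review the day count before 1903 ships.'
}

# With a single release date, the earliest offer date is release date plus deferral days.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    DeferralDays  = $days
    EarliestOffer = $ReleaseDate.AddDays($days)
}
```

On domain-joined machines a Group Policy refresh rewrites these values, so use -Apply only where the registry is the chosen way to manage the setting.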

[Figure: Revised Windows 10 deferral GUI after the 1903 update. Credit: Susan Bradley]

I use the deferral settings to push off the update and then install the feature release using a silent scripting process. I find this more efficient as I set the exact date that the feature release will be installed. By that time, I’ve done my testing and ensured my vendor support is valid. It also gives me the ability to set a specific maintenance window for the installation and I can communicate to users that the upgrade will take place.

Here’s what I’m doing in anticipation of the imminent release of 1903 for Windows 10 coming up in May.

  1. Review feature release deferral settings. I never install feature releases when they initially come out on production machines. I first ensure that I have a deferral setting in place using WSUS, SCCM or a third-party patching tool that allows me to push off updates to a time when they are efficient for my firm.
  2. Ensure that I have an ISO download of the current feature release and the one previous parked on a network location or on a flash drive. Before 1903 comes out, I’ve made sure I have downloaded the 1809 ISO from the Microsoft media site. This is key if you are a firm without a volume license agreement. Those with VL agreements can download any version of Windows 10. Those without VLs must make sure they have an ISO from the media download site.
  3. Use scripting to silently install the Windows 10 update on machines that are networked. I download the media from the media site, extract the ISO and then use various scripts. For example, you can call Setup.exe with the silent switches (/auto upgrade /quiet). You can use H:\setup.exe /auto upgrade /quiet. This ensures that the install won’t wait for a user to log in to complete the install. You can even use scripts with product keys to do in-place upgrades from the command line.
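Steps 2 and 3 can be combined into one script that checks the parked ISO before running it. This is an added example, not one of the author's scripts: the share path, ISO file name, log folder and expected hash are hypothetical placeholders, and /copylogs is a Windows Setup option added here on top of the two switches the article names.

```powershell
# Added example: verify the staged ISO, mount it and run the silent in-place upgrade.
param(
    [string]$IsoPath = '\\fileserver\deploy\Win10_1809.iso',    # hypothetical share and file name
    [string]$ExpectedSha256 = '<SHA256-RECORDED-AT-DOWNLOAD>',  # placeholder: hash noted when the ISO was downloaded
    [string]$LogDir = 'C:\Windows\Temp\FeatureUpgrade'          # hypothetical log folder
)
$ErrorActionPreference = 'Stop'

# 1. Refuse media that changed since it was parked on the share or flash drive.
$actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) { throw "ISO hash mismatch: got $actual" }

# 2. Mount the ISO and find the drive letter Windows assigned to it.
$image = Mount-DiskImage -ImagePath $IsoPath -PassThru
try {
    $drive = ($image | Get-Volume).DriveLetter
    $setup = "${drive}:\setup.exe"

    # 3. Check that setup.exe carries a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $setup
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "setup.exe signature check failed: $($sig.Status)"
    }

    # 4. Run the unattended upgrade with the article's switches and keep the setup logs.
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $setupArgs = '/auto upgrade /quiet /copylogs "{0}"' -f $LogDir
    $proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru

    if ($proc.ExitCode -ne 0) {
        Write-Warning ("setup.exe exited with 0x{0:X}; see logs in {1}" -f $proc.ExitCode, $LogDir)
    }
}
finally {
    # Always release the mounted image, including after a failed check.
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Run it from an elevated session inside the maintenance window, since a successful upgrade restarts the machine.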

You may wish to check out new ways to deploy and restore including Windows Autopilot, which is Microsoft’s preferred method to deploy systems. For more information and community guidance, Microsoft has a Reddit subthread on the topic.

Bottom line: Take action now before 1903 is released to set the deferral setting in Group Policy or via registry settings.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
