Patch Management Support for Microsoft Windows 10 Cumulative Updates


Article ID: 150240


Updated On:

Products

Patch Management Solution IT Management Suite

Issue/Introduction

This article describes Patch Management support for Microsoft Windows 10 Cumulative Updates.

Environment

PM 8.x

Resolution

Microsoft Windows 10 operating systems are designed to install cumulative updates automatically, unless the device does not have Internet access or has the Windows Update service set to ‘Manual’ mode.  

Advisory: Patch Management Solution may require the Windows Update service to be set to at least 'Manual' mode to be able to install Software Updates, as outlined in the KB article Software Update Cycle fails to install updates on Windows Server and Windows 10 clients. Be sure to test the process before production deployment.

Searching for Windows Cumulative Updates in Patch Remediation Center:

  • Windows 10 updates are categorized as "Cumulative Security Windows Update" and have been given the naming convention of MS##-W10-##
    • Example: April 2017 release displays MS17-W10-04
    • Note: Updates prior to 4/12/2017 are listed as CSWU-###.

Compliance Reports for Windows 10 Cumulative updates:

  • Compliance by Bulletin Report will display the total count of applicable/vulnerable/installed Software Updates.
  • Compliance by Update Report will display the individual Software Update KB compliance.

Can individual updates within a cumulative update be applied without applying the whole?

  • Individual updates within a cumulative update cannot be excluded; this is a result of the way that Microsoft packages the Windows 10 updates. This issue has been well documented in the industry press. However, the individual Software Update Package may be distributed via Software Management to the vulnerable clients if a specific Software Update deployment is required for the environment.

Setting the “Defer” option can be done using a group policy:

  • Examples of setting the ‘Defer’ option can be found on the web by searching for “Windows group policy to defer Windows 10 updates”
    • Computerworld shows step-by-step settings in their article How to defer upgrades and updates in Windows 10 Pro
    • A script may be needed to programmatically configure Windows Update to defer (not tested)
      • To determine whether a device is on CBB or CB, read the ./Vendor/MSFT/Update/DeferUpgrade CSP: 1 = CBB, 0 = CB
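
A read-only audit of the two client settings discussed above (Windows Update service start mode and the DeferUpgrade value), added here as an example; it is not part of the original article or of Patch Management Solution. Assumptions: the 'Defer upgrades' group policy is stored as a DeferUpgrade DWORD under the policy registry key shown, the function name Get-WindowsUpdateServicingState is hypothetical, and "Manual mode minimum" is read as "the service is not Disabled".

```powershell
# Assumed location of the group-policy value; MDM-managed devices expose the
# same setting through ./Vendor/MSFT/Update/DeferUpgrade instead.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WindowsUpdateServicingState {
    [CmdletBinding()]
    param()

    # Edition matters: Home cannot defer, Pro/Education/Enterprise can.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    # Start mode of the Windows Update service: Auto, Manual or Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

    # DeferUpgrade: 1 = CBB, 0 = CB. A missing key or value means no policy is set.
    $defer = $null
    if (Test-Path -Path $PolicyKey) {
        $prop = Get-ItemProperty -Path $PolicyKey -Name 'DeferUpgrade' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $defer = [int]$prop.DeferUpgrade }
    }

    if     ($defer -eq 1) { $branch = 'CBB' }
    elseif ($defer -eq 0) { $branch = 'CB' }
    else                  { $branch = 'Not configured' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Edition            = $os.Caption
        WUServiceStartMode = $svc.StartMode
        # Assumption: "Manual mode minimum" means the service must not be Disabled.
        WUServiceUsable    = ($svc.StartMode -ne 'Disabled')
        DeferUpgrade       = $defer
        ServicingBranch    = $branch
    }
}

# Report the state of the local machine.
Get-WindowsUpdateServicingState | Format-List
```

The script changes nothing on the client; the values it reports can be compared against the intended group policy before a Software Update cycle is tested.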

Note: Microsoft Feature Updates for Windows 10 are now supported and documented separately in KB article Patch Management Solution: Windows 10 - Microsoft Feature Pack Support.

Advisory: The ability to install Windows 10 updates depends on these configuration options within Windows Update. If the Windows 10 version can be set to ‘defer’ the update, Patch Management can be used:

  • The Windows 10 Home Edition can only be serviced by the Current Branch, meaning Windows Update does not offer an option to defer feature updates on Windows 10 Home Edition
  • The Windows 10 Pro, Education and Enterprise Editions can be serviced by the Current Branch or the Current Branch for Business, meaning that Windows Update offers the option to defer feature updates on these operating systems but not the option to prevent feature updates from being installed entirely

Windows 10 Enterprise Long Term Servicing Branch (LTSB) Edition: Similar to Windows 10 Enterprise but does not include Cortana, Windows Store, the Edge browser, Photo Viewer and the UWP version of Calculator (replaced by classic version), and will not receive any feature updates. This gives companies more control over the update process. Windows 10 Enterprise LTSB also lacks the same components absent in other variants, and it is the most stripped down edition of Windows 10 available.