Cool Solutions

Deploying Windows 10 Feature Updates via ZENworks Patch Management

Darrin VandenBos

By:

October 12, 2016 3:04 pm

Reads:4,657

Comments:8

Score:5

Print/PDF

In a previous article I explained that the ZENworks Patch Management content feed includes Windows 10 quality updates (security and reliability patches) but not Windows 10 feature (version) updates. For example, the feed includes quality updates for Windows 10 Version 1511 and Version 1607 (the Anniversary Update), but does not include the feature update to go from Version 1511 to Version 1607.

Even though the content feed does not include feature updates, you can still use ZENworks Patch Management to deploy Windows 10 feature updates. The process includes a few additional steps on your part but allows you to automate the deployment of the feature update while using the Not Patched status to track which devices need to be updated.

The basic process is this:

  1. Get the Windows 10 feature update ISO from your normal Windows OS distribution source.
  2. Extract the ISO to a location (for example, a network share) that can be accessed by the Windows 10 devices being updated. The devices need to be able to run the update executable from this location.
  3. In ZENworks Control Center, create a Windows bundle that launches the update executable.
  4. Create a custom patch containing the Windows bundle.
  5. Deploy the custom patch via a Patch policy or a manual remediation.

The remainder of this article shows how to use this process to update devices from Windows 10 Enterprise Version 1511 to Version 1607 (the Anniversary Update).

Getting a Windows 10 ISO

You need to download the Windows 10 ISO from a source such as the Volume Licensing Service Center, the MSDN Portal, or the Academic Products page. For example, I get my Windows 10 ISOs from my MSDN account.

Be aware that there are different ISOs for different editions (Professional, Enterprise, Education, and so forth) as well as a multiple edition ISO. The multiple edition ISO doesn’t always include ALL editions; if you want to use the multiple edition, review the detail description to ensure that it includes the editions you need. And, of course, you need to get the correct ISO for the architecture (x86 and x64) and OS language of your devices.

For this article, I used the Windows 10 Enterprise, Version 1607 (Updated Jul 2016) (x64) – DVD (English) ISO with the following filename:

en_windows_10_enterprise_version_1607_updated_jul_2016_x64_dvd_9054264.iso

Extracting the ISO to a network location

Your Windows 10 devices need to run the update executable from somewhere on your network. In my lab environment, I chose to copy the contents of the ISO to a Win10ent_1607update_x64 folder on my ZENworks Server and then share the folder (read access) with a local server account called WindowsUpdateAdmin.

I also defined the WindowsUpdateAdmin account credentials in the ZENworks Control Center Credentials Vault to make the credentials available when installing the feature update.

My configuration worked for my lab environment. Obviously, you’ll need to find the appropriate access solution for your lab and production environments.

Creating a Windows Bundle for the Branch Update

In ZENworks Control Center, you need to create a Windows bundle that launches the feature update executable from your network location.

  1. Create a new Windows empty bundle:
    1. In the Bundles list, click New > Bundle to launch the Create New Bundle Wizard.
    2. For the Bundle Type, select Windows Bundle.
    3. For the Bundle Category, select (Empty Bundle).
    4. Give the bundle a name. For my bundle I used Win10ent 1607 Update – x64.
    5. Select the Create as Sandbox option and leave the Define Additional Properties option selected so that the bundle is created as a sandbox version with the bundle properties displayed.
      .
  2. Add an Install – Launch Executable action:
    1. In the Actions tab, click the Install tab.
    2. Click Add > Launch Executable to display the Add Action – Launch Executable dialog box.
      .
    3. In the Command field, add the UNC path to the feature update setup.exe file. For example, \\win2012server\win10me_1607update_x64\setup.exe.
    4. In the Command Line Parameters field, add the following: /auto upgrade /quiet.
      .
      These parameters force the setup program into silent upgrade mode.
    5. In the Working Directory field, add the UNC path to the setup.exe directory. For example, \\win2012server\win10me_1607update_x64\.
      .
      The configuration for my bundle looked like this:
      .
    6. Click the Advanced tab.


      .

    7. Select the When action is complete option.
    8. Select the Run as dynamic administrator option, then select the credential you added to the Credential Vault to provide access to the setup.exe. In my case, this was the WindowsUpdateAdmin credential.
      .
    9. Click OK to add the Launch Executable action.
    10. Click Apply to save the action. Your bundle should now look similar to the following screenshot.
      .
    11. Click the Requirements tab, add the requirements that the device must meet in order for the feature update bundle to apply, then click Apply to save the requirements.
      .
      In my case, I wanted the feature update to be applied to 64-bit Windows 10 machines running the Enterprise version of the original Windows 10 release (build 10240) or the 1511 release (build 10586). I used the Registry Key Value condition to check that the CurrentBuild value (String Type) of the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key was either 10240 or 10586 and that the EditionID value (String Type) was Enterprise.
      .
    12. Click Publish to publish the bundle.
      .

At this point, you could simply assign the bundle to the Windows 10 devices you want to update. After refreshing and getting the bundle assignment, the devices would launch the setup program and install the feature update.

However, if you include the bundle in a patch (as explained in the next sections), you can use Patch Management to track which Windows 10 devices need the the update applied.


Update: 29 Nov 2016

Using the method described above, as soon as the feature update is applied to a device, it is removed from the Not Patched count; however, because the device also no longer meets the system requirements for the bundle, it also does not appear in the Patched count. As a result, you can see what devices don’t have the feature update installed yet (Not Patched) but you can’t see the devices that do have the update installed (Patched).

Recently, it was brought to my attention that you can make both the Not Patched and Patched counts accurate by using a combination of the bundle’s System Requirements and the Launch Executable action’s Requirements.

  1. Change the bundle’s System Requirements to include only the architecture, operating system, and Windows version.The bundle’s System Requirements determine the devices on which the bundle is effective. In this case, the bundle will be effective on all Windows 10 Enterprise 64-bit devices. Even after the bundle is applied and the device is updated to the 1607 build, the bundle is still effective on the device, which allows the Patched/Not Patched status to be reported for the device.

  2. Edit the Launch Executable action’s Requirements to specify the build values (10240 and 10586) as Registry Key Values.The Launch Executable action’s Requirements determine on which Windows 10 Enterprise 64-bit the bundle will run. In this case, it will only run on devices that have CurrentBuild versions of 10240 or 10586.


Creating a Custom Patch

You now need to create a custom patch that includes the Windows bundle containing the feature update. Using a patch to distribute the feature update bundle allows you to use Patch Management to track which devices have the patch applied and which ones do not.

  1. In ZENworks Control Center, click Patch Management.
  2. Click the Patches tab.
    .
  3. In the Patches list, click New to launch the Patch wizard.
  4. In the Name field, select the Windows bundle you created for the feature update.
    .
  5. Select the Impact level for the patch, specify a Vendor name, and select Requires Reboot.
    .
  6. Finish creating the patch.

You are now ready to deploy the feature update patch to devices.

Deploying the Patch

You can deploy the patch via a manual remediation or a Patch policy.

Manual Remediation

  1. In ZENworks Control Center, click Patch Management.
  2. Click the Patches tab.
    .
  3. In the Patches list, select the check box in front of the update (Win10ent 1607 Update – x64 in the above example), then click Action > Deploy Remediation.
  4. Select the devices to which you want to deploy the update (by default, all applicable devices that don’t have the update installed are selected), then complete the wizard.
    .
    While completing the wizard, you can schedule the update to be installed immediately or at a later date.

Patch Policy

  1. In ZENworks Control Center, click Patch Management.
  2. Click the Patch Policies tab.
  3. In the Patch Policies list, click New to display the Create New Patch Policy wizard.
  4. Specify a Patch Policy name. For my Patch policy I used Windows 10 1607 Update.
    .
    I left Enterprise out of the title so that I could also use the policy to deliver feature updates for other Windows 10 editions, such as Professional. Because the bundle system requirements control which devices an update is applied to, I can have the policy include multiple patches, such as one for Enterprise devices and one for Professional devices or even one for 32-bit devices and another for 64-bit devices.
  5. Do not add any Patch policy rules.
  6. Complete the wizard, selecting the Define Additional Properties option so that the Patch policy is displayed after it is created.
    .
  7. Click the Members tab, then click Add to add the patch you created for the feature update. In my case, this is the Win10ent 1607 Update – x64 patch.
    .
  8. Click the Relationships tab and assign policy to Windows 10 devices.
    .
    I assigned the policy to the Windows 10 dynamic group. This assigned the policy to all Windows devices. However, because the bundle requirements specify that the operating system must be Windows 10 Enterprise x64 build versions 10240 or 10586, the update is applied only to those Windows 10 devices that meet the requirements.
    .
  9. Click Publish to publish the policy.
    .
    Devices will receive the policy and apply the feature update based on the Patch policy schedule configured for your zone.

 

 

2 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 5 (2 votes, average: 5.00 out of 5)
You need to be a registered member to rate this post.
Loading...

Tags: , , ,
Categories: Unified Endpoint Management, ZENworks, ZENworks Patch Management, ZENworks Suite

8

8 Comments

  1. By:whenz

    great how-to, thank you

  2. By:clajes

    Great guide thanks, I am getting stuck on UAC though when I use “Run as current user” I can accept the message but that doesn’t help for silent deployment. The usual no zone check variable does not seem to suppress the UAC message. Any ideas?

    • By:Darrin VandenBos

      Unfortunately, you can’t use the “Run as logged-in user” option because the Windows 10 setup requires Admin rights and it will trigger UAC (as you found out). You have to use the “Run as Dynamic Administrator” option with a user that provides administrator rights on the machine.

      • By:clajes

        Hi, Thanks for your response. Sorry I didn’t make it clear when I “Run as dynamic administrator” the setup process starts but just sits there for hours doing nothing. I thought the UAC message may be supressed waiting for confirmation to continue.
        Thanks

    • By:Darrin VandenBos

      Does the local user you are referencing as the dynamic administrator have administrator rights on the machine? The local user must be an admin equivalent.

  3. By:heikkikyle

    This method does not work for feature updates to 1703

  4. By:heikkikyles

    The update fails and restores the previous OS version each time. I have it narrowed down to something related to using the dynamic administrator. We are using 2017U1

Comment

RSS