In the Enterprise, the most common method of configuring Windows Computers is to use Group Policy. Group Policies are settings that are pushed into a computer’s registry to configure settings and behaviors that fit the enterprise’s operational methodologies. This is one of the advantages of Windows Computers that has been around since Windows NT 4.0 Service Pack 4 and is still the chosen method to manage Windows 10
In this lab, we will use a Group Policy Object (GPO) to move between Service Rings and control how updates are applied or deferred. If you are currently using WSUS or Configuration Manager you can continue to use those technologies and
methodologies as you always have.
Microsoft is also introducing Windows Update for Business which is a cloud service designed for End User Devices in businesses and will provide Distribution Rings, Maintenance Windows, Peer to Peer Delivery and all of this will integrate with existing tools like System Center, Orchestrator and Windows Management Instrumentation.
Table of Contents
Overview
Exercise 1
The Windows Update Settings Configure a Group Policy Test the Group Policy Setting
The exercises in this lab focus on creating a Group Policy Object that allows the System Administrator to control how updates are applied. Updates in Windows 10 are delivered in an ongoing cadence that offers customers new capabilities as they become available, this is known as Windows as a Service. New security threats, the need for new capabilities and new employee behaviors have started to dictate a different methodology in how systems and computers are managed. In the consumer world there is an acceptance that devices are regularly updated but in a more controlled environment like a hospital or bank updating and system changes need to be controlled and rigidly managed.
Within Microsoft this process is happening in the form of branches. The Engineering team will build out some new functionality and test as a first branch, the changes are then passed on to willing Microsoft users who form the next branch before being passed to the Windows Insider Program branch. At this stage the updates are now being tested by several million users and ready to be passed onto the Current Branch which consists of 100s of millions of users who are generally your pilots and early adopters. This is then passed to Current Branch for Business where organizations can make decisions on how and when they will deploy updates and changes. It is within this branch that you can build your own Rings and do phased deployments into your business or corporate environment. It is possible that the Insider to Current Branch for Business exists within your organization and this is then seen as the pilot, testing and validation which would be similar to the regular update process.
In the addition to the above Windows Enterprise customers with a Volume License Agreement tied to Software Assurance introduces the Long Term Service Branch (LTSB) which mimics the typical method that OS updates are currently handled. Microsoft will release an LTSB version of the OS every 2 to 3 years that integrates the Current Business and Current Branch for Business updates and feature changes and offer it to customers.
For the purposes of this lab the Windows 10 Policy Definitions have been installed on the Domain Controller.
The exercises in this lab include:
Exercise 1: Windows Update controls in the Settings Menu
Exercise 2: Create a Group Policy Object to control Update Settings
Exercise 3: Test the Group Policy Setting
Table 1 lists virtual machines used in this lab.
Table 1. Virtual machines used in this lab
Virtual
machine Description
W10-DC Domain controller running Windows Server 2012 R2 contoso.com Active Directory (AD) domain. Also provides Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services for the virtual machine environment.
W10-Client Windows 10 machine under the Management of the Domain Controller
W10-Edge Virtual Machine configured to provide Internet Access to the virtual machine environment.
W10-Synch Synchronization Server
The Windows Update Settings
Description Steps
Navigate to the Windows Update Settings Menu
Perform the following steps on W10-Client1 logged on as Contoso\Administrator with the password Passw0rd!:
1. Click on the Start Button 2. Click on Settings
3. Click on Update & security
4. In the UPDATE & SECURITY dialog, Click on Advanced options (you may need to scroll down the dialog to find the link)
5. Notice that the current update settings are Automatic and the Defer upgrades checkbox is currently unchecked.
Configure a Group Policy
Description Steps Configure a Group
Policy Object that will Defer Upgrades.
This will allow you to defer upgrades until the next upgrade period.
Perform the following steps on W10-DC logged on as Contoso\Administrator with the password Passw0rd!:
6. Minimize the Windows Server Manager dialog 7. Click on the Start Button
8. Type Group Policy 9. Press Enter
10. In the Group Policy Management dialog, Right Click Contoso.com under Domains
Commented [KR1]: Is there a reason for not using the Server Manager, Tools, Group Policy Management to open the Grouiip Polcy Management dialog.
Description Steps
11. Click on Create a GPO in this Domain, and Link it here
12. In Name, type WindowsUpdateSettings 13. Click OK
14. Right click WindowsUpdateSettings 15. Click Edit
16. Navigate to Computer Configuration > Policies >
Administrative Templates > Windows Components >
Windows Update
17. In the Settings Window, double click on Defer Upgrade 18. Click Enable
19. Click Apply 20. Click OK
21. Close the Group Policy Management Editor
Test the Group Policy Setting
Description Steps
Test the Group Policy that was just created.
Perform the following steps on W10-Client logged on as Contoso\Administrator with the password Passw0rd!:
22. Click on the Start Button 23. Type CMD
24. Click on Command Prompt
25. Type gpupdate /force and wait for the update to complete
26. Click on the Start Button 27. Click Power
28. Click Restart
29. Log on as Contoso\Administrator with the password Passw0rd!
30. Click on the Start Button 31. Click on Settings
32. Click on Update & security 33. Click on Advanced Settings
34. Notice that the Defer Upgrades option is greyed out. Commented [KR2]: I got this to show but only after the reboot - it took a while to show though - I have no explaination for it.
Perhaps add a note that it may take some time for the display to refresh.
Information in this document, including URLs and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites.
Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Copyright © 2015 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, SQL Server, Excel, Office Professional Plus, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.