Deploying Windows 10 Branch Updates via ZENworks Patch Management

In a previous article I explained that the ZENworks Patch Management content feed includes Windows 10 reliability and security updates but not Windows 10 branch (version) updates. For example, the feed includes the reliability and security patches for Windows 10 Version 1511 and Version 1607 (the Anniversary Update), but does not include the branch update to go from Version 1511 to Version 1607.

You can, however, still use ZENworks Patch Management to deploy Windows 10 branch updates. The process includes a few additional steps on your part but allows you to automate the deployment of the branch update while using the Patched and Not Patched statuses to track which devices have the branch update applied.

The basic process is this:

1. Get the Windows 10 branch update ISO from your normal Windows OS distribution source. 2. Extract the ISO to a location (for example, a network share) that can be accessed by the

Windows 10 devices being updated. The devices need to be able to run the update executable from this location.

3. In ZENworks Control Center, create a Windows bundle that launches the update executable.4. Create a custom patch using the Windows bundle.5. Deploy the custom patch via a Patch policy or a manual remediation.

The remainder of this article shows how to use this process to update devices from Windows 10 Enterprise Version 1511 to Version 1607 (the Anniversary Update).

Getting a Windows 10 ISOYou need to download the Windows 10 ISO from a source such as the Volume Licensing Service Center, the MSDN Portal, or the Academic Products page. For example, I get my Windows 10 ISOs from my MSDN account.

Be aware that there are different ISOs for different editions (Professional, Enterprise, Education, and so forth) as well as a multiple edition ISO. The multiple edition ISO doesn’t always include ALL editions; if you want to use the multiple edition, review the detail description to ensure that it includes the editions you need. And, of course, you need to get the correct ISO for the architecture (x86 and x64) and OS language of your devices.

For this article, I used the Windows 10 Enterprise, Version 1607 (Updated Jul 2016) (x64) - DVD (English) ISO with the following filename:

en_windows_10_enterprise_version_1607_updated_jul_2016_x64_dvd_9054264.iso

Extracting the ISO to a network locationYour Windows 10 devices need to run the update executable from somewhere on your network. In my lab environment, I chose to copy the contents of the ISO to a Win10ent_1607update_x64 folder on my

ZENworks Server and then share the folder (read access) with a local server account called WindowsUpdateAdmin.

I also defined the WindowsUpdateAdmin account credentials in the ZENworks Control Center Credentials Vault to make the credentials available to devices when installing the Version 1607 update.

My configuration worked for my lab environment. Obviously, you’ll need to find the appropriate access solutions for your lab and production environments.

Creating a Windows Bundle for the Branch UpdateIn ZENworks Control Center, you need to create a Windows bundle that launches the branch update executable from your network location.

1. Create a new Windows empty bundle:a. In the Bundles list, click New > Bundle to launch the Create New Bundle Wizard.b. For the Bundle Type, select Windows Bundle.c. For the Bundle Category, select (Empty Bundle).d. Give the bundle a name. For my bundle I used Win10ent 1607 Update - x64.e. Select the Create as Sandbox option and leave the Define Additional Properties option

selected so that the bundle is created as a sandbox version with the bundle properties

displayed.

2. Add an Install - Launch Executable action:a. In the Actions tab, click the Install tab.b. Click Add > Launch Executable to display the Add Action – Launch Executable dialog box.

c. In the Command field, add the UNC path to the branch update setup.exe file. For example, \\win2012server\win10ent_1607update_x64\setup.exe.

d. In the Command Line Parameters field, add the following: /auto upgrade /quiet.These parameters force the setup program into silent upgrade mode.

e. In the Working Directory field, add the UNC path to the setup.exe directory. For example, \\win2012server\win10ent_1607update_x64.

The configuration for my bundle looked like this:

f. Click the Advanced tab.

g. Select the When action is complete option.h. Select the Run as dynamic administrator option, then select the credential you added to

the Credential Vault to provide access to the setup.exe. In my case, this was the

WindowsUpdateAdmin credential.

i. Click OK to add the Launch Executable action.j. Click Apply to save the action. Your bundle should now look similar to the following

screenshot.

k. Click the Requirements tab, add the requirements that the device must meet in order for the branch update bundle to apply, then click Apply to save the requirements.In my case, I wanted the branch update to be applied to 64-bit Windows 10 machines running the Enterprise version of the original Windows 10 release (build 10240) or the 1511 release (build 10586). I used the Registry Key Value condition to check that the

CurrentBuild value (String Type) of the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key was either 10240 or 10586 and that the EditionID value (String Type) was Enterprise.

l. Click Publish to publish the bundle.

At this point, you could simply assign the bundle to the Windows 10 devices you want to update. After refreshing and getting the bundle assignment, all devices that meet the defined requirements would launch the setup program and install the branch update.

However, if you include the bundle in a patch (as explained in the next sections), you can use Patch Management to track which Windows 10 devices have the update applied and which ones do not.

Creating a Custom PatchYou now need to create a custom patch for the Windows bundle containing the branch update. Using a patch to distribute the branch update bundle allows you to use Patch Management to track which devices have the patch applied and which ones do not.

1. In ZENworks Control Center, click Patch Management.2. Click the Patches tab.

3. In the Patches list, click New to launch the Patch wizard.4. In the Name field, select the Windows bundle you created for the branch update.

5. Select the Impact level for the patch, specify a Vendor name, and select Requires Reboot.

6. Finish creating the patch.

Deploying the PatchYou can deploy the patch via a manual remediation or a Patch policy.

Manual Remediation1. In ZENworks Control Center, click Patch Management.

2. Click the Patches tab.

3. In the Patches list, select the check box in front of the update (Win10ent 1607 Update – x64 in the above example), then click Action > Deploy Remediation.

4. Select the devices to which you want to deploy the update (by default, all applicable devices that don’t have the update installed are selected), then complete the wizard.While completing the wizard, you can schedule the update to be installed immediately or at a later date.

Patch Policy1. In ZENworks Control Center, click Patch Management.2. Click the Patch Policies tab.3. In the Patch Policies list, click New to display the Create New Patch Policy wizard.4. Specify a Patch Policy name. For my Patch policy I used Windows 10 1607 Update.

I left Enterprise out of the title so that I could also use the policy to deliver branch updates for other Windows 10 editions, such as Professional. Because the bundle system requirements control which devices an update is applied to, I can have the policy include multiple patches, such as one for Enterprise devices and one for Professional devices or even one for 32-bit devices and another for 64-bit devices.

5. Do not add any Patch policy rules.

6. Complete the wizard, selecting the Define Additional Properties option so that the Patch policy is displayed after it is created.

7. Click the Members tab, then click Add to add the patch you created for the branch update. In my case, this is the Win10 1607 Update – x64 patch.

8. Click the Relationships tab and assign policy to Windows 10 devices.I assigned the policy to the Windows 10 dynamic group. This assigned the policy to all Windows devices. However, because the bundle requirements specify that the operating system must be Windows 10 Enterprise x64 build versions 10240 or 10586, the update is applied only to those Windows 10 devices that meet the requirements.

9. Click Publish to publish the policy.Devices will receive the policy and apply the update based on the Patch policy schedule configured for your zone.