Patch Management and Windows as a service

Term	Definition
Windows Update for Business	From Microsoft: "Windows Update for Business is a collection of policy settings that control updates for devices that use Windows." Using Datto RMM Patch Management involves using these settings. Refer to this Microsoft Support article.
Quality Update	This is analogous to an old-style KB update or an update on Update Tuesday. It is an update which requires rebooting the computer and which carries a number of small, quality-of-life improvements and security fixes. Older operating systems received lots of smaller updates, while Windows as a service receives cumulative update rollups which contain all of the smaller updates in a single unit.
Feature Update	This is analogous to a Service Pack (but it is not a Feature Pack). A Feature Update upgrades the Windows version, adding new features, interface changes and (often) new management considerations. Feature Updates can come either as entirely new operating systems or as smaller enablement packages.
Driver Update	These remain more or less as they always were. They are small bundles of software drivers installed as demanded by the system in response to hardware requirements.
Security Update	Security Updates are bundles of security-related patches released a few weeks before a Quality Update. Administrators who opt out of installing them will see the same patches included in that month’s Quality Update.
Update Rollup	Refer to Quality Update; the modern term for an update rollup is a cumulative update, where multiple smaller updates are dynamically added on a per-device basis to a single larger update that is installed by the system in its entirety, removing user control over individual updates to simplify compliance.
Branch/Channel	Branches or Channels were used in earlier versions of the Windows as a service methodology to determine how often devices received updates. This practice has since been discontinued, with branches now being used to determine a system’s eligibility for beta and preview updates.
Defer	The term Microsoft use to delay the checking for and installation of Windows updates. The amount of time one can defer updates for depends on the version of Windows the device is running. Updates will not show up in patch scans if they have been deferred until the deferral time has passed. If three updates are released in a month, users will receive three update notifications but they will do so once each patch's individual deferral period has expired.
Patch	A dated term used to refer to a Windows update. Microsoft prefers the term update.

Windows receives multiple forms of updates, the most notable being Quality Updates and Feature Updates. The former is an umbrella term used to encompass updates for security and performance, while the latter refers to larger updates which upgrade Windows to an entirely new version.

Windows Feature Updates that are leveraged via an enablement package and that are installed over at least Windows 10 version 2004 can generally be handled via Patch Management; however, using this method offers reduced user control over timing. As such, Datto supply ComStore components which can be leveraged to perform a Windows update at a specific time and, if necessary, using a disc image supplied by the administrator.

Read on for an overview of these components.

Requirements

• For either solution, at least 20 GB of storage space on the home drive and 1 GB of RAM (2 GB for x64) is required on the target device.
• For the Windows 10/11: Upgrade via ISO component, connectivity to https://storage.centrastage.net is required if you are downloading an image from Datto.

Windows 10/11: Upgrade or update to latest Feature Release

The Upgrade or update to latest Feature Release components work by downloading the latest version of Windows 10 directly from Microsoft for the specified endpoints. Details, such as OS language, architecture, and edition are preserved across the update process. Windows Workstation operating systems from Windows 7 SP1 can use this component to update to the latest build of Windows 10 automatically.

The strength of this component is its simplicity and lack of prerequisites. Provided the target device is capable of upgrading its Windows edition (it has a valid Windows license, a compatible edition, and enough storage space, as examples), the upgrade process will proceed without the administrator needing to provide any additional detail.

The weakness of this component is its lack of support for Educational editions of Windows, or Windows 10 Pro for Workstations. Furthermore, as the component uses Microsoft tools to download Windows 10, it will always download the latest version. Please note that there is no support for downloading the penultimate edition of Windows 10 from Microsoft.

NOTE  Windows Server operating systems are not supported.

NOTE  Windows 7 SP1 Enterprise cannot be updated using this component. Devices running Windows 7 SP1 Enterprise will need to use the Windows 10: Upgrade via ISO component detailed next.

Windows 10/11: Upgrade via ISO

The Upgrade via ISO components work by downloading a disc image from a defined network location, extracting it, and running the setup executable silently. This is a more manual approach that relies on the presence of a disc image, but this freedom allows the administrator to specify exactly which version of Windows 10/11 to upgrade the device to, in ways that extend beyond the reach of the previous component.

As a courtesy, Datto provides Windows 10 Professional ISOs for the previous two versions, that is, the last two versions before the very latest, in both British and International English, for both architectures. The component can be configured to download the relevant ISO directly from Datto's servers and install from it (language and architecture will be intuited automatically). Alternatively, a network location can be given to a Windows 10 disc image stored elsewhere, perhaps internally.

Due to Windows 11’s annual release cadence, this feature is not supplied for Windows 11 at this time.

NOTE  Due to legal reasons, Datto is prohibited from serving non-Professional versions of Windows 10 (Enterprise, Education, etc.).

If the disc images served by Datto are not applicable to your deployment, the script can be given a path to a Windows ISO stored on a network share, which it will then attempt to download and work from. Once the image has been downloaded, it will be processed in the same manner as a disc image downloaded from Datto would be. This is necessary for users wishing to upgrade non-English installations of Windows and/or installations of editions not supported by either component natively.

Windows 11 ISOs can be obtained in the required language and edition by accessing this Microsoft site. Follow the instructions headed Download Windows 11 Disk Image (ISO) until the Download button reads 64-bit Download. The ISO can either be downloaded from here or the link can be copied and pasted into the component’s image path field.

NOTE  If you are placing a Windows ISO on a network share, the LocalSystem user must be able to read files in that location. Datto RMM components run as quick jobs execute as NT AUTHORITY\SYSTEM, which needs to be able to access the file remotely.

Other use cases

For more information on upgrading from Windows 7 to Windows 10 and the various considerations that must be made, please refer to Windows 7 to Windows 10 in-place upgrade by component. Here you will also find information on updating to Windows 10 by way of creating segmented ISO parts that are attached to components.

Generally speaking, devices running Windows 7 are not capable of upgrading to Windows 11 without hardware changes.

To switch channels, you can use Datto RMM's Windows Update policy. You can configure the policy to switch a device from Semi-Annual Channel (Targeted) to Semi-Annual Channel (Broad) and automatically defer Feature and Quality Updates. It also enables Windows Telemetry, as switching Channel requires this feature to be enabled. For more information, refer to Configure update channel.