Windows Updates with Deep Freeze - Best Practice
Posted by Adam Zilliax, Last modified by Adam Zilliax on 23 May 2017 02:15 PM
This document will detail the suggested best practices for the running of Windows Updates on a workstation protected by Deep Freeze Enterprise. Deep Freeze Standard does not include the options needed to automate the Windows Update process unless used in conjunction with the Deep Freeze Cloud Connector.
Faronics Deep Freeze includes the ability to automate the process of applying updates to protected workstations through the use of a scheduled maintenance period on the client workstations. This will automatically boot the computer into a non-protected (Thawed) state and begin the process of downloading the applicable updates to the client workstations at a time designated by the administrator of the systems. To ensure that updates are delivered in a timely manner there are a number of options that Faronics recommends be configured on the client systems.
The maintenance events should be configured for a timeframe when the workstations are expected to be online but not required by the users. The table below lists the recommended settings for running Windows Updates.
Note – for 1:1 deployments, or other situations where a system may not be online when the scheduled maintenance is due, administrators will need to arrange a time when the machines can be brought online, either by the end user or by administrative staff, for the purpose of applying updates.
Faronics recommends that customers install updates on a frequency that fits their patch management processes and any regulatory requirements they may be subject to. Where no such requirements exist, we suggest deploying updates in two stages: a smaller group of machines receives updates immediately once they are approved, and the remaining machines receive them after the updates have been in place on the first group without issue for a period of time. This allows the smaller group to give advance warning of any problems with the update process without putting the entire enterprise at risk from a bad update.
Deep Freeze incorporates a number of Windows Update specific settings on the Windows Update screen of the Deep Freeze Configuration Administrator and the Windows Update page of the Deep Freeze settings in the Deep Freeze Cloud Policy. These settings are listed below along with our recommendations.
Delay Frozen reboot to complete Windows Updates option.
Windows Software Update Services
WSUS is a component of the Windows Server operating system that can be added to an existing server through the Add Roles / Features wizard in Server Manager on Server 2008 or Server 2012. When updates are downloaded through the Microsoft Update service, Deep Freeze will only install updates that have been marked as Critical or Security updates. With a WSUS server, administrators have a greater degree of control over which updates are provisioned and how, as updates can be approved for or withheld from machines as the systems administrators see fit.
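The two-stage rollout recommended earlier (a pilot group first, the remaining machines after a soak period) can be driven from the WSUS approvals the article describes. The following is an added example and is not code from the Faronics article or from Deep Freeze itself; it uses the UpdateServices PowerShell module on the WSUS server and assumes two WSUS computer groups named Pilot and Production and a soak period of 14 days, all of which are assumed names and values.

```powershell
# Added example, not part of the Faronics article. Two-stage WSUS approval:
# new Critical/Security updates go to the "Pilot" group immediately; updates
# that have been approved for Pilot for at least $SoakDays days are then
# approved for "Production". Group names and soak period are assumed.
param(
    [string]$PilotGroup = 'Pilot',
    [string]$ProdGroup  = 'Production',
    [int]$SoakDays      = 14
)

Import-Module UpdateServices
$wsus = Get-WsusServer            # local WSUS server, default port

$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object Name -eq $PilotGroup
$prod   = $groups | Where-Object Name -eq $ProdGroup
if (-not $pilot -or -not $prod) { throw "Target groups '$PilotGroup'/'$ProdGroup' not found" }

# Stage 1: approve every not-yet-approved Critical and Security update for Pilot only.
# Only these two classifications are handled, matching what Deep Freeze installs
# from Microsoft Update.
foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved |
        Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
}

# Stage 2: promote updates whose Pilot approval is older than the soak period
# and that have no approval for Production yet. Anything declined during the
# pilot is excluded by -Approval AnyExceptDeclined.
$cutoff = (Get-Date).AddDays(-$SoakDays)
foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval AnyExceptDeclined |
        Where-Object {
            $approvals = $_.Update.GetUpdateApprovals()
            $pilotOk = $approvals | Where-Object {
                $_.ComputerTargetGroupId -eq $pilot.Id -and
                $_.Action -eq 'Install' -and
                $_.CreationDate -lt $cutoff
            }
            $prodDone = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $prod.Id }
            $pilotOk -and -not $prodDone
        } |
        Approve-WsusUpdate -Action Install -TargetGroupName $ProdGroup
}
```

Run it once per maintenance cycle (for example as a scheduled task on the WSUS server) so that stage 1 and stage 2 advance together; declining a problem update in the WSUS console during the soak period is enough to stop it reaching Production.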
Windows 10 Specific Concerns
Windows 10 has greatly reduced the number of options administrators have for applying updates to client workstations in some editions of Windows. Deep Freeze will still function and control the update process on the client workstations; however, Windows 10 may change the type of updates delivered to them depending on which version of Windows is installed and whether the administrators are using a WSUS server. Customers who wish to maintain control of the update process should investigate using the Long Term Service (LTS) branch of Windows 10 Enterprise together with a WSUS server in their environment.
Customers running the Professional or Enterprise editions of Windows should consider selecting the Defer Upgrades option in the Windows 10 Update settings, as this prevents feature upgrades from installing automatically. However, this will require manual intervention at some point, as Microsoft will stop pushing updates to older editions of Windows until the upgrades are installed.
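For environments that set this centrally rather than in the Settings app, the following added example (not from the Faronics article or Deep Freeze) writes the equivalent Windows Update policy values and refuses to do so on editions that do not honour them, which is the caveat the paragraph above makes. The value names are the Windows Update policy names for Windows 10 1511 (DeferUpgrade) and 1607 and later (DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays); the 180-day period is an assumed value.

```powershell
# Added example, not part of the Faronics article. Applies the "Defer Upgrades"
# behaviour through the local Windows Update policy keys on Windows 10
# Professional/Enterprise/Education only. Deferral period is assumed.
function Set-DeferFeatureUpgrades {
    param([int]$DeferDays = 180)   # assumed deferral period

    # Home (Core) editions ignore these policies, so stop rather than write
    # values that silently do nothing.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($edition -notin 'Professional', 'Enterprise', 'Education') {
        throw "Defer Upgrades is not available on edition '$edition'"
    }

    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

    # Windows 10 1511 policy name
    Set-ItemProperty -Path $policy -Name DeferUpgrade -Value 1 -Type DWord
    # Windows 10 1607 and later policy names
    Set-ItemProperty -Path $policy -Name DeferFeatureUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $policy -Name DeferFeatureUpdatesPeriodInDays -Value $DeferDays -Type DWord

    # Return what is now in place so the caller can log or verify it.
    Get-ItemProperty -Path $policy |
        Select-Object DeferUpgrade, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays
}

# Usage (requires an elevated session): Set-DeferFeatureUpgrades -DeferDays 180
```

Because Deep Freeze discards changes made while Frozen, run this during a Thawed maintenance period or bake it into the image; otherwise the policy values disappear at the next reboot.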
Updates using 3rd party tools
Customers using 3rd party tools to manage updates should take care that updates are scheduled for a time when Deep Freeze is thawed, to prevent conflicts. Due to the nature of Deep Freeze it is not recommended that more than one application attempt to control the update process. If a 3rd party platform is to be used, administrators should ensure that the thawed period is long enough for all the tasks that need to be executed (including any required reboots) to complete without being interrupted by the computer returning to a frozen state.
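One way to enforce the two conditions above from the third-party side is a pre-flight check that the update tool runs before it starts: refuse if the workstation is currently Frozen, and refuse if too little of the thawed window remains for the install and its reboot. The following is an added example, not code from the Faronics article, Deep Freeze or any update product. It assumes the Deep Freeze command line control DFC.exe is on the PATH and that `dfc get /ISFROZEN` exits 0 when Thawed and 1 when Frozen (assumed to match the Deep Freeze Enterprise documentation); the window end time, the duration estimate and the updater command are placeholders supplied by the caller.

```powershell
# Added example, not part of the Faronics article. Pre-flight check for a
# third-party update job on a Deep Freeze workstation. Assumptions: DFC.exe is
# on the PATH and "dfc get /ISFROZEN" exits 0 = Thawed, 1 = Frozen; the caller
# knows when the maintenance (Thawed) window ends.
function Test-UpdateWindow {
    param(
        [Parameter(Mandatory)][datetime]$WindowEnd,
        [int]$MinutesNeeded = 45,      # install + reboot estimate (assumed)
        [string]$DfcPath = 'dfc.exe'   # assumed location on PATH
    )

    # 1. Frozen state: anything installed now is discarded at the next reboot,
    #    so the job would silently "succeed" and then vanish.
    & $DfcPath get /ISFROZEN | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Deep Freeze is Frozen (dfc exit code $LASTEXITCODE); not running updates."
        return $false
    }

    # 2. Remaining window: a reboot that lands after the window closes comes
    #    back up Frozen, so the job must fit entirely inside what is left.
    $remaining = ($WindowEnd - (Get-Date)).TotalMinutes
    if ($remaining -lt $MinutesNeeded) {
        Write-Warning ("Only {0:N0} min left in the maintenance window, need {1}; skipping." -f $remaining, $MinutesNeeded)
        return $false
    }
    return $true
}

# Usage: the scheduler passes the window end (here an assumed 04:00 today) and
# the tool runs only when both checks pass. Exit code 1 records the skipped run.
$windowEnd = (Get-Date).Date.AddHours(4)
if (Test-UpdateWindow -WindowEnd $windowEnd -MinutesNeeded 60) {
    & 'C:\Program Files\ExampleUpdater\updater.exe' /install    # placeholder updater command
    exit $LASTEXITCODE
} else {
    exit 1
}
```

Having the check report a non-zero exit code rather than just logging a warning means the third-party console shows the skipped machines, which is how administrators notice workstations whose maintenance window and update schedule have drifted apart.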