Windows Updates with Deep Freeze - Best Practice
Posted by Adam Zilliax, Last modified by Adam Zilliax on 23 May 2017 02:15 PM

This document details the suggested best practices for running Windows Updates on a workstation protected by Deep Freeze Enterprise. Deep Freeze Standard does not include the options needed to automate the Windows Update process unless it is used in conjunction with the Deep Freeze Cloud Connector.

Faronics Deep Freeze can automate the process of applying updates to protected workstations through a scheduled maintenance period on the client workstations. At a time designated by the administrator of the systems, the workstation is automatically rebooted into a non-protected (Thawed) state and begins downloading and installing the applicable updates. To ensure that updates are delivered in a timely manner, Faronics recommends that a number of options be configured on the client systems.


Deep Freeze installs Windows updates by interfacing with the Windows Update API during a scheduled maintenance period. The maintenance period disables Deep Freeze automatically and installs any applicable updates on the client computers. The scheduled maintenance tasks are configured in different locations depending on the version of Deep Freeze that you are using:

  • Deep Freeze Enterprise – In the Deep Freeze Configuration Administrator, on the Workstation Tasks page.
  • Deep Freeze Cloud – In the Deep Freeze page of the policy settings for your workstation, under Workstation Tasks.
  • Deep Freeze Standard with Cloud Connector – In the Deep Freeze page of the policy settings for your workstation, under Workstation Tasks.

The maintenance events should be configured for a timeframe in which the workstations are expected to be online but not required by users. The settings below are recommended for running Windows Updates:

Maintenance Start Time
    Recommended value: Administrator configured.

Maintenance End Time
    Recommended value: When Windows Update Completes.
    Note: This allows the updates to be installed while limiting the time during which the computer is not protected. If other tasks need to be run, administrators should ensure that the Windows Update task runs last so that it does not interfere with the other tasks if it runs long. There is a six-hour timeout on this setting in the event that problems are encountered with the Windows Update process.

Allow user to cancel task
    Recommended value: Disabled.
    Note: Should only be enabled if there is a reasonable chance that a user will be working on the computer at the time when updates would normally occur.

Shutdown after task
    Recommended value: Disabled.
    Note: Shutting down after the maintenance task will prevent any later maintenance tasks from running; only enable this if it is the last event scheduled for the workstation.

Disable keyboard and mouse
    Recommended value: Enabled.
    Note: This setting prevents users from accessing the computer while it is not protected.

Show Message for
    Recommended value: 3 min.
    Note: This setting defines how far in advance the system notifies the user of a maintenance event. The message is shown at the scheduled maintenance time and the computer reboots into a Thawed state only after this period has elapsed, so the computer will not enter a Thawed state until 3 minutes past the start time. Setting a long warning time may delay the start of the maintenance period in an undesirable way.

Note – for 1:1 deployments, or situations where a system may not be online at the scheduled maintenance time, administrators will need to arrange a time when the machines can be brought online, either by the end user or by administrative staff, for the purpose of applying updates.

Update Frequency

Faronics recommends that customers install updates on a frequency that fits their patch management processes and any regulatory requirements they may be subject to. Where no such criteria exist, we suggest deploying updates in two stages: a smaller pilot group of machines receives updates immediately once they are approved, and a second group containing the remaining machines has the updates installed only after they have been in place on the pilot group without issue for a period of time. The pilot group provides advance warning of any problems with the update process without putting the entire enterprise at risk from a bad update.

Advanced Settings

Deep Freeze incorporates a number of Windows Update-specific settings on the Windows Update screen of the Deep Freeze Configuration Administrator and on the Windows Update page of the Deep Freeze settings in the Deep Freeze Cloud policy. These settings are listed below along with our recommendations.

Allow Deep Freeze to choose how Windows Updates are downloaded
    Recommended value: Enabled (checked).
    Note: Checking this option allows Deep Freeze to control the process of downloading updates on the client machine. Depending on the configuration of update caching, Deep Freeze will either suppress the download entirely while Frozen, or allow updates to be downloaded but not installed until the computer enters a maintenance window. Leaving this option unselected keeps whatever settings have been configured on the system in effect, which may result in updates being installed at undesirable times, or in other issues. When selected, this option suppresses the Windows Update service and, in some versions, the BITS service on the client machine while it is Frozen. (Faronics documents this behaviour in a separate knowledge base article.)

Do not Cache Windows Updates / Cache Windows Updates
    Recommended value: Cache Windows Updates.
    Note: Caching allows Deep Freeze to create a container into which updates are downloaded while the computer is Frozen. The download can therefore be spread out over the course of the day, which shortens the time needed to install updates because they do not have to be downloaded when the computers enter the maintenance window.

Retrieve Windows Updates From
    Recommended value: Windows Server Update Services (WSUS).
    Note: Faronics recommends, where possible, that customers look into using a WSUS server, as it provides greater control over the update process than downloading updates directly from the Windows Update service hosted by Microsoft.

Delay Frozen reboot to complete Windows Updates
    Recommended value: Enabled.
    Note: Deep Freeze 8.35 and later include an option that allows the software to perform additional reboots to clear any pending updates when a computer is transitioning from a Thawed to a Frozen state. This option is intended to prevent systems from getting stuck in a reboot loop attempting to apply updates. When enabled, Deep Freeze will perform up to six reboots to clear any pending updates on the client system before the system enters a Frozen state. Faronics recommends that this option remain enabled.

Windows Server Update Services (WSUS)

WSUS is a component of the Windows Server operating system that can be added to an existing server through the Add Roles and Features wizard in Server Manager on Windows Server 2008 or Windows Server 2012. When updates are downloaded through the Microsoft Update service, Deep Freeze will only install updates that have been classified as Critical or Security updates. When using a WSUS server, a greater degree of control over the updates and how they are provisioned can be exercised, as updates can be approved or withheld for groups of machines according to the wishes of the system administrators.

Windows 10 Specific Concerns

In some editions, Windows 10 has greatly reduced the number of options administrators have for applying updates to client workstations. Deep Freeze will still function and control the update process on the client workstations; however, Windows 10 may change the type of updates delivered to the client workstations depending on which version of Windows is installed and whether the administrators are using a WSUS server. Customers who wish to maintain control of the update process should investigate using the Long Term Servicing Branch (LTSB) of Windows 10 Enterprise together with a WSUS server in their environment.

Customers running the Professional or Enterprise editions of Windows 10 should consider selecting the Defer Upgrades option in the Windows 10 Update settings, as this prevents feature upgrades from being installed automatically. However, this will require manual intervention at some point, as Microsoft stops pushing updates to older builds of Windows 10 until the feature upgrades are installed.
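The WSUS and deferral recommendations above can be applied from an elevated PowerShell session. The script below is an added example written for this article, not Faronics' or Microsoft's own code. It writes the same registry values that the Group Policy settings "Specify intranet Microsoft update service location" and "Select when Feature Updates are received" (or "Defer Upgrades and Updates" on Windows 10 1511) would write, then reads them back so the result can be verified. The WSUS server name and port, and the 180-day deferral, are placeholders to be replaced with your own.

```powershell
# Added example (not Faronics' own code): point the Windows Update client at an
# internal WSUS server and defer Windows 10 feature upgrades, the two controls
# recommended in this article. Run in an elevated PowerShell session.
# Assumption: the WSUS server address below is a placeholder for your own server.

$WsusUrl  = 'http://wsus.example.local:8530'   # assumed WSUS address, replace with yours
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

function Set-WsusClient {
    param([Parameter(Mandatory)][string]$ServerUrl)
    foreach ($key in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Intranet update and reporting server (the same host here). UseWUServer=1
    # makes the client honour them instead of Microsoft Update.
    Set-ItemProperty -Path $WuPolicy -Name 'WUServer'       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WuPolicy -Name 'WUStatusServer' -Value $ServerUrl -Type String
    Set-ItemProperty -Path $AuPolicy -Name 'UseWUServer'    -Value 1 -Type DWord
    # AUOptions 3 = auto download, notify for install: nothing is installed by
    # Windows on its own, so installation stays inside the Deep Freeze maintenance window.
    Set-ItemProperty -Path $AuPolicy -Name 'AUOptions'      -Value 3 -Type DWord
}

function Set-FeatureUpgradeDeferral {
    param([int]$Days = 180)
    # Windows 10 1607 and later use DeferFeatureUpdates / DeferFeatureUpdatesPeriodInDays.
    Set-ItemProperty -Path $WuPolicy -Name 'DeferFeatureUpdates'             -Value 1     -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name 'DeferFeatureUpdatesPeriodInDays' -Value $Days -Type DWord
    # Windows 10 1511 used DeferUpgrade for the "Defer upgrades" toggle; set it too
    # so either build honours the policy.
    Set-ItemProperty -Path $WuPolicy -Name 'DeferUpgrade' -Value 1 -Type DWord
}

function Test-UpdatePolicy {
    # Read back the effective policy so the change can be verified or audited.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WsusServer           = $wu.WUServer
        UsesWsus             = ($au.UseWUServer -eq 1)
        DefersFeatureUpdates = ($wu.DeferFeatureUpdates -eq 1)
        DeferDays            = $wu.DeferFeatureUpdatesPeriodInDays
    }
}

Set-WsusClient -ServerUrl $WsusUrl
Set-FeatureUpgradeDeferral -Days 180
Test-UpdatePolicy

# Make the client drop its old authorization cookie and contact the WSUS server now.
wuauclt.exe /resetauthorization /detectnow
```

Because Deep Freeze itself controls download and installation when "Allow Deep Freeze to choose how Windows Updates are downloaded" is checked, the AUOptions value only matters for what Windows does outside the maintenance window; the WSUS and deferral values are what shape the set of updates Deep Freeze is offered during it.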

Updates using 3rd-party tools

Customers who use 3rd-party tools to manage updates should take care that updates are scheduled for a time when Deep Freeze is Thawed, to prevent conflicts. Due to the nature of Deep Freeze, it is not recommended that more than one application attempt to control the update process. If a 3rd-party platform is to be used, administrators should ensure that the Thawed period is long enough for all the required tasks (including any required reboots) to complete without being interrupted by the computer returning to a Frozen state.
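For a 3rd-party scheduler that runs its own update step, the wrapper below (an added example written for this article, not Faronics' code or any vendor's) shows the checks a practitioner would want before touching a Deep Freeze workstation: it refuses to install while the system is Frozen (updates written to a Frozen volume are discarded at reboot), it stops if a reboot is already pending so the Thawed window is not wasted, and it installs only Critical/Security-classified updates through the Windows Update Agent COM API, the same API this article says Deep Freeze drives, mirroring the Critical/Security-only behaviour described in the WSUS section. Assumptions: DFC.exe, the Deep Freeze command-line control installed with the client, is on the PATH and "DFC get /ISFROZEN" exits 0 when Frozen; confirm both against your Deep Freeze version's documentation before relying on them.

```powershell
# Added example (not Faronics' or any update vendor's code): guard a 3rd-party
# update run so it only installs while Deep Freeze is Thawed, and report whether
# a reboot must fit inside the Thawed window.
# Assumption: DFC.exe is on the PATH and 'DFC get /ISFROZEN' exits 0 when Frozen.

function Test-DeepFreezeFrozen {
    $dfc = Get-Command dfc.exe -ErrorAction SilentlyContinue
    if (-not $dfc) { throw 'DFC.exe not found; is the Deep Freeze client installed?' }
    & $dfc.Source get /ISFROZEN | Out-Null
    return ($LASTEXITCODE -eq 0)   # assumed: exit code 0 = Frozen, otherwise Thawed
}

function Test-PendingReboot {
    # Standard places where Windows records that a restart is still required.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $sm.PendingFileRenameOperations)
}

function Install-SecurityUpdates {
    param([string[]]$Severities = @('Critical', 'Important'))
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found) {
        # Keep MSRC-rated updates and anything in the Critical/Security Updates
        # categories; feature upgrades and optional drivers are left alone.
        $cats = @($u.Categories | ForEach-Object { $_.Name })
        $isSecurity = ($u.MsrcSeverity -in $Severities) -or
                      ($cats -contains 'Security Updates') -or ($cats -contains 'Critical Updates')
        if ($isSecurity) {
            if (-not $u.EulaAccepted) { $u.AcceptEula() }
            [void]$toInstall.Add($u)
        }
    }
    if ($toInstall.Count -eq 0) {
        return [pscustomobject]@{ Installed = 0; ResultCode = 0; RebootRequired = $false }
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $result = $installer.Install()
    # ResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed.
    [pscustomobject]@{ Installed = $toInstall.Count; ResultCode = $result.ResultCode; RebootRequired = $result.RebootRequired }
}

# --- main: run this as the scheduler's update step ---
if (Test-DeepFreezeFrozen) {
    Write-Warning 'Workstation is Frozen; anything installed now is discarded at reboot. Exiting.'
    exit 1
}
if (Test-PendingReboot) {
    Write-Warning 'A reboot is already pending; restarting first so the Thawed window is not wasted.'
    Restart-Computer -Force
    exit 0
}
$run = Install-SecurityUpdates
$run
if ($run.RebootRequired) { Restart-Computer -Force }
```

When the wrapper restarts the machine, the workstation must have been set to boot Thawed (not merely "thaw on next boot only"), otherwise the restart that completes the installation is also the one that re-freezes the disk and rolls the updates back; size the Thawed period to cover the install plus that restart, as the section above advises.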

