Deep Freeze and Windows Updates
Posted by Adam Zilliax, Last modified by Adam Zilliax on 10 June 2019 08:04 AM
This document will provide details on how Deep Freeze Enterprise interacts with the Windows Update service and will provide suggestions on how best to configure the product to control the update process on client machines protected by Deep Freeze.
How Deep Freeze Handles Updates
Owing to the nature of what Deep Freeze does to protected machines, updates must be installed on the client machine while Deep Freeze is disabled. This is best done by scheduling a specific time period in which the client systems automatically enter a Thawed (non-protected) state, perform the required updates, and then return to a Frozen (protected) state when the process is completed.
When Deep Freeze is controlling the update process, the general flow of operations is as shown below:
During the update process Deep Freeze interfaces with the Windows Update Service on the client machine to ensure that updates are installed and that all appropriate steps are taken so that the updates are fully installed before the system returns to a protected state. Any problems with the update process that would result in failed updates are handled and rolled back, with the appropriate information retained in the Windows Update logs on the client machines.
During this process the machine will perform a number of reboots, up to a total of 5, to complete the update process. The update process can take between 15 minutes and 6 hours depending on configuration and the size of the updates being installed on the client machine, with the system returning to a Frozen (protected) state when the update process is completed.
This same general process is used when performing updates through a scheduled task on the client machine, or if a task is executed on demand to run the updates on the client systems.
When Deep Freeze is configured to install through the Windows Update web service, only updates categorized as Critical Updates and Security Updates are installed. This means that even after updating the client machine through Deep Freeze, some updates may still be shown as pending when checking the status of the updates through the Control Panel or the Settings application. When updating through a WSUS server, all approved updates for the selected target group will be installed regardless of classification.
Deep Freeze & the Windows Update service
Deep Freeze, when installed on client machines, will suppress the Windows Update Service to ensure that updates are not installed on the client machine while the system is in a protected state. This prevents the client machine from wasting resources downloading and installing updates only to have them removed when the client reboots. Depending on the configuration of the systems, the Windows Update Service may also be suppressed when the computer enters a Thawed state to ensure that the client machine does not install updates outside of the pre-configured maintenance tasks. If Deep Freeze is not configured to control the update process, the Windows Update service will start when the system is Thawed and may attempt to download updates immediately upon reboot.
Please note that when updating through a WSUS server, client machines may not report the update status back to the WSUS server immediately, depending on the timing of the installation process.
Windows Store / Modern UI Applications
Because Deep Freeze interfaces with the Windows Update Service to suppress the installation of updates during the Frozen state, Windows Store based applications (Modern UI Applications) also cannot be installed while the system is in a Frozen state.
Feature Releases are installable while Deep Freeze is installed on the client machine provided version 8.56 or higher is installed.
Installation of the feature releases is possible provided that the feature release is available through the Windows Update Service or through your WSUS server. As of May 2019 Feature Releases do not appear to be available through the Windows Update web service, but can be approved and installed when working with a WSUS server.
Windows Update Logs
The activity of the update process is logged in DFWUlogfile.log. By default this file is located in the following folders:
32-bit Windows - C:\Program Files\Faronics\Deep Freeze\Install C-0\
64-bit Windows - C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\
The “Install C-0” path may in some cases show a different number or letter if your boot volume is not the C:\ partition.
A further log file exists in the %windir%\SoftwareDistribution\ folder. This log file details the status of any updates that are downloaded to the Windows Update Cache while the computer is in a frozen state. This log file is cleared on a periodic basis once the update process successfully installs the updates downloaded to the cache.
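The following PowerShell is an added example, not part of the original article or of Faronics tooling. It finds DFWUlogfile.log under the default folders listed above, matching any "Install *" folder to cover boot volumes other than C:, and reports how recently the log was written together with the state of the Windows Update service. The 35-day staleness threshold, the function name and the output field names are assumptions for illustration.

```powershell
# Added example: report DFWUlogfile.log location/age and the Windows Update service state.
param(
    [int]$MaxAgeDays = 35   # assumed threshold; set it to your maintenance interval
)

function Find-DeepFreezeUpdateLog {
    # Check both Program Files roots; the (x86) variable is empty on 32-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Faronics\Deep Freeze' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -Unique

    foreach ($root in $roots) {
        # "Install C-0" may carry a different letter or number, so match "Install *".
        Get-ChildItem -LiteralPath $root -Directory -Filter 'Install *' -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-ChildItem -LiteralPath $_.FullName -File -Filter 'DFWUlogfile.log' -ErrorAction SilentlyContinue
            }
    }
}

$logs = @(Find-DeepFreezeUpdateLog)
$svc  = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$svcState = if ($svc) { "$($svc.Status)" } else { 'not found' }

if ($logs.Count -eq 0) {
    Write-Warning 'DFWUlogfile.log was not found under the default Faronics folders.'
}

foreach ($log in $logs) {
    $age = (Get-Date) - $log.LastWriteTime
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        LogPath       = $log.FullName
        LastWritten   = $log.LastWriteTime
        AgeDays       = [math]::Round($age.TotalDays, 1)
        # Stale = no update activity logged within the assumed interval.
        Stale         = $age.TotalDays -gt $MaxAgeDays
        WuauservState = $svcState
        LastLines     = (Get-Content -LiteralPath $log.FullName -Tail 3) -join ' | '
    }
}
```

A machine whose log is marked Stale has logged no update activity within the chosen interval and is worth checking against its scheduled maintenance tasks.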
Windows Update Caching
Deep Freeze can provision a storage location on the local machine where updates can be downloaded while the computer is in a Frozen state for installation at a later time. This configuration has the advantage of spreading the download out over the course of a day prior to the start of the maintenance tasks, potentially speeding up the install process and reducing the time during which the machines are unprotected.
This is done by reserving 10 GB of disk space on the local machine. This storage location will be accessible, but hidden, as a B:\ drive on the local computer on Windows 10 machines. Operating systems earlier than Windows 10 will still create the cache but will not create the mapping to the B:\ drive. This letter can be changed in the Deep Freeze Configuration Administrator.
Allow Deep Freeze to control the update process.
Deep Freeze contains a number of pieces of logic intended to make the update process simple and safe on client machines. Allowing Deep Freeze to control this process will ensure that updates are installed only at the scheduled time periods defined by administrators and that the process can be completed prior to returning the machine to a protected state.
Allow the update process to run “until finished”.
Updates can be run either on a fixed schedule, or “Until updates (are) complete”. Running on a fixed schedule, while predictable, has two distinct issues.
Running the updates “until finished” avoids both of these issues as it only leaves the machines in a thawed state long enough for the system to download, install, and complete the update process, and avoids problems with having to gracefully end the update process if it runs longer than anticipated.
Use WSUS as your update source.
Using a WSUS server allows for a larger set of updates to be installed without user intervention and provides an additional level of control over the update process.
Use Caching if the machines are on a slower connection.
If your workstations are on a slower internet connection, enable the Caching feature of the update process. This will spread the download out over the course of a day and will help prevent issues when all machines are attempting to download and install updates at the same time.