Patch Management Group

Does anyone know if Symantec can or will be using Windows Update for Business?

We have been reviewing what Windows 10 updates are available in 7.6 for Windows 10 Enterprise and we have only seen the Cummulative Updates.  We do not see the November Feature upgrade to 1511.

Are we missing something?  Will the Patch Management Suite support the upgrading of the OS through this method or will we be required to deliver this with Software Delivery?

Below for reference is a link to the Microsoft description and details about Windows Update for Business plus an excerpt from this link below. 

https://technet.microsoft.com/en-us/library/mt622730(v=vs.85).aspx

OS upgrades and updates

In Windows 10, Windows Update for Business recognizes three deployment categories that clients receive from Windows Update:

• Upgrades

  • Examples: Windows 10 (Build 10240) to Windows 10, Version 1511; CBB 1 to CBB 2

    Note  

    In the Windows 10 servicing model, new CBBs will be declared 2-3 times per year.

     

• Updates

  • General OS updates, typically released the second Tuesday of each month. These include Security, Critical, and Driver updates.

• Other/non-deferrable

  • Definition updates (these cannot be deferred)

I am also very curious about how Symantec will be handling these upgrade branches.

I am in a meeting all week to discuss how we could go to Windows 10. I too only see the cumulative updates and do not know how we will deploy say feature upgrades. I am hoping Altiris will do this too as if it cant, what is the point of having a support app where you have to use some other method for Upgrades then can use Patch Management to apply cumulative updates.

not sure if this directs you but I put a ticket into Symantec HD and got this back..

Part of Email

At this time Windows 10 Feature Packs are not supported by Patch Management due to the delivery and installation methods. This document goes into detail on this issue:  https://support.symantec.com/en_US/article.INFO3298.html?

Then said there is a work around.. but read fine print..

https://support.symantec.com/en_US/article.INFO3298.html

While it is possible to deploy these updates via Software Delivery Solution, it may void the support agreement with Microsoft, and that will need to be reviewed with their EULA. 

so then link given..

https://support.symantec.com/en_US/article.HOWTO124389.html?

now this article provides information on "how" but you are not directed to where to get the files from.

I was told..

You would need to download the packages from Microsoft. As these updates are not supported as part of Patch Management, we do not have the download links for them.   

You may wish to find out if WSUS can do this or not, because if it can, then this may sway Symantec's current mindset on this topic. 

I sure hope Symantec is working hard on finding a solution to this universal IT dilemma.  The Windows 10 support model requires you keep up to date with the Windows build releases and those releases will be coming frequently enough to warrant some serious automation that doesn't require custom package creation.  We should be able to stage and deploy these updates just like any other Windows update in patch management solution.  

Microsoft states that build updates on the Current Branch for Business (CBB) track can be done by Windows Update, WSUS, SCCM, or 3rd Party configuration management tools so it doesn't appear they are intending to prevent tools like Altiris (ITMS) from deploying these updates.  Read more about maintaining Windows 10 here: https://technet.microsoft.com/en-us/library/mt598226(v=vs.85).aspx

Until Symantec gets these build updates working within the patch management solution (where they belong), they should publish an official recommendation for how they can be done in the existing versions of their product.  At first glance, the above referenced article (INFO3298) appears to do this but actually refers admins to a How To article (HOWTO124389) which explains how to do an in-place upgrade from a previous OS (Windows 8) using the files from a Win 10 DVD.  This is an entirely different task from maintaining Windows 10 build releases. The vague statement about voiding MS support agreements is not helpful either.   

well my boss said if Symantec cant figure this out and if we cant get funding for LTSB...were going to look at sccm... it is what it is.... better brush up my resume as I know zilch bout sccm... 

Any updates on this?  I am interested as well.  If Symantec isn't able to figure this out, we'll probably be rolling out win10 with another deployment & patch solution.  Does WSUS cover it?

two pieces I was told by our rep...

1.

I circled back with our team for some guidance, and they were able to share the following with me.

My team has told me that the Feature Release updates that are referred to here are really like updates to the OS itself as opposed to security updates. Windows 10 is the first version of Windows that has exhibited this behavior.  The Patch Management System currently doesn't handle these, since they are not an OS or Application Security update.  We are working ways to make this part of the Patch Manaement tool directly.

They have shared with me a workaround which involves you pulling down the .iso for the feature update and pulling out the files and delivering them via software management.  See the link from Microsoft which provides more details on how to accomplish this

https://www.microsoft.com/en-us/software-download/windows10  

2. Yes. We are working on a supported way for this. Timeframe and exact solution is TBD but this is something we are working on.

has anyone found documentation on how Shavlik is dealing with Win10 for business?  I'd expect Symantec to be able to support what Shavlik makes available to them.  Maybe Shavlik isn't licensing that secret sauce out to other patch tools?

We are also holding our breath on this one.  I would also like to point out another thing worth considering in addition to the Feature Updates.

WSUS and Windows Update are able to deliver driver updates to Windows 10.  This is a huge advantage over just patching that we need to consider.  With many of the early devices we ran Windows 10 on, the stability of these devices was attained by using Windows Update to put these drivers on.  I read a stat somewhere that said 70-80% of the content delivered through Windows Update was drivers.

As for switching to SCCM, my understanding is that SCCM does not have Software Catalog functionality.  There are many features within Symantec that I believe we would all miss.  BUT it is definitely something to consider

If I'm reading this thread right, the question is when/if Symantec will support the push of (feature) Win10 upgrades like from win10 to win10 build 1511, right?

It looks like WSUS is able to push

http://windowsitpro.com/windows-10/windows-10-1511-upgrade-now-wsus

I'm less concerned about driver updates.  We lay down correct drivers at image time and I'd rather not mess with them.  I suppose it's possible that one of thes win10 feature builds may require updated drivers though if something starts misbehaving.

This is the answer I got from support "We do offer patching for windows 10 for security updates we do not offer nor will offer feature packs that are not classified as security updates."

Am I not reading the microsoft documentation correct that if we don't stay within 2 versions of the latest CBB (which Symantec support is telling me we can't support through patch), that we will no longer be eligible for security updates?  Doesn't that really make these feature updates security related?

" Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates."   https://technet.microsoft.com/en-us/library/mt574263(v=vs.85).aspx

here's another technet article I found

" Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end."  https://technet.microsoft.com/en-us/library/mt598226(v=vs.85).aspx#deferred_upgrade_CBB

When I pressed Symantec then they said cumulative updates are supported including 1511...  not matching what original poster posted.  I'll have to see if I can still get the original version via MS downloads and put the agent on it to see if 1511 is available.

Please help me understand the current concerns, for my perspective of how Patch Management Solution manages Cumulative Software Updates for Windows 10 being outlined on INFO3207, and with INFO3298 detailing that the Windows 10 Feature Packs are unable to be managed in Patch Management Solution due to the delivery & installation methods from Microsoft at this time, but with the workaround to deploy Feature Packs utilizing Software Management Solution on HOWTO124389, it appears these concerns are addressed. 

Windows 10 Cumulative Software Updates are deployed via Patch Management, and the Feature Packs are deployed via Software Management, so the ability to deploy both is already present in ITMS for the environment. Additionally, I see CSWU-021 is present in the PRC and houses KB3140743; Cumulative Update for Windows 10 - 1511.

Moving forward; if there are concerns of whether or not an update is present; review the processes outlined on TECH198736. Additionally, you may always escalate a review case for adding any Software Update to the Patch Backline Team, and they will advise on if the update can be managed or why there are limitations that require a workaround similar to that in the HOWTO above.

Please review these articles and let me know what further concerns remain and I will be happy to follow up on them.

Thank you

Hey Joshua,

Thanks for responding, as always.  I'm sure this is all obvious to you, but the new Win10 terms, tracks, and flowcharts are new to me and anything but clear compared to how easy it was to manage win7 patching.  The confusing part for me is exactly what updates are considered cumulative vs feature and what exactly needs to be installed to stay current with the CBB branch and continue to receive security updates.

It seems like going from original win10 release to win10 1511 is a feature update and thus not supported by patch, correct?  If that's true, it seems unfortunate as WSUS and Shavlik protect are supporting this feature update/upgrade.  

"Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates."   https://technet.microsoft.com/en-us/library/mt574263(v=vs.85).aspx

I have a test Win10 VM I set up (original release) with GPO set to defer updates.  Via patch, I installed the latest cumulative update, CSWU-022, and remain at original windows 10 release (winver reports build 10240).  So if I'm understanding you and how Microsoft CBB works, I will only continue to receive security updates on this original release win10 VM until the next 'feature' release after 1511 (they only support current release and one back for security updates, right?).  

If all that is correct, the only way I will continue to receive security updates (with Symantec) is to push out 'feature' updates via software management solution.  To me - that makes those feature updates actually very much 'security' updates.

We push Java via symantec's software management because we use custom deployment files not easily supported by patch - and it's very much less than ideal compared to the other apps we update via patch.  I can't imagine trying to realistically use it for these very large feature updates and would likely look for another solution instead.

I hope I'm misunderstanding and you'll tell me where I'm wrong because I've been so happy with Patch thus far, I don't really want to think about moving elsewhere.

Thanks!

Thanks to everyone who has added their comments throughtout this thread.  I started this thread to raise awareness of the limitations I saw and am glad that others concur.  As Sally has pointed out, WSUS and Shavlik seem to be capable of handling the feature updates, and in WSUS's case also the driver updates.  We are all very interested in improvements to what we consider a very good patch systems as it stands, but with the challenges outlined, we have internal pressures to consider alternative solutions or even go completely off the reservation and do things like kicking off a task for a machine to talk to a WSUS server to get the added drivers and feature update benefits. (just throwing a crazy thought out there)  

Since we have been working with Windows 10 from about May 2015, we have seen many challenges with drivers for new and older devices.  Many weird and head scratching problems were ultimately resolved by just going to Windows Update to resolve.  We pushed hard to get our ITMS to version 7.6 to support Windows 10 and for the most part, that has been positive.  It also resolved many other 7.5 interface issues, introduced agent health, so it wasn't just for Windows 10 compatibility that we went through that effort.

What we really want to hear from Symantec is that ongoing improvements in the more challenging areas are put into the product.  We want a compelling story that keeps this product in our enviornment.  There is a huge effort in going through all the effort of replacing a product like this and we certainly don't want to keep adding in point solutions to solve problems this system could take care of.  There is plenty of pressure to go SCCM but we all know that in heterogeneous environments that need to support Mac, Linux, and that would be a shame.

We will be taking a serious look at version 8.0 but if some of the concerns here are not at least put on the roadmap for 8, we may be in a totally different position where we re-evaluate where we stand.

Thanks.

Joshua,

Any update on this?  Support is telling me that the update to 1511 is cumulative and is supported via patch, but when I take an original build machine and run all available win10 updates via Patch Management (CSWU-022) on it, it doesn't update to 1511.  

I am happy to hear if this is a bug that will be resolved - what I don't want is to be pushed to software delivery because it's just not nearly as reliable nor smooth for the user.  

Thanks, as always.

I am uncertain what you are requesting here on Connect, for I am unaware of any rule review for CSWU-022.

If you can confirm that client shows it requires the updates from CSWU-022, e.g. Windows Updates, then we will need to review this on a case with the data pulled from HOWTO60789.

If you have a case designated for the review of the rule for this update; PM me the number and I will be happy to review it.

Were you ever able to upgrade a win10 machine to 1511 with patch?  Support is telling me it's not feature update, it's cumulative and should work.  I can't get it to work in my testing, but I wonder if I'm not being offered it since my win10 install isn't 31 days old yet.  They are closing out the ticket since Windows isn't offering me the update, either, so hoping someone else here can chime in if Patch successfully is updating clients to 1511.  Otherwise, I have to wait a few more weeks I guess to test the theory.

from what I am seeing on microsofts website they say you pull down the tool to download the iso. then you extract the feature from that and deploy it as a SWD. For us that will not fly. We are trying to head down the LTSB path which will give cumulative updates only... but also takes edge away and more which is good for us too.

just the cost is what is holding everything up...

Sally, as I understand this so far, 1511 is a feature update so it is not done through patch.  The SWD method appears to be the only method other than also connecting the device to WSUS or Windows Update. 

In our testing, we have consistently refreshing until we were at 1511 so all test machines and the few production devices are 1511.  The next release for us will be the one of concern.  (so far, I would not leave anything previous to 1511 as there was so much that was stablized) 

Well, Symantec support has said in response to my ticket that 1511 is a cumulative update, not a feature update and is supported via patch.  I suppose I will have to wait until my VM is 31 days old to test.  

Symantec won't work with me until Microsoft shows it as an available update, and from what I read, MS won't show as available until it's 31 days old.

Sally,

    Did they say what cumulative update it is then? I will give a test at it.

I have a CB vm and CB physical box to upgrade plus a LTSB to do....

gonna hammer em all with all patches at once... hopefully tomorrow.

any luck? 

well no... the cswu only has patches not the feature set. Still need that. 

Also learned that the CSWU-022 (latest at this time) is the only one needed. It includes ALL from CSWU-001 - CSWU-022. Next month I will disable CSWU-022 and unable CSWU-023.

The question for me is still does it upgrade the original Win10 install to WIn10 build 1511?

Support tells me it should, that it is part of a cum update and not a feature update.  My VM will be 31 days old next week I think so I can test then.

I put in a 2nd ticket with support.  I proved that my VM, once 30 days old, did prompt from MS to install 1511, but Symantec patch management isn't offering the update anywhere that I can see.

I am hoping that support will tell me since 1511 just went CBB last week, that it will be supported shortly in patch.  If Symantec is not going to support these build version updates (managed software policies is not an acceptable answer), I need to know to start looking more seriously at Shavlik protect which is promising support for feature/build updates. 

On my original ticket, support assured me build updates are supported as cumulative updates and not feature updates, Microsoft sure makes it seem like in the link above that 1511 is a feature update.  However, Symantec shouldn't take the stance that it's not a security update, so we're not going to support it, as Microsoft has said they will only support 2 build versions.  When the next build comes out, they will drop support for original build 1507 and only support 1511 and new build for SECURITY updates.  To me, that makes these feature updates, security updates by default.

Review November Feature upgrade 1511 and confirmed it is an .iso file, and is therefore not supported by Patch Management Solution; however, it is able to be deployed via Software Management per the workaround outlined on HOWTO124389.

This is due to the limitations of delivery and implementation methods utilized by Microsoft, and is not something that can be modified in the current code of Patch Management 7.5 through 8.0 as outlined in INFO3298.

It seems the most reliable option for now is to develop a solution to support LTSB in your organizations so there can be more control over how updates are brought down to the endpoints. I know there are cost concerns for some, but another cost would be incurred moving to another client management solution along with all of the time associated to start over. We're a bank so there's no way we would be able to have such a dynamically changing environment with the way Windows 10 (non-LTSB) updates are handled. Maybe thin clients could be looked at, but those have their own challenges and aren't a panacea by any means.

Also, we're starting to deploy Surface Pro 4 tablets so no downgrading the OS. We developed LTSB for those, too. It looks to work well so far.

well LTSB is an expensive option for us. The method of pulling from the ISO and deploying via swd maybe a possibility. I am going to test this out myself to see. 

we have a 3rd party provider that supports our server infrastructure and our "Desktop" computers. They use SCCM. For us to switch to SCCM would be costly even though it is free to enterprise - would be free to them and they would charge us. 

We support our laboratory computers (4000) via Altiris and they support 36000 in SCCM... if we go SCCM it is very costly (and I maybe out of a job [:-p>  )

Other issue for us is even if we get the funding and make LTSB a standard, we still get vendor supplied pcs that come with instrumets. Some are built into the instrument and they will be any flavor of O/S thus we need to have a method of supporting those. Our model defines if it is connected to the network it gets patched. End of story so we have to figure this out...

more to come.

Jeffrey J. Riggs

Shavlik protect has said they'll support these feature updates/upgrades before the next release (Redstone, expected in June).

https://twitter.com/ChrisGoettl/status/705068861175926785

I am hopeful when this happens that Symantec has a similar support plan.  If not, we will be looking to move to Shavlik for our win10 rollout & looking for new PC management solution entirely.  

Using LTSB (meant for ATMs and such) is not an option here (no Edge, no Photo Viewer, probably other items that a production client should have).  Pushing feature updates via software deployment is not livable, either.

Agreed, feature updates via soft. deployment is not a viable option for us, either. Not entirely happy with what MS is doing. We do wish Symantec (specifically, Altiris) could keep in step with the changing landscape that Windows 10 seems to be dictating. We may end up looking at a different client managment suite, as well...and this is after many, many years of Symantec/Altiris usage and experience.

That's why, at this time, LTSB is the best option for us. No Cortana, Edge or certain Windows Store apps. In my opinion, a prod machine doesn't need them and adds to the support sprawl. We want maximum steadystate. In our case many apps still don't fully support IE11 quite yet and have ZERO designs on moving to Edge. Not many have adopted Edge...yet.

I guess it all depends on how fast we're forced to go to Windows 10 for our respective environments. We're testing, but the only machines dictated to have Win10 are our Surface 4 tabtops.

I was just sitting here thinking “What happened to Windows Embedded?”
quick google got me here..

WINDOWS EMBEDDED IS DEAD. LONG LIVE WINDOWS IOT?

http://www.logicsupply.com/explore/io-hub/windows-embedded-is-dead-long-live-windows-iot/

Then back to google and look for an actual Microsoft page… Very interesting read…

¾ way down gets very interesting.

https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot

That's an intertesting link. I did not know about Windows IOT. That's the version for kiosk/ATM machines, it seems.

I agree... it is interesting. I need to download it and install into a VM to check it out..

so I did follow:

https://support.symantec.com/en_US/article.HOWTO124389.html

and was able to do a SWD of 1511...

here are my quick notes.

Installation Timeline

Altiris Job cached first part 8:43am - 9:42am. Network speeds and package server locations/performance/throttling (we are set to 20%) will affect this and you may be quicker/longer.

• 8:43am started 1511
• 9:18am 56%
• 9:42am 100%
• 9:43am - started
• 9:57am - all controls removed - install starts
• 10:22am - 22%
• 10:44am - 76%
• 11:00am - 100% OS upgraded

An hour install (not including the download) if I'm reading this right. sheesh.  That's not pretty.

so I have attached what I sent out as a screen shot oriented piece. my full documentation sent to my team. None of us are liking this...

hope i blackened out our key stuff.. but anyway not much info but something to think about...elaborating on what I posted above.

Attachment(s)

Windows10Feature1511DeployGeneric.docx   1.40 MB 1 version

Excellent document!

So, imagine you have 500 (or more) machines needing this feature stack...not fun!

So, I wonder how this would work with a PGP-encrypted endpoint? I'm going to do some testing on my end with that scenario. So far, we are only using Windows 10 on the Surface Pro 4 tablets in production. It has a funky partition layout so that's why I am wondering about the behavior of PGP and this feature update. Also of note, we've converted the Surface Pro 4 image to LTSB so essentially a total rebuild.

^^ Let us know!

Very Curios about this as well.

something else i have found in my testings... upgrading to 1511 has not been consistent. Microsoft services that we disabled were now enabled... even custom services from other apps were changed. Then a rollback kinda worked for some and even changed some of those services to something totally different!!!!!!!!!!!

this is gonna be painful as we are a company that do not have a standard image (well we do but we receive many vendor boxes too)

Windows 10 version 1511 is a feature update.  Feature updates are separate and distinct from security updates and cumulative updates in the sense that they contain new features and represent the start of a new branch.  As such, they are more akin to operating system service packs.

Microsoft does not make Windows 10 feature updates available to be directly downloaded in an automated manner, other than through Windows Update.  If not using Windows Update/WSUS, customers are requir.ed to go to Microsoft's website and build an .ISO file for Windows 10 version 1511.

Once customers download the .ISO file, the .ISO file can be distributed by the Software Management Solution, as documented in the above-referenced KB article.  Others on this thread have expressed dissatisfaction with this approach, but have not explained the reasons for same.

 The Symantec Patch Management Solution uses version 9.1 of the Shavlik SDK.  The currently shipping version of Shavlik's product (9.1) and the associated SDK do not support Windows 10 feature updates.  Shavlik is planning to add support for Windows 10 feature updates in version 9.2 of its product.  If Shavlik adds support for Windows 10 feature updates to version 9.2 of its product, it should be possible to update the Symantec Patch Management Solution to take advantage of the new capabilities.  Shavlik has indicated that they may not be able to add support for Windows 10 feature updates to versions of their product prior to 9.2 because of technical limitations.

This means that the workaround of using the Software Management Solution described in the above referenced KB article is the recommended way to install Windows 10 feature updates. 

There also seems to be a misconception regarding the implications of the Redstone (anniversary) release of Windows 10.  The original GA date for Windows 10 was July 29, 2015.  When Redstone is released, it will become the Current Branch.  It will not be the Current Branch for Business until approximately 4 months after its release.  That means that support for the original Windows 10 GA release as the Current Branch for Business will not end until approximately 4 months after the GA of the Redstone release.  Support for the original Windows 10 release will not end when Redstone is released.

I just emailed our Microsoft rep to complain about the support model for enterprise patching.  Having users sit through download and upgrading is a huge step backwards (versus silent win7 patching), even if/when Symantec+Shavlik supports it.

Your voices have been heard loud and clear. 

Symantec would like to be able to offer customers a better user experience and has taken steps to make that happen.  There is hope of some improvement on the horizon once Shavlik adds support for Windows 10 feature updates to its SDK, but it's actually Microsoft itself that is posing the bigger obstacle at this point by not permitting feature updates to be directly downloaded in an automated way by tools other than its own.

There were very few people within Microsoft who actually understood how Windows 10 updates would work up to, and even after, the initial release on July 29.  I, personally, requested information numerous times within the 6-9 months prior to the GA date and could not find anyone within Microsoft who was able to answer my questions.  I suspect that the only people who actually understood things were those on the Windows 10 product team itself.

This isn't about bashing Microsoft, but rather is intended to articulate the nature of the constraints that have resulted in the current situation and why the documented workaround is currently the best solution available.

@MG17 - agree that this is really Microsoft's issue, now that I finally understand what is going on, but also think that Symantec could do a much better job informing their support techs of what's going on.  I got very different (and sometimes just plain incorrect) info with the tickets I submitted to the patch team.

I wrote our MS rep and she assured me there will be some changes coming in the anniversary update edition (possibliy specific to education) where users will be given up to 8-9 months to be forced into the long and unfortunate upgrade process.  Even though I work for a K12, we typically run Enterprise versions of windows, so not sure how that would play into it.

I replied explaining again that forced feature upgrades whether they be after 4, 8 months or even 2 years are a major step backwards for microsoft enterprise patching.  They are moving in the direction of Apple where updates are >1GB that are difficult to support in an enterprise environment - especially when 80%+ are laptops that go home at night.

Our users don't want to be bothered with an OS upgrade or reimage mid life cycle.  They want a machine (typically with Office and a web browser) that works 24/7 without disruption.  We've been giving Apple complaints for years about their security updates being bundled into >1GB files, and are so disappointed to see Microsoft headed in this direction.  

And yes, I understand these >1GB feature updates aren't security updates, but if you are >2 versions out of sync with feature updates, you no longer get security updates is how I understand things... hence really making these feature updates security updates in the long run.

It's been a few months since the last post.  Are they any updates?

indeed it has... what were we waiting for again?

i have been doing CSWU deployments... also deployed full upgrades to 1511 and also to 1607...

in addition I have taken windows 7 pro to windows 10 enterprise upgrades...

Hi TeleFragger.

Are you deploying the upgrades via Software Management Solution as you said above? How is it going on?

In my environment we are running the same Altiris version like you (7.6 HF7) and I don't know if we will deploy these aniversary updates in our machines. The aniversary updates has security updates too? Or these updates has only new features and graphic things?

Well things are going great.. all in testing as we do not have win10 in production ( SHHHHH we do have a few )... but for now were not going to tell anyone. Vendor supplied so we have to keep testing and see what were going to do with them.

but yes using Software Management Solution it is going great. Basically I copy out the ISO but break it into 2 seperate packages. 1 for 32bit and 1 for 64bit.

That way we do not cache 64bit files to 32bit machines.... 

I haven't had a chance to test yet the latest update yet, but if you're not current with the feature updates (current update is anniversary or one back), you lose access to security updates for Win10 according to Microsoft.

From that im told is you will loose patches after "X" amount of time... you dont loose immediately. I am running Win10, Win10 1511, Win10 1607 and all are patching just fine.. same with LTSB 2015 and LTSB 2016

The latest from Microsoft is they will support releases for a minimum of 18 months.  The original win10 update (1507) will hit 18 months in Jan if my math is right.  I'll be interested to see if they cut it off then.

"Each feature update release will be supported and updated for a minimum of 18 months" from https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview

Nice graph with update dates here (I assume they're right, I didn't check) https://blog.juriba.com/windows-10-branching-timeline

Support for Windows 10 feature updates has been added to the data feed used by versions 7.6 and 8.0 of the Altiris Patch Management Solution.

Windows 10 feature updates are distributed as .ISO files, which cannot be directly downloaded from Microsoft's site.  As a result, there is an extra step required in the process to download the .ISO file and copy it to the appropriate location.

All of this information, and much more, is described in a Knowledgebase article.

Wow, wasn't expecting this news - thanks for posting @MG17!

I'm looking forward to testing it soon.  I'd love to hear feedback on how admins are scheduling / notifying users on these feature update installs.

Found a minor issue with the KB article.

In my console the name of the .iso file in the patch information did not match what is in the batch file that runs the patch.  I had to modify the batch files to match what was listed in the patch package.  My patch package listed an ENU at the end of the iso file name that the ones in this article do not.  They might want to fix the patch package or change the instructions so things match.  Once I fixed the name of the iso in the batch files to match I was able to get it to work.

May I ask what your plan is for letting users know that when the feature update installs, it'll take down their machine for ~25 minutes?  The patch deployment worked fine in my testing, but I can't see how it would work in production.

I think nagging users and having users start the install manually via software portal when they have the 24 minutes to give up makes the most sense for us.  Unfortunately the software portal is not very user friendly, we may end up having users making appointments with technicians or us tackling a department at a time.

This all assumes machines come back up as expected, too.  

^^^ 24 minutes.. thats a great time. Mine took 2hrs!!!!! (4 including caching locally)

Christina,

I was excited to see feature updates added to patch, but I don't understand how in production it makes sense. The nice thing about PM with win7 is it's all silent to the user.  Our typical workflow is I push out patches and tell users they need to shut down the computer each night for patches to install (which only takes 2-3 minutes to install for win7).  Most of our users are mobile so they are shutting down a laptop to throw in their bag to go home.  

How does Symantec really seeing users using PM to push an update that takes a machine down for 25-45 minutes?  I get that it works physically, but users will need some sort of heads up that their machine is going into an upgrade state for an extended period of time and they can't just run out the door with their laptop in their bag.

The only way I can see realistically supporting feature updates with Symantec is via the software portal and nagging them via email or even sending technicians to walk through the update with them, especially after reading stories of feature updates not always coming up properly 100% of the time.

I have heard there are improvements coming to software portal, which I can only hope for, because right now it is not very user friendly compared to other self service products we use.

Note: we don't have an externally accessible ITMS server for policy reasons.  

Thanks for any thoughts

I was excited too, but the immediate restart without warning is just not acceptable. How can this be avoided? At least some warning should be possible.

I have deselected the option (for immediate restart if required) on the update policy, but little does it help.

Editing the package to restart after running (with user deferal options) also has no effect. 

Inside the bat file I checked and the parameter /noreboot is included, so what makes it restart?

Not my client update policy, which is set to never restart. 

I may have to go back to the alternative solution based on SWD:

http://www.symantec.com/docs/HOWTO124389

At least here users can be informed about the upcoming major update incl. restart.

Have someone found a working - user acceptable solution?

/Mikkel

@Mikkel

My plan (when we finally have to adopt win10) is to utilize the software portal.  I hope the portal will improve greatly in the next year for user friendliness.  I don't know how any admin can push an update that takes down a machine for 25-45 minutes of install time and not have the user involved in when that happens.  Software portal is the only solution that makes sense to me (short of full reimage).  We may actually end up sending techs to the machines to make sure machines come up ok - we'll see how testing goes.

im currently doing this via SWD. I just setup the 1607 (we are not going 1703) for Win10 Pro where I have both the 32bit and 64bit setup. Yes it will take the system down but if you think about it... this is how SCCM is doing it as well so if MS is doing it, cant expect Symantec to be doing things ahead of MS.

Our environment is most likely one of the WORST for this.

We deal with laboratories where they do "runs" for a day all the way to WEEKS... so we have adopted and implemented LTSB. We have a standard image now and getting ready to start rolling out but where the vendor refuses to use our image and/or imaged pc, we are telling them they will get 'FU'd and we cant stop it... they WILL GET IT and we will notify when it is going out and their responsibility to contact us to exclude that machine for a bit till their run is done or for them to make sure it is not in use.

this in addition to the new MS patch literature is really not making things easy...

to pull this off i needed filters...

then policy could be created using them