Update cycle: How does the update from Microsoft get to the ACMP Client?

Last modified by Sabrina V. on 2025/09/22 06:57

Initial situation

Before an update can be installed on an ACMP Client, it must be obtained from Microsoft and made available. The update goes through several stages, most of which run fully automatically in the background and which the user usually hardly notices unless they actively intervene in the process or change existing procedures (e.g. configurations).
Using a specific update as an example, we will show how the update is obtained from Microsoft and what steps are required in ACMP so that it can be distributed to a client and then installed. This will also show how much time can elapse between the release of an update and its deployment. Let's start with a general overview of Microsoft's update release cycle.

Microsoft update release cycle

Microsoft always releases its updates according to a specific cycle. A new security update is scheduled to be released every second Tuesday of the month at around 10:00 a.m. Pacific Standard Time (PST/PDT). These releases are cumulative and contain all prior updates, which contributes to the security of your devices and helps to keep them productive. The updates are made available through various channels (e.g. Windows Server Update Services or the Microsoft Update Catalog), from which they can also be obtained. The individual version information pages list the corresponding releases of previous versions:

Note:

There are other types of update releases that can be provided, but these will not be discussed further here.

Example and requirements for distributing an update

Update KB5037771 (operating system builds 22621.3593 and 22631.3593) will be released by Microsoft on 14 May 2024 (second Tuesday of the month) and includes, among other things, several bug fixes and improvements for your Windows 11, version 23H2. It falls under

  • Product: Windows 11
  • Classification: Security Updates,

which you have selected for the following scenario. For the test and release process, you have specified the following settings:

  • No ring: Skip this ring and move updates directly to the next ring after reaching the Synchronisation distribution status.
  • Test ring 1: Automatically move updates into Test ring 2 after the update has been in this ring for 10 days.
  • Test ring 2: Automatically move updates into the Release ring after the update has been in this ring for 5 days.

Configurations for the application example

In addition, you have selected the setting On Demand – only download if at least one client requires the update (System > Settings > Windows Update Management > Options > Update Download Options). With this option, the download of the setup files is only triggered when the client provides feedback.

Note:

This option is generally recommended, as otherwise the storage space requirements are enormous, since all setup files are downloaded to your file repository, even if they are not installed or required by any client.

Before the update can be

1. The update published by Microsoft (14 May 2024) must first be obtained via the scheduled server task Download Windows Update Management metadata (System > Settings > ACMP Server > Scheduled Server Tasks > Windows Update Management). Depending on the selected start condition, the metadata for Windows Updates is downloaded daily (default start condition: Start daily).

Note:

The job runs at intervals; no specific time is specified for when the scanner should run, unless it is set to a defined time window. It is therefore possible that the job scan has already run for the day and will not start again until the following day.

Alternatively, the scan can also be triggered manually using the Start now button.

In this first step, ACMP learns about the new update for the first time, as it receives the new information directly from Microsoft.

2. Once the server task has been successfully completed, the Windows Update Scanner (Client Management > Agent Tasks > Windows Update Scanner) is launched on the respective client to check whether there are any clients in the system that have reported the update as "required". The metadata information contained here is reported back to the server, indicating what new updates are required ("Yes, required" or "No, not required").

Tip: You can also see whether a client has reported an update as required in the grid of the Updates tab in the Windows Update Management plugin.

3. If one or more clients report that the update is required, it is downloaded via Download Windows Update Management Setup (System > Settings > ACMP Server > Scheduled Server Tasks > Windows Update Management). Here too, the time of the download depends on the configured start condition. If no changes have been made, the condition is Start daily. Otherwise, the scan can also be started manually here.

Note:

Please note that the scanner runs at intervals with the start condition "Start daily" and the job may not be executed until the next day.

4. The update is now downloaded and released and moved to test ring 1 according to the settings of the test and release process. According to the test ring configuration, the update remains there for ten days before being moved to test ring 2. After five more days in test ring 2, it is moved to the release ring.

5. Once you have the metadata, you can use this information to create a collection within the Windows Update Collection and statically link the updates to the selected collection. Make sure you select the same products and classifications so that distribution is dynamic.

6. Store the Windows Update Collection in a container. Based on the container distribution, you can explicitly decide which client is allowed to receive an update at what time. Please note that you must specify settings (start conditions) for correct execution.

If you do not intervene further in the mechanism, productive distribution takes place.


Calendar view via the distribution scheme in the test and release process
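
The time that can elapse between release and productive deployment in this scenario can be worked out as a dated timeline. The following Python sketch is an added example, not part of ACMP or Aagon's documentation; the function names are hypothetical. It assumes that each of the three daily-triggered stages either runs on the same day (best case) or slips to the next day (worst case), that the client scan follows the same pattern, and that the update enters test ring 1 once the setup download has completed (step 4).

```python
from datetime import date, timedelta

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's scheduled security release day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

# Ring dwell times from the example configuration on this page ("No ring" is skipped).
RING_DWELL_DAYS = [("test ring 1", 10), ("test ring 2", 5)]

# Stages driven by jobs that may not run until the following day.
# Assumption: the client scan slips like the two "Start daily" server tasks.
DAILY_STAGES = ["Metadata downloaded", "Client reports 'required'", "Setup files downloaded"]

def timeline(released: date, slip_days: int) -> list:
    """Return (milestone, date) pairs; slip_days is the delay per daily stage (0 or 1)."""
    events = [("Released by Microsoft", released)]
    current = released
    for stage in DAILY_STAGES:
        current += timedelta(days=slip_days)
        events.append((stage, current))
    for ring, dwell in RING_DWELL_DAYS:
        events.append((f"Enters {ring}", current))
        current += timedelta(days=dwell)
    events.append(("Enters release ring", current))
    return events

def exposure_window(released: date) -> tuple:
    """Days from release until the release ring is reached: (best case, worst case)."""
    best = timeline(released, 0)[-1][1]
    worst = timeline(released, 1)[-1][1]
    return (best - released).days, (worst - released).days

if __name__ == "__main__":
    released = patch_tuesday(2024, 5)  # KB5037771 in the example above
    for label, slip in (("best case", 0), ("worst case", 1)):
        print(label)
        for milestone, day in timeline(released, slip):
            print(f"  {day:%d %b %Y}  {milestone}")
    print("days until release ring (best, worst):", exposure_window(released))
```

The result is the earliest point at which the update is eligible for productive distribution; the start conditions of the container (step 6) can add further delay.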

Summary and key points of the process:

  • Windows Update Management downloads the metadata
  • The Windows Update Scanner checks whether clients have reported the update as required
  • If reported as required: Setup files are downloaded and placed in the configured test and release process, where they pass through the various rings until they reach the release ring
  • The update can be linked in a Windows Update Collection, which is then stored in a container