Wiki source code of Excursus: Update Cycle: How does the update get from Microsoft to the ACMP Client?
Last modified by Sabrina V. on 2025/11/11 14:32
| author | version | line-number | content |
|---|---|---|---|
| 1 | === Initial situation === | ||
| 2 | |||
| 3 | Before an update can be installed on an ACMP Client, it must be obtained from Microsoft and made available. The update goes through several stages, most of which are controlled fully automatically in the background and which the user usually hardly notices, unless they actively intervene in the process or change existing procedures (e.g. configurations). | ||
| 4 | Using a specific update as an example, we will show how the update is obtained from Microsoft and what steps are required in ACMP so that it can be distributed to a client and then installed. This will also show how much time can elapse between the release of an update and its deployment. Let's start with a general overview of Microsoft's update release cycle. | ||
| 5 | |||
| 6 | === Microsoft update release cycle === | ||
| 7 | |||
| 8 | Microsoft always releases its updates according to a specific cycle. A new security update is scheduled for release on the second Tuesday of each month at around 10:00 a.m. Pacific Time (PST/PDT). These releases are cumulative and contain all prior updates, which contributes to the security of your devices and helps to keep them productive. The updates are made available through various channels (e.g. Windows Server Update Services or the [[Microsoft Update Catalog>>https://www.catalog.update.microsoft.com/Home.aspx]]), from which they can also be obtained. The individual version information pages list the corresponding releases of previous versions: | ||
| 9 | |||
| 10 | * [[Windows 10>>https://learn.microsoft.com/de-de/windows/release-health/release-information]] | ||
| 11 | * [[Windows 11>>https://learn.microsoft.com/de-de/windows/release-health/windows11-release-information]] | ||
| 12 | |||
| 13 | {{aagon.infobox}} | ||
| 14 | There are other [[types of update releases>>https://learn.microsoft.com/de-de/windows/deployment/update/release-cycle]] that can be provided, but these will not be discussed further here. | ||
| 15 | {{/aagon.infobox}} | ||
| 16 | |||
| 17 | |||
| 18 | |||
| 19 | === Example and requirements for distributing an update === | ||
| 20 | |||
| 21 | Update KB5037771 (operating system builds 22621.3593 and 22631.3593) will be released by Microsoft on 14 May 2024 (second Tuesday of the month) and includes, among other things, several bug fixes and improvements for your Windows 11, version 23H2. It falls under | ||
| 22 | |||
| 23 | * Product: //Windows 11// | ||
| 24 | * Classification: //Security Updates//, | ||
| 25 | |||
| 26 | which you have selected for the following scenario. For the test and release process, you have specified the following settings: | ||
| 27 | |||
| 28 | * No ring: Skip this ring and move updates directly to the next ring after reaching the Synchronisation distribution status. | ||
| 29 | * Test Ring 1: Automatically move updates into Test Ring 2 after the update has been in this ring for 10 days. | ||
| 30 | * Test Ring 2: Automatically move updates into the Release Ring after the update has been in this ring for 5 days. | ||
| 31 | |||
| 32 | [[Configurations for the application example>>image:67_Einstellungen_Test- und Freigabeprozess Konfiguration_Anwendungsbeispiel_966.png]] | ||
| 33 | |||
| 34 | In addition, you have selected the setting [[//On Demand – only download if at least one client requires the update//>>doc:ACMP.68.ACMP-Solutions.Patch Management.Windows Update Management.Einstellungen zum Windows Update Management.WebHome||anchor="HUpdate-Download-Optionen"]] (//System// > //Settings// > //Windows Update Management// > //Options// > //Update Download Options//). With this option, the download of the setup files is only triggered when the client provides feedback. | ||
| 35 | |||
| 36 | {{aagon.infobox}} | ||
| 37 | This option is generally recommended, as otherwise the storage space requirements are enormous, since all setup files are downloaded to your file repository, even if they are not installed or required by any client. | ||
| 38 | {{/aagon.infobox}} | ||
| 39 | |||
| 40 | Before the update can be | ||
| 41 | |||
| 42 | ~1. The update published by Microsoft (14 May 2024) must first be obtained via the scheduled server task //[[Download Windows Update Management metadata>>doc:ACMP.68.ACMP-Solutions.Patch Management.Windows Update Management.Konfigurationsmöglichkeiten im Windows Update Management.WebHome||anchor="HJobsundAufgaben"]]// (//System// > //Settings// > //ACMP Server// > //Scheduled Server Tasks// > //Windows Update Management//). Depending on the selected start condition, the metadata for Windows Updates is downloaded daily (default start condition: Start daily). | ||
| 43 | |||
| 44 | {{aagon.infobox}} | ||
| 45 | The job runs at intervals; no specific time is specified for when the scanner should run, unless it is set to a defined time window. It is therefore possible that the job scan has already run for the day and will not start again until the following day. | ||
| 46 | |||
| 47 | Alternatively, the scan can also be triggered manually using the //Start now// button. | ||
| 48 | {{/aagon.infobox}} | ||
| 49 | |||
| 50 | In this first step, ACMP learns about the new update for the first time, as it receives the new information directly from Microsoft. | ||
| 51 | |||
| 52 | 2. Once the server task has been successfully completed, the //Windows Update Scanner// (//Client Management// > //Agent Tasks// > //Windows Update Scanner//) is launched on the respective client to check whether there are any clients in the system that have reported the update as "required". The metadata information contained here is reported back to the server, indicating what new updates are required ("Yes, required" or "No, not required"). | ||
| 53 | |||
| 54 | {{box}} | ||
| 55 | **Tip:** You can also see whether a client has reported an update as required in the grid of the //Updates// tab in the Windows Update Management plugin. | ||
| 56 | {{/box}} | ||
| 57 | |||
| 58 | 3. If one or more clients report that the update is required, it is downloaded via [[Download Windows Update Management Setup>>doc:ACMP.68.ACMP-Solutions.Patch Management.Windows Update Management.Konfigurationsmöglichkeiten im Windows Update Management.WebHome||anchor="HJobsundAufgaben"]] (//System// > //Settings// > //ACMP Server// > //Scheduled Server Tasks// > //Windows Update Management//). Here too, the time of the download depends on the configured start condition. If no changes have been made, the condition is //Start daily//. Otherwise, the scan can also be started manually here. | ||
| 59 | |||
| 60 | {{aagon.infobox}} | ||
| 61 | Please note that the scanner runs at intervals with the start condition "Start daily" and the job may not be executed until the next day. | ||
| 62 | {{/aagon.infobox}} | ||
| 63 | |||
| 64 | 4. The update is now downloaded and released and moved to test ring 1 according to the settings of the [[test and release process>>doc:ACMP.68.ACMP-Solutions.Patch Management.Windows Update Management.Einstellungen zum Windows Update Management.WebHome||anchor="HTestenundFreigeben"]]. According to the test ring configuration, the update remains there for ten days before being moved to test ring 2. After five more days in test ring 2, it is moved to the release ring. | ||
| 65 | |||
| 66 | 5. Once you have the metadata, you can use this information to create a collection within the [[Windows Update Collection>>doc:ACMP.68.ACMP-Solutions.Patch Management.Windows Update Management.Windows Update Collection.WebHome]] and statically link the updates to the selected collection. Make sure you select the same products and classifications so that distribution is dynamic. | ||
| 67 | |||
| 68 | 6. Store the Windows Update Collection in a container. Based on the container distribution, you can explicitly decide which client is allowed to receive an update at what time. Please note that you must specify settings (start conditions) for correct execution. | ||
| 69 | |||
| 70 | |||
| 71 | If you do not intervene any further in the mechanism, productive distribution takes place. | ||
| 72 | |||
| 73 | [[Calendar view via the distribution scheme in the test and release process>>image:67_CAWUM_Test- und Freigabeprozess Beispiel Ablauf Update_700.png]] | ||
| 74 | |||
| 75 | |||
| 76 | |||
| 77 | **Summary and key points of the process:** | ||
| 78 | |||
| 79 | * Windows Update Management downloads the metadata | ||
| 80 | * The Windows Update Scanner checks whether clients have reported the update as required | ||
| 81 | * If reported as required: Setup files are downloaded and placed in the configured test and release process, where they pass through the various rings until they reach the release ring | ||
| 82 | * The update can be linked in a Windows Update Collection, which is then stored in a container |
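
To make the elapsed time between release and the release ring concrete, the following added example (not part of the original page and not ACMP code) walks the May 2024 update through steps 1 to 4 with the ring settings from the scenario. Assumptions: the daily job run times are hypothetical, the client scanner is modelled as a daily job, jobs finish instantly, and Pacific time is a fixed UTC-7 offset as it is in May.

```python
from datetime import date, datetime, time, timedelta, timezone

UTC = timezone.utc
PDT = timezone(timedelta(hours=-7))  # assumption: fixed offset, valid for the May example


def second_tuesday(year, month):
    """Date of the second Tuesday of a month (the release day named on the page)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_daily_run(after, at):
    """First run of a 'Start daily' job at or after `after` (UTC).
    at=None models pressing 'Start now' the moment the previous stage finishes."""
    if at is None:
        return after
    run = datetime.combine(after.date(), at, tzinfo=UTC)
    return run if run >= after else run + timedelta(days=1)


def timeline(year, month, metadata_at, scan_at, setup_at, ring1_days=10, ring2_days=5):
    """Walk one update through the stages; job run times are hypothetical inputs."""
    release = datetime.combine(second_tuesday(year, month), time(10, 0), tzinfo=PDT)
    release = release.astimezone(UTC)
    metadata = next_daily_run(release, metadata_at)  # step 1: metadata download
    required = next_daily_run(metadata, scan_at)     # step 2: client reports "required"
    ring1 = next_daily_run(required, setup_at)       # steps 3-4: setup download, "No ring" skipped
    ring2 = ring1 + timedelta(days=ring1_days)
    released = ring2 + timedelta(days=ring2_days)
    return {"release": release, "metadata": metadata, "required": required,
            "test_ring_1": ring1, "test_ring_2": ring2, "release_ring": released,
            "lag": released - release}


if __name__ == "__main__":
    # Constructed schedule: metadata 02:00, scanner 09:00, setup download 03:00 (all UTC).
    for label, times in (("scheduled", (time(2), time(9), time(3))),
                         ("manual", (None, None, None))):
        result = timeline(2024, 5, *times)
        print(label, result["release_ring"].isoformat(), "lag:", result["lag"])
```

The container start condition from step 6 is not modelled, so the actual installation on a client comes later than the release-ring time computed here.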

