In this post I will show you on how to configure Windows servicing using SCCM. Windows Servicing which is known as Windows as a service, provides the benefit of simplifying upgrading the existing Windows 10 / Windows 11 operating system by automating the process of downloading the required updates and installing on applicable devices.

What is Windows as a service

Windows as a service model is a new way of deploying and servicing the Windows operating system. The purpose of this model is to simplify and deploy new versions of Windows in form of feature update. Microsoft release feature updates twice a year, hence this approach of servicing the windows makes life easy for organization as compared to the old way of previously upgrading the OS where it used to take few years to upgrade existing systems.

There are several servicing tools which can be used for servicing the windows:

Windows Update – Standalone windows update is the easiest way to upgrade the operating system.

Windows Update for Business– This is a modern way of deploying the updates and upgrades where we can control various behaviour such as deferring the updates upto 30 days and deferring upgrades upto 365 days. Whole user experience can be controlled using WUFB. Group Policy of MDM authority such as Microsoft Intune can be used to deploy this.

Windows Server Update Services (WSUS) –  WSUS can be used for deploying updates and upgrades in controlled manner. You have to manually approve the updates before it gets deployed to devices

Microsoft Endpoint Configuration Manager – Also known as SCCM, can be used as one of the servicing tool for Windows as a service. Windows Servicing node can be used to control this feature in an automated way where we can create various Windows 10 Servicing Plans to deploy feature updates. The process for creating Windows 11 Servicing plans is same as Windows 10. Deploying Windows 10 devices using servicing plans can be achieved quite easily.

Pre-requisites of Windows servicing using Configuration Manager

There are few pre-requisites to be met for using Windows as a service model to be used with Configuration Manager:

  1. Configuration Manager with Software Update Point role should be installed which used WSUS as backend service to download the metadata from Microsoft.
  2. Supported WSUS version should be installed
    WSUS 10.0.14393, a role in Windows Server 2016
    WSUS 10.0.17763, a role in Windows Server 2019

For WSUS 6.2 / 6.3, on older operating system such as Windows Server 2012, you must install KB3095113 and KB3159706 update.

3. Heartbeat discovery should be enabled

Navigate to \Administration\Overview\Hierarchy Configuration\Discovery Methods. Check Heartbeat Discovery properties.

Make sure Enable Heartbeat Discovery box is checked.

Enable Heartbeat Discovery

Windows Servicing Dashboard data relies on discovery. You can check the status by navigating to \Software Library\Overview\Windows Servicing¸ where you can view chart and can see the information in table format as well:

  • Feature Update Versions
  • Quality Update Versions
  • Windows 10 Latest Feature Update
  • Windows 11 Latest Feature Update
  • Collection Errors i
  • Errors Timeline
Windows Servicing Dashboard

Service Connection point role should be configured with “Online, persistent connection”. Navigate to \Administration\Overview\Site Configuration\Servers and Site System Roles and select existing Site System Server > Service Connection Point.

Service connection point mode

4. Software Update Point role should be installed

Navigate to \Administration\Overview\Site Configuration\Sites, while Site selected, click on Configure Site Components > Software Update Point to open Software Update Point Component Properties.

Configure Site Components

Click on Classifications tab and make sure Upgrades is selected.

Products and classifications Upgrades

5. Verification of Client settings for “Thread priority for feature updates” and “Enable Dynamic Update for feature updates”. This is an optional setting, but make sure to have a look which suits the organizations need.

Navigate to \Administration\Overview\Client Settings, open existing client settings. Navigate to Software Updates to see the options:

Specify thread priority for feature updates
Enable Dynamic Update for features updates

Thread priority

Create Servicing Plans

We are now going to create Servicing Plans. We can create multiple Servicing plans for various collections usually which is called deployment rings. We should have atleast 3-4 Servicing plan starting with Pilot Ring with few systems, then keep on making another rings with more systems. And final Ring for all devices to be used for Servicing the windows.

What is Servicing Plans

By creating servicing plans, we are specifying the automated behaviour of download the feature update, specifying various settings for deferring the upgrades along with selecting the products, title etc and defining a deadline to get it targeted to existing collection in form of deployment rings.

Servicing Plans are not the only way to deploy Feature updates using Configuration Manager. We can manually select a feature update and deploy it to existing collection. However, Servicing plan is an automated process of downloading, deploying the patches in controlled manner with the settings what we have specified for existing servicing plan.

Navigate to \Software Library\Overview\Windows Servicing\Servicing Plans and click on Create Servicing Plan.

Specify name such Deployment Ring Pilot.

Create Servicing Plan

On Servicing Plan page, select the Target Collection and click Next. There should be a small set of devices only for your first Deployment ring.

Servicing Plan

On Deployment Deferral page, you will be represented with:
How many days after Microsoft has published a new upgrade would you like to wait before deploying in your environment: you can define a value between any value between 0 and 999.

You can control the behaviour of getting the upgrade ready for deployment. I am going with 0 days to expedite the process for demonstration purpose.

Deployment Deferral

On Upgrades page, select the property filters and search criteria.

As I am interested in deploying 21H2 feature update, I will use following Property filters:
Architecture: x64
Product Category: Windows 10, version 1903 and later
Required: >=1 ( we are specifying if update is required on atleast 1 system, then only it is applicable to download)
Title: 21H2

Property filters and search criteria

Click on Preview to see which updates are applicable, this is what going to be downloaded.

WindowsServicing 21

On Deployment Schedule page, specify Schedule Evaluation, Software Available time and Installation deadline

WindowsServicing 22

On User Experience page, specify Deadline behavior, Device restart behavior by suppressing the system restart for workstations, click Next.

WindowsServicing 23

On Deployment Package details, select Create a new deployment package with name and package source to be specified, click Next.

Create new deployment package

On Distribution Points page, add DP’s and click Next.

WindowsServicing 25

On Download Location page, select Download software updates from the Internet, click Next.

WindowsServicing 26

On Language Selection page, click Next.

WindowsServicing 27

Verify the summary and click on Next to start initiating the downloading of Feature Update.

WindowsServicing 28
WindowsServicing 29

Once done, you can see Deployment Ring Pilot has been created under Windows Servicing \ Servicing Plans. Select it and click on Run Now to initiate the downloading of Feature Update.

WindowsServicing 30

By default this rule will run when software update point synchronization happens, this setting can be found under Servicing Plans property and going to Evaluation Schedule, you can see following options available:

  • Do not run this rule automatically
  • Run the rule after any software update point synchronization (default option)
  • Run the rule on a schedule
Deployment Ring properties

You can monitor the progress of downloading the update through ruleengine.log located under d:\program files\Microsoft Configuration Manager\logs\ruleengine.log.

Automatic deployment rule kicks in to download the patch with following info in logs:

Enforcing Content Download Action
1 update(s) need to be downloaded in package "MAN00022" (\\sccm01\Source\Software Update\Feature Update 21H2)
List of update(s) which match the content rule criteria = {16788123}
Downloading contents (count = 1) for UpdateID 16788123
Download action completed for the AutoDeployment
Creating Software Update Group for ADR
ruleengine.log

Navigate to \Software Library\Overview\Software Updates\Software Update Groups to see AutoUpdateRuleEngine has created Software Update Group successfully with status Downloaded and Deployed as Yes.

AutoUpdateRuleEngine

Download patch will be available in esd format along with WindowsUpdateBox.exe, following is the content downloaded:
19044.1288.211006-0501.21h2_release_svc_refresh_CLIENTBUSINESS_VOL_x64FRE_en-us.esd
WindowsUpdateBox.exe

Feature Update esd file

Verify installation and client side

Login to Windows 10 device, once the policy is arrived, we can see the feature update kicks in for installation. You can monitor the installation through UpdatesDeployment.log & Wuahandler.log

Wuahandler.log
1. Update: 0eb32553-faf9-4fb8-9980-10f87c54cc7e, 200   BundledUpdates: 1
1. Update (Missing): Feature update to Windows 10 (business editions), version 21H2, en-us x64 (0eb32553-faf9-4fb8-9980-10f87c54cc7e, 200)
Async installation of updates started.
WindowsServicing 35

Important Links

Quick guide to Windows as a service (Windows 10) – Windows Deployment | Microsoft Docs

https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview

https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/manage-windows-as-a-service