Wsus offline update windows 10 21h1

Windows 10, version 21H1 is now available through Windows Server Update Services (WSUS) and Windows Update for Business, and can be downloaded today from Visual Studio Subscriptions, the Software Download Center (via Update Assistant or the Media Creation Tool), and the Volume Licensing Service Center^[1]. Today also marks the start of the 18-month servicing timeline for this H1 (first half of the calendar year) Semi-Annual Channel release.

Windows 10, version 21H1 (also referred to as the Windows 10 May 2021 Update) offers a scoped set of improvements in the areas of security, remote access, and quality to ensure that your organization and your end users stay protected and productive. Just as we did for devices updating from Windows 10, version 2004 to version 20H2, we will be delivering Windows 10, version 21H1 via an enablement package to devices running version 2004 or version 20H2—resulting in a fast installation experience for users of those devices. For those updating to Windows 10, version 21H1 from Windows 10, version 1909 and earlier, the process will be similar to previous updates.

Jump to: What is an enablement package?   |  Tools   |  Resources   |  Features to explore   |  Deployment recommendations   |  Office hours 

What is an enablement package?

Which tools are being updated for version 21H1?

To support the release of Windows 10, version 21H1, we have released updated versions of the following tools:

• Security baseline (final) for Windows 10, version 21H1 – Microsoft-recommended configuration settings, including explanations of their security impact.
• Administrative Templates (.admx) for Windows 10, version 21H1 – While natively accessible via the C:WindowsPolicyDefinitions folder in Windows, administrative template files can be downloaded separately and used to populate policy settings in the user interface of Group Policy tools, allowing you to manage registry-based policy settings.
• Group Policy settings reference spreadsheet for Windows 10, version 21H1 – List of the policy settings for computer and user configurations included in the ADMX files delivered for Windows 10, version 21H1.
• Windows 10 Enterprise Evaluation – Free 90-day evaluation of Windows 10, version 21H1 for IT professionals interested in trying Windows 10 Enterprise on behalf of their organization.

What about other tools?

As Windows 10, version 21H1 shares a common core and an identical set of system files with version 2004 and 20H2, the following tools do not need to be updated to work with version 21H1:

• Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 2004 –Customize Windows images for large-scale deployment or test the quality and performance of your system, added components, and applications with tools like the User State Migration Tool, Windows Performance Analyzer, Windows Performance Recorder, Window System Image Manager (SIM), and the Windows Assessment Toolkit.
• Windows PE add-on for the Windows ADK, version 2004 – Small operating system used to install, deploy, and repair Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). (Note: Prior to Windows 10, version 1809, WinPE was included in the ADK. Starting with Windows 10, version 1809, WinPE is an add-on. Install the ADK first, then install the WinPE add-ons to start working with WinPE.)

• Remote Server Administration Tools (RSAT) for Windows 10 – Tools that let you manage Windows Server roles and features from a Windows 10 PC. Starting with Windows 10, version 1809, RSAT are included as a set of «Features on Demand» in Windows 10 itself.

Any resources being updated?

To support Windows 10, version 21H1, we are updating the key resources you rely on to effectively manage and deploy updates in your organization, including:

• Windows release health hub – The quickest way to stay up to date on update-related news, announcements, and best practices; important lifecycle reminders, and the status of known issues and safeguard holds.
• Windows 10 release information – A list of current Windows 10 versions by servicing option along with release dates, build numbers, end of service dates, and release history.
• Windows 10, version 21H1 update history – A list of all updates (monthly and out-of-band) released for Windows 10, version 21H1 sorted in reverse chronological order.

New features to explore

As noted above, Windows 10, version 21H1 offers a scoped set of features focused on the core experiences that you rely on the most as you support both in person and remote workforces. Here are the highlights for commercial organizations:

• Windows Hello multi-camera support. For devices with a built-in camera and an external camera, Windows Hello would previously use the built-in camera to authenticate the user, while apps such as Microsoft Teams were set to use the external camera. In Windows 10, version 21H1, Windows Hello and Windows Hello for Business now default to the external camera when both built-in and external Windows Hello-capable cameras are present on the device. When multiple cameras are available on the same device, Windows Hello will prioritize as follows:
  • SecureBio camera
  • External FrameServer camera with IR + Color sensors
  • Internal FrameServer camera with IR + Color sensors
  • External camera with IR only sensor
  • Internal camera with IR only sensor
  • Sensor Data Service or other old cameras
• Microsoft Defender Application Guard enhancements. With Windows 10, version 21H1, end users can now open files faster while Application Guard checks for possible security concerns.
• Security updates. Windows 10, version 21H1 provides security updates for Windows App Platform and Frameworks, Windows Apps, Windows Input and Composition, Windows Office Media, Windows Fundamentals, Windows Cryptography, the Windows AI Platform, Windows Kernel, Windows Virtualization, Internet Explorer, and Windows Media.
• Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) updating performance improvements to support remote work scenarios. When an administrator would make changes to user or computer group membership, these changes would propagate slowly. Although the access token eventually updates, the changes would not be reflected in a troubleshooting scenario when the gpresult /r or gpresult /h commands were executed. This was especially experienced in remote work scenarios and has been addressed.

What else have we been up to?

Aside from Windows 10, version 21H1, we’ve been busy with other new, exciting features and solutions that you may have heard about! (Note that some of these may require additional licensing or services.) Check out the links for details:

• Passwordless authentication – Speaking of Windows Hello for Business, I wanted to make sure you didn’t miss our March announcement that passwordless authentication is now generally available for hybrid environments! This is a huge milestone in our zero-trust strategy, helping users and organizations stay secure with features like Temporary Access Pass.  
• Windows Update for Business deployment service – Approve and schedule content approvals directly through a service-to-service architecture. Use Microsoft Graph APIs to gain rich control over the approval, scheduling, and protection of content delivered from Windows Update.
• Expedite updates – Expediting a security update overrides Windows Update for Business deferral policies so that the update is installed as quickly as possible. This can be useful when critical security events arise and you need to deploy an update more rapidly than normal.
• Known Issue Rollback – Quickly return an impacted device back to productive use if an issue arises during a Windows update. Known Issue Rollback supports non-security bug fixes, enabling us to quickly revert a single, targeted fix to a previously released behavior if a critical regression is discovered.
• News and interests – For devices running Windows 10, version 1909 or later, news and interests in the taskbar enables users to easily see local weather and traffic as well as favorite stocks and the latest news on topics related to professional or personal interests. To learn how to manage news and interests via Group Policy or Microsoft Endpoint Manager, see Manage news and interests on the taskbar with policy,
• Universal Print – Now generally available, Universal Print is ready for your business! Universal Print is the premier cloud-based printing solution, run entirely in Microsoft Azure, and requires no on-premises print infrastructure.
• …and so much more! Follow the Windows IT Pro Blog (and @MSWindowsITPro on Twitter) to keep up-to-date on Windows announcements and new feature releases, and the Microsoft Endpoint Manager Blog (and @MSIntune on Twitter) for announcements and features new to Intune and Configuration Manager.

Deployment recommendations

With today’s release, you can begin targeted deployments of Windows 10, version 21H1 to validate that the apps, devices, and infrastructure used by your organization work as expected with the new features. If you will be updating devices used in remote or hybrid work scenarios, I recommend reading or revisiting Deploying a new version of Windows 10 in a remote world. For insight into our broader rollout strategy for this release, see John Cable’s post, How to get the Windows 10 May 2021 Update.

If you need a refresher on Windows update fundamentals, see:

• Overview of Windows as a service
• Manage updates using Windows Update for Business
• Prepare updates using Windows Server Update Services
• Manage updates using Configuration Manager

For step-by-step online learning to help you optimize your update strategy and deploy updates more quickly across your device estate, see:

• Stay current with Windows 10 and Microsoft 365 Apps
• Manage Windows updates in the cloud

To get an early peek at some of the new features before we release them, join the Windows Insider Program for Business! Insiders can test new deployment, management, and security features, and provide feedback before they become generally available. Learn about managing the installation of Windows 10 Insider builds across multiple devices and get started today!

Join us for Office Hours

And finally, make sure you join our monthly Windows Office Hours, where you can ask your deployment, servicing, and updating questions and get answers, support, and help from our broad team of experts. Submit questions live during the monthly one-hour event or post them in advance if that schedule does not work for your time zone. Our next event is Thursday, May 20, 2021 so add it to your calendar and join us!

^[1] It may take a day for downloads to be fully available in the VLSC across all products, markets, and languages.

Изменение схемы распространения Servicing Stack Updates для Windows 10 2004-21H1 на WSUS и решение ошибки 0x800f0823 — CBS_E_NEW_SERVICING_STACK_REQUIRED

...
Error CBS Package "xxx" requires Servicing Stack v10.0.19041.980 but current Servicing Stack is v10.0.19041.860. [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
...

Managing Windows Updates is a task every IT pro has probably done in their career. Managing patches is never fun, especially for offline Windows computers. If you have offline Windows computers, it’s time to automate the process as much as possible with the WSUS Offline Update tool!

The WSUS Offline Update tool, or what some call WSUSOffline, is a handy (and free) utility that downloads updates on an Internet-connected computer, packages up all necessary updates, and provides a way to install that package via offline media.

In this tutorial, you’re going to learn how to patch an offline computer with the WSUS Offline Update tool to become an offline-patching master!

Prerequisites

If you’d like to follow along with the steps in this tutorial, be sure you have the following:

• A Windows 7 SP1+ or Windows Server 2008 R2+ computer preferably that’s way behind on patching. The demos in this guide are going to use Windows Server 2012 R2 virtual machine.
• A separate Windows PC with Internet access to download updates.

Downloading and Setting up WSUS Offline Update

Before you can become an offline-patching master, you must first get your tool.

1. Open your favorite web browser and navigate to the WSUS Offline Update download page.

2. Click on the Version link shown below to download to your PC. As of this writing, the latest version is 12.03.2020.

WSUS Offline Update comes in two separate versions; the “Most recent version” and the “ESR version.” The “Most recent version” covers all modern Microsoft products. If you have older operating systems like Windows 7 SP1 or Windows Server 2008 R2, you’d have to use the “ESR version.” But note that WSUS Offline Update does not help get you around an extended security updates (ESU) agreement.

3. Once downloaded, extract the ZIP file, find and run the executable called UpdaterGenerator.exe. This EXE is the application that will help you customize offline updates.

When the tool launch, you’ll be in the Windows tab, as shown below, with a lot of options in front of you! Don’t worry, though. In the next section, you’ll learn how to perform each task necessary to download updates and patch that offline Windows computer.

Creating an Offline Update Package

Now that you have the WSUS Offline Update tool open let’s see what you can do with it. To demonstrate the tool, let’s assume you have an offline Windows Server 2012 R2 machine that needs all of the Visual C++ Runtime libraries, a version of .NET Framework, and the latest security updates.

Don’t worry if you don’t have Windows Server 2012 R2. The steps in this section apply to all Windows OS and Microsoft Office versions with only minor modifications.

Your first task is creating an offline update package. This offline update package can be created as an ISO image or stored on a USB drive. In this tutorial, you’re going to create the offline update package as an ISO file.

ISOs are easier to work with and can be mounted natively by Windows Server 2012 and newer. That’s why this article focuses on using them.

With the tool open:

1. First, uncheck all Windows 10 updates if you are not updating Windows 10. Failure to do so will cause WSUS Offline Update to download more than you might need, greatly increasing the update download and ISO creation time.

2. Since the tutorial will be patching a Windows Server 2012 R2 machine, click on the Legacy Windows tab. In this tab, select the OS you’re patching and the architecture. In this case, choose x64 Global (multilingual updates).

And, finally, pick the additional updates you’d like to download, such as C++ Runtime Library and .NET Frameworks, and Use “security-only updates” instead of “quality rollups.” Quality rollups are bundled updates. Security-only updates install faster and typically are smaller in size.

If you have an internal WSUS server with approved updates and would rather not download patches from the Internet, click on the WSUS button.

When you are satisfied with the selections, click on Start to begin the build process. WSUSOffline will open a command prompt window when you do so and will begin to download the required updates and create the ISO file. Be sure to leave this window open. This step takes a few minutes to complete.

If you selected a lot of options and different OS’es, this process could take HOURS! Be warned.

After the updates are finished downloading, and WSUS Offline Update has created the ISO image, you will see the following prompt:

3. To view the log file for the entire operation, click Yes. Otherwise, click No.

That’s it! You’ve created your first offline update ISO image that contains the updates you selected for Windows Server 2012 R2.

4. Now, open the folder you started WSUSOffline from and notice two folders called iso and client. These folders contain the updates the tool just downloaded. The Client folder contains all of the updates stored directly into the folder, while the iso folder holds the ISO, which has compressed all of the updates.

Inside of the iso folder, you will see an ISO file called wsusoffline-w63-x64.iso.

If you’d rather use a USB key to transfer the update package to the offline computer, you could also transfer the contents of the client folder directly to the USB key.

Applying an Offline Update Package

You now have an ISO file containing all of the required updates sitting on your local computer. It’s time to get that ISO file’s content to your offline computer!

As you can see below, an unpatched Windows Server 2012 R2 machine is waiting in the tutorial lab environment.

The Last installed updates status will not change after running WSUS Offline Update. This is because these fields are taken from registry keys that are updated only when using WSUS or Microsoft Update. They do not update when installing individual updates, which is what WSUS Offline Updater does.

To install the offline updates via the ISO file:

1. Copy the ISO to the offline computer using either a virtualized DVD drive in VMware or Hyper-V or using a USB key.

2. Connect to the offline computer’s console and log in with an administrative user account.

3. Next, find the ISO, right-click on it and click on Mount.

4. Now, navigate to the DVD drive that Windows created for the ISO file and run the UpdateInstaller.exe application.

5. In the installer dialog box, choose any other extra updates you’d like to install and select your required options. For this tutorial, select Update C++ Runtime Libraries, Update Root Certificates, and Install Management Framework 5.1.

When complete, click on Start to begin the installation process.

If WSUSOffline detects any of these updates are already installed, it will simply skip over them.

If the offline computer is way out of date, updating it may require multiple reboots. To prevent manually rebooting, start the tool again and repeat the process, select Automatic reboot and recall. This option will temporarily disable User Account Control (UAC), create a temporary user account, automatically reboot after installation, and continue patching until complete.

Once you click Start, WSUSOffline will open a command prompt and provide status messages throughout the update process. Do not close this window!

6. After the updates have been installed, reboot your computer. WSUS Offline Update will prompt you to restart your computer to complete the process if you did not choose the option to do so automatically.

7. If you did not select the Automatic reboot and recall option before starting the update, continue rebooting the computer and performing steps 4-6 again until WSUS Offline Update detects no more updates needed.

You now have a freshly patched and up to date offline Windows computer!

Conclusion

WSUS Offline Update is a tool that every sysadmin should have in their toolbelt. This tool saves so much time patching offline computers by automating most of the process.

If you haven’t been using WSUS Offline Update previously, how were you, and how does that process compare to this tool?