1. Understanding modern update deployment
So one thing we have now in Windows 10 is what’s called the Windows Ten Servicing Model. The Windows Ten Servicing Model is a concept Microsoft likes to call Windows as a Service (Weasand the idea of Windows as a service is that we do two main kinds of updates. One is a “feature update,” which is a major release of Windows 10 that occurs two to three times per year on average. I’d say it happens more like twice a year, but you’ll get one. Usually a feature update will come out around the spring time. So it will be around March, April, or something like that. Then there’ll be another one around the fall time frame. So it’ll be somewhere around July, August, or September.
Time frame? Okay? And these are major builds, major releases that will be released. and we would upgrade our operating systems. It’s almost like a fresh new operating system that’s going to get installed. But it’s really just Windows 10, and it’s like you’re upgrading Windows 10 to Windows 10 to get these feature updates. Okay? These do take a lot of time to download, get installed, and get up and running, but they do have all sorts of new features and things like that that come out with them. Then you have what’s called quality updates. Now, quality updates are what we’re used to. If you’ve been in IT for a while and have worked with Microsoft, you’ve probably heard of Patch Tuesday. Patch Tuesday is the second Tuesday of each month. And what happens is that Microsoft releases all of their cumulative updates that they’ve created over the last month, which get added to Patch Tuesday.
So we have one day, if you will, where we have to do all of our updates in our environment. Okay? Granted, the good news is you’re going to see there are a lot of ways for us to test all of that out. Now another thing that’s been added that’s a little different is that they have these things called update channels. Update channels are what you’re going to subscribe Windows 10 to. Okay? So there are three main update channels. The first one is called the Windows Insider Channel. Now for this one, you actually have to enable it. It’s not enabled by default. You have to go into the settings and turn it on. This is going to let you receive your feature updates on your version of Windows 10 a few months before they go out to the public. So this is ideal for a lab environment, pilot computers, or maybe even other people’s computers to test out. Many people enjoy doing the Windows Insider programme for themselves in order to test things out. Then you’ve got the semiannual channel. Now the semiannual channel is geared more toward the broad world of your environment.
So the majority of your computers are going to be on the semiannual channel. Okay, so the updates will be released, and you will be able to download them as soon as they are available. The feature updates right when it comes out. Or you’re allowed to defer those updates for a few months. You could postpone them for a maximum of one year if you wanted to. But I’ll show you more on that later. Okay. Mostly, this is going to be the most common channel that your computers are going to use. OK, then you’ve got a long-term servicing channel. Now, one thing I want to say on this is that you have to install the long-term service channel version of Windows 10 in order to get this. You can’t just switch over to this. You actually have to install that version of Windows 10 in order to get it. This is for critical computers, okay? So these are devices that are so critical that you definitely don’t want them to go down. You could imagine if you had a Windows 10 computer that was running some kind of machine or something in your business, and if that Windows 10 computer had problems, that machine would break or not work properly, and that could be a really bad thing. So what this does is let you push off updates for up to ten years. Okay?
So you can defer feature updates for up to ten years. Keep in mind that LTSC used to be called LTSB. So, if you look through some documentation on the Internet, you may notice that this particular version is still referred to as LTSB. So that’s sort of the older name for it. LTSB is the newer name for it. Okay? Now on top of that, you havewhat are called rings update rings. Update rings are what your servicing channels are going to subscribe to or link to. Okay, you have the Preview ring, which is for the Windows Insider channel. The Preview ring is the one that the Windows Insider channel is linked to. This effectively means that you will receive updates and feature updates several months before they are made public.
You have targeted Targeted is now a service that you can sign up for. This is for the semiannual channel, and it’s a targeted mode for the semiannual channel that basically makes it so computers have to get their updates and feature updates right when they come out. You can also go broad. Which broad? The Broad Ring is the more common method, and it is where updates will be received in about four months. So a feature update will come out, and then a lot of your machines may not get those feature updates for a few months. This allows time for the feature update to be released, for things to be tested, and for your computers to gradually begin to receive it as time passes. And then, lastly, you have critical. Critical is for critical computers. And that’s the one that the LTSC is going to link to. Those are your update rings. And again, the update rings are going to tie to the channels. Okay? So you’ve also got to think about the different deployment methods that you’re going to use. In other words, how am I going to get updates out there to people?
All right, well, one way is good old Windows Update. Windows updates have been around since 1998 with Windows 98. When it came out, it was basically the update website. But then eventually, as time went on, when they released that, they released the automatic update for Windows Update. That basically means Windows will go get the updates for you. And this is what we’ve had. And unfortunately, if you have Windows Tenhome, that’s the only option you’ve got. So you don’t have any control. I don’t get to control what updates my computers get. It basically means they’re just going to download everything. You can now do Windows Update for business if you have a business version of Windows 10—Windows 10 Pro, Windows 10 Enterprise, the Education Edition, or something similar. With Windows Update for Business, I can control the update settings using group policies or with the help of my Intune, Endpoint Manager, and all that. Okay, then you’ve got WSU.
This is Windows Server Update Services. Now, this has been around for a very long time, since the early 2000s. Windows Server Update Services is a server service that you can install on a Windows server, okay? So, for example, if you have Windows Server 2019, or even earlier, you can go in and add that as a role to that server. That server will go out, download all the updates for your computers, and then it will control pushing the updates out to your environment. What’s great about WSU is that I get to choose what gets approved to go out to my environment, okay? I have complete control over all that. So WS is a great way to handle things, and it doesn’t cost any additional money. These last two, however, you have to license. Okay? So intune. You have an Intune license. If you have an Intune license, you have SCCM. And that brings me to End Point Manager, which you’ve seen me go over before.
The end point The manager controls both SCCM and Intune at the same time. And you can create what’s called a “comanaged environment.” I’ll talk more about that later, but with Intune, I can cloud-control everything. So this is great. If I’ve got a bunch of computers where I have people who work from home and I need to control the updates on their computers, I can do that. Doesn’t matter. Maybe they’re a laptop or a Surface tablet or something. They’re jumping around all over the place. All of this will be controlled via the Internet, with the assistance of Manager. Now, for your on-premises devices, you could use SCCM. Keep in mind that SCCM endpoint manager configuration is also what it’s called. Now with that, it’s really just going to use WSU to do the updates. So the SCCM option isn’t really going to manage the updates.
It will not actually perform the updates. WS is going to do it, but SCCM will control all of that. And the great thing about SCCM is that it provides a bunch of extra reporting options, automation processes, and all of that. OK, so you get quite a few different little methods that you can use for deployment. Now there’s one more thing I want to tell you about here involving a Windows update. It’s called delivery optimization. Delivery optimization is a peer-to-peer method that allows me to have updates shared between my computers. So if you have delivery optimization turned on, then a Windows 10 computer can download an update, and it’ll share that update with another computer.
And then that computer can share the update with another computer, and that computer can share the update with another computer. And, of course, updates can be passed from peer to peer. Okay? There used to be an older feature called “Branch Caching” that could do that. You could still use branch caching. It’s not as good as delivery optimization, though. One thing I’d like to mention about delivery optimization is that you can have only computers in your own environment download and share updates. You can also instruct them to share with the internet. It’s sort of like a torrenting scenario, okay? The benefit is that if you do enable it to share with the Internet, you have to turn that on. If you allow it to connect to the Internet, your computers will receive and share updates much more quickly.
The disadvantage is that it will consume more bandwidth, okay? It’s not a major security risk because it’s done with the assistance of Microsoft servers. You’re not having to open up any ports coming in or any of that. So it’s not really as big a security risk as you usually think usually.But the big thing about it is that it’s going to cause the updates to happen faster. That’s the advantage. The disadvantage is that it’s going to use more bandwidth on your internet connection. So that’s something you have to think about. But that’s what delivery optimization is. And that is also something that can be configured in Windows 10. It can be configured with the help of Intune SCCM, or you can even configure it with provisioning packages and GPO group policy objects. So as we look at the update settings, I’ll show you how that’s going to be managed as well. I’m going to do some demonstrations here.
2. Modern configuration for Windows update settings
Okay? And then you’ll see a little button here called “Update and Security.” So we’re going to click on that. All right? This is an update for security. Okay? So I’m going to kind of zoom in on that for you guys. So you can see it a little more clearly here. And you’ll notice that I can check for updates. It shows you the last time the updates were checked. I can pause updates. Now, granted, if you paused updates in the last seven days, you can’t do that again for seven more days. Okay? So that’s a rule they’ve got in place. I could force it to check right now if I wanted to as well. Okay. I’ve also got what is called “change active hours.” I’m going to click on that.
Okay? Now one thing I want to point out when it comes to active hours: OK, a lot of people don’t realize it, but active hours are not the hours that you want updates to happen. Active hours are the hours that you are using your operating system and don’t want updates to happen. So right now, my active hours are from 7:00 a.m. to 06:00 p.m.
But if I wanted to, I could change that, and then I could update this. We’ll say that my active hours are from 9:00 a.m. Oops, 9:00 a.m. We’ve got to click a little check mark, and we’ll set it to, like, maybe 08:00 p.m. So I’m usually using my computer between 9:00 a.m. and 8:00 p.m. Okay? They tell you you’ve got a maximum of 18 hours. There must be some time when updates can happen. So I’m going to hit save, and I’ve now set my active hours. Remember, active hours are the hours I’m on my computer, not the updates. That’s something you’re going to want to remember if you’re taking the exam.
Okay? Another option is to automatically adjust the device’s active hours based on activity. So Windows 10 is going to monitor what you’re doing, and it’s going to base its changes or its active hours on that. So I’ll go back, okay, we’ll click on it, and we can view the previous updates by clicking View Update History. I’m going to go to Advanced Options now, okay? And then, if I want, I can get updates for other Microsoft products like Office and so on. Download updates over metered connections. That means that if you use a cellular Internet connection, it will be referred to as a “metered connection,” meaning that your bandwidth will be limited. You could make it so that updates won’t go through during that time period. You have to restart this device as soon as possible. When a restart is required to install an update, it does tell you that Windows will pop a message up though.
It says Windows will display a notice before starting, and then the device must be on and plugged in in order to do it. So this is just to control the restart. Scrolling down a little bit more, I’ve got a notification for when your PC requires a restart. That will pop a message up telling me again; I mentioned that a second ago. And then down here, I’ve got the ability to pause. Now I want to point out something here that’s a little unique. If you did this right now on your Windows Ten computer, you might get a different result than I did. I don’t have the defer updates option right now, and the reason I don’t is because my computer is in the process of needing to get updated, and it won’t let me defer because I’ve already paused previously. But if you look on your computer, you’ll have two options.
You’ll have a defer update option for your feature updates, and you’ll have a defer update option for quality updates. Remember, you can defer feature updates for up to a year with the standard version of Windows 10. You can defer quality updates for up to 30 days with the standard version of Windows 10. If you have the LTSC (long-term servicing channel) version, you can postpone feature updates for up to ten years. Okay? On top of that, you can also pause updates for 35 days if you want. Of course, I’ve paused mine recently, so that’s all greyed out. Okay, now one of the last things I want to show you here is delivery optimization. So let’s open up delivery optimization, okay? And then from there, if I want to turn on delivery optimization, I can click the on button, and right now it would be set to PCs on my own computer.
Okay? But again, if I wanted, I could support delivery optimization for the local computer network and PCs on the internet as well. And I briefly discussed what that entails earlier. Remember, though, that delivery optimization is all about peer-to-peer sharing of updates. That’s sharing updates with other computers in your environment. If you don’t want that, you can always turn it off. You can turn it off this way. It can also be turned off through group policies if you want to do that. All of this is manageable through Intune Endpoint Manager. So, if you wanted to turn it off, you could do so in a variety of ways. Okay? Okay, now I’m going to jump back over to the Windows Update page here, and I’m going to click on View Update History, okay? So notice here that I can see driver updates that have gone through. I can view the definition updates that have gone through. If I want, I can even uninstall updates.
Okay? So if you notice, when I do this, it’s going to pull up the control panel, and I can uninstall updates. So in some cases of troubleshooting, you may end up having to uninstall an update if there’s a particular update that doesn’t go through. Well, another thing you can do is if you deployed a feature, updated a build, and then needed to go back to a previous build, you can do that as well. But you will need to go into the Windows recovery environment, and it will let you go back to a previous build. By default, they’ll let you go back to a previous bill for up to 30 days. although that number is supposed to change in the future. That’s what it was at the time of the creation of this video. But anyway, this is how you can get rid of updates. You can remove updates if you want. Okay?
3. Configuring Windows Update for Business
And I want to talk about the Windows Update for Business feature. Now, one of the things you heard me say previously is that we have Windows Update, which has been around for a very long time, and Windows Update just pretty much throws everything down on your machine. If you’ve got Windows 10 at home, that’s pretty much it. You don’t really have much of a choice.
That’s how it’s going to be. Now, if you’ve got a business-class version of Windows 10, you can use Windows Update for Business. Windows Update for Business allows me, in a Microsoft domain environment, to have a measure of control over things like the update, the servicing channel, the update rings, and the ability to have things deferred. Okay? Now, keep in mind, I’m going to have a lot more control if I set up something like WSU Windows Server Update Services and use Intune SCCM with End Point Manager. I’m going to have a lot more control if I do all of that. But this is some basic control that’s going to let me manage some of these different Windows updates for business settings. For business, Windows Update is still the only option. I want to clarify. I’m not going to be able to select what updates users get or any of that. I’m going to need WSU or SC or CMTune or any of that stuff in order to do that.
However, this will allow me to manage things like deferred updates, the update ring, delivery authorizations, and so on. Okay? So I’m going to go now. I’m on a domain controller in my Microsoft domain right now. I’m going to click “start.” I’m going to go see the server manager. We’re going to bring up Server Manager, and we’re going to go to the tool that’s going to allow us to manage group policies, okay? That tool is called group policy management. So we’re going to click Group Policy Management. We’re going to open that up. Okay, it’s going to pop up here. Now I’m going to kind of zoom in on it for you so you can see it a little more clearly. Okay? So here I am. I’m in my domain. My domain’s name is Examlabpractice.com. I’ve got group policy objects here.
And I’m going to create a GPO, okay? so I can create a GPO. I’m going to call it Windows Update for business. You can call it whatever you want. That’s what I’m going to call it. Then I’m going to edit that GPO, all right? In addition, I’ll go over computer configuration Windows settings. I’m sorry. Policies, administrative templates So computer configuration policies; administrative templates; windows; components I’m going to scroll down to Windows Update and then Windows Update for Business. Okay? So when you get in here, this is what it’s going to look like, all right? And I’ve got three main policies that I can use. “Select when Preview builds and feature updates are received” is a policy I have. So I can click on that, okay, let’s just move this over here a little bit to make it easier to read for you.
And then I would enable it and select the Windows readiness level. And this is where I can subscribe to the preview build release semiannual channel that I can force my computer to subscribe to, just like what we talked about in that previous example. I can also say that after a preview build or feature update is released, defer receiving it for this many days. So, if I wanted, I could go through here and tell the computers to postpone that build for a certain amount of time. As you can see, I can pump this up to a year. You can defer updates for up to a year. So I could do that right there if I wanted. Then I can also have updates paused. I can put a date in here and have it paused if I want. I’m going to do that. I’m going to click OK. Consider the second update option when quality updates are received. So let’s move this over here, okay? And we’ll go ahead and enable this. And then it says, “After a quality update is received, defer receiving it for this many days.” so I can do quality updates as well. Remember, quality updates are smaller, but you can only pause for a maximum of 30 days on that same thing for pausing.I can put a date in there for that; click OK.
Finally, I obtained another policy. Okay, I’ll manage preview builds. So I could double-click on that, and then at that point I could click enable and then set the behaviour for preview builds. So if you’re doing the preview mode, I can disable it altogether. I could disable the preview builds once the next release is public. Or I can just enable preview builds. Okay, I’m not going to do that. I’m going to disable preview builds. It’s kind of funny. You’re using a policy; you’re enabling a policy to be disabled, but there you have it, all right? So at that point I can click “okay.” I’ve set my policies up for Windows Update for business, so I would click “okay” to that. And then, if I wanted to, I could drag and drop this over the computers I wanted to handle it on. So, for example, if I wanted the computers in Atlanta to receive this Windows Update for business, I could drag and drop this GPO, this group policy object, there. And at that point, those settings are going to get applied to the computers in Atlanta. Now remember, group policies do not take effect immediately on computers, okay? They happen every 90 to 120 minutes.
They’ll get refreshed. Or if the computer gets rebooted, they’re going to get refreshed. Okay? Another option is to right-click the Ou and select “group policy update,” which will attempt to force it. Or if you’re sitting at the computer, don’t forget that you can always go down to the control panel. I’m sorry. not the Control Panel Command prompt. You can always go to the command prompt. And you can run that command, called “GP update slash force.” Okay? and that will force the computer to refresh its updates. Okay? So if you want it to happen immediately, you can go through the process of doing that, or you can wait 90 to 120 minutes. It’s 90 minutes at the minimum, and then there’s a 30-minute random offset period so that all computers don’t refresh at the exact same time. But that is how you can configure updates for business on your machines using group policies.
4. Deploying Windows updates with Windows Server Update Services (WSUS)
I now want to talk to you about how we can control and deliver updates using a very powerful service on a Windows Server. It’s called WSUS (Windows Server Update Services). Okay? So first things first: Windows Server Update. Servers Services are completely free. You don’t have to do anything to buy it. Of course, it’s kind of hard to argue that it’s free. Of course, you have to have a server. It has to be the licenced version of Server. But what I’m saying is that I don’t have to purchase anything extra to get WSU. If I have a server like Windows Server 2019, I can go and install it right now. So as you can see, I’ve got a server here in front of me. This is a Windows server.
And I’m going to click Start, and I’m going to go to Server Manager. And if I want, once I get into Server Manager, this is sort of the starting point on a Windows server. I can install WSUS now, right now. I do not have WSUS installed. So what I’m going to do is go to this menu option up here called Manage, and I’m going to say “Add roles and features.” Okay? It’s going to bring this little box up. I’m going to zoom into that for you so you can see that better. Okay? And from there, I can click Next, and I’m going to go to the screen where I can add roles to my server here in this little wizard. And you’ll notice that one of the bottom services is called WSUS (Windows Server Update Services). I’m going to select that. We’re going to add the features. We’re going to click next. Click Next. Next, it’s going to ask us where we want to store the information about the updates. Now, in order to do that, WSUS is going to use a database,
okay? Now you get to choose by default; it’s going to use what is known as a WID, which stands for Windows Internal Database. It’s just a very lightweight little database. It will store all your WS information in it, and it will be fine if you’re in an extremely large environment, you’ve got hundreds of thousands of computers and all that, and you’ve got an insane amount of stuff going on. It might be better for you to use an actual, real SQL database. If you have a real SQL Server database licence and all that, you could actually choose to do a SQL Server connector, which is that third option that you see here. However, for the vast majority of users, a Widdatabase will suffice. So I’m going to click Next here, and then at that point it’s going to say, “Okay, where do you want to store your updates?” What is the path where you would like your updates to be stored? Okay, right here I can choose a location for that on my local hard drive. Right now. Those updates are going to be stored. I’m just going to say CWSUS.
That’s when my updates are going to be stored by default; I’m going to click Next, and then at that point, I’m ready to go. I’m going to click Install, and it’s going to start installing. Okay, so I’m going to pause my video for a second, let that get done installing, and then we’ll go from there. Okay, now that the install is done, let me zoom back in on that. We’re going to go ahead and click “close.” We’re going to come up here, and you’re going to notice on Server Manager that there are little warning symbols letting me know that WSU is not completely ready yet. Okay. So I’m going to go to the section that says Launch post-installation task. Let’s do that. Okay, we’ll zoom out, and then that’s going to pop up on the screen here, and we’ll be able to finish the configuration. Okay, now that we’ve got the WS wizard connected to the Microsoft update servers and it’s now gone through the process of synchronising the little catalogue of updates, the types of updates, the products available, the languages, all that, I’m ready to proceed. So I’m going to click “Next” at this point. I can choose the languages and stuff that I want here.
Choose any of the languages you want. I’m going to click “Next” on that. And then, at that point, I could choose the products that I wanted. So I could choose all products, or I could choose specific products that I want to download updates for. Okay, so I can pick and choose here. Keep in mind that this is not something that’s set in stone. I can always go back and do this later if I want. I can select the things I want. You’ll notice that it chose Windows ten for me, as well as Windows eight, which are some of the most popular options. But I can always change this later if I want. I’m just going to accept the defaults there, and I’m going to click Next. Then I’ve got different classifications. I’ve got critical updates, which will involve things like performance on machines, performance updates, definitions—that’s viruses—drivers, driver sets—that’s groups of drivers—feature packs. If I want those service packs you have, some of them are like bulk updates for certain applications, tools, update rollups, or just general updates. And I can even do upgrades if I want. So I could select everything according to the classification of the upgrade updates.
So I’m going to click next. It says, “Okay, when do you want to synchronize?” I’m going to say manually because I don’t want this thing to be scheduled and done, but in the real world, scheduling it to be done automatically is usually a good idea. Okay, so I’m going to click Next, and you could say go ahead and begin the initialization of synchronization, but I’m not going to. so I’m going to hit next. Click. Finish. All right, now that I’ve done that, I’m going to open up the WSU manager. So we’re going to go to the Tools menu here, and we’re going to scroll down and click the Windows Server Update Services tool. And then, at that point, it’s going to pop up on my screen here. Let me move this over for you guys so you can see a little better. And I’m on my little server here, NYCDC 1. Okay, WS is, all in all, pretty easy to use. I’m just going to expand that out. I can see all the updates that I’ve currently got right here. If I expand updates, I can see all updates. Currently, I haven’t gotten any updates because I didn’t let it synchronize. Critical updates, security updates, and even Windows updates are all available. Okay. Right here, I can see the computers that I’m going to give updates to.
You can even create what are called computer groups. One of the things I like to recommend is that you create a lab environment for your computers and test updates on those first. So I can actually add what’s called a “computer group” here, and I’ll call it Test Lab. Okay, so click “Add” on that. I can assign computers to this, and then test installing Windows 10 or any other operating system on those computers. I can give those updates to those computers first. And then, if I wanted, I could even have another computer group called Production. And all my other computers can be members of that. Or you could go more granular than that. You could have different departments if you wanted and deploy your updates based on departments. Downstream servers are going to involve servers that would grab updates from you if you were the parent, which means you would be the one seeing the upstream synchronizations when you synchronized. Right now, I have not really synchronised it. It has synchronised the catalogue of updates, but it has not actually synchronised any real updates yet. But that’s what that’s showing you. You can also do reports. There are a lot of different reports you can generate for updates here, as you can see.
You can run status reports and get detailed reports that will provide all sorts of information about what computers have gotten updates and maybe what computers haven’t gotten updates yet. Okay, then I can go to the options. And if I wanted to change some of the initial settings that you saw me configure in the wizard earlier, this is where you’re going to do that. So all this is the same stuff that we saw earlier when we were doing that wizard. Another thing I’d like to point out is that whenever you go over here to updates, you’ll be able to click approve that update. Right now, nothing’s been approved, but if I had downloaded a bunch of updates, I could pick and choose what’s actually going to get approved. Okay? So that’s going to give me a lot of control. One of the biggest benefits of having WSU right out of the gate is that you get to control who gets what updates. There is one more very important thing I want to clarify here. Computers in your environment are not just going to magically know that they’re supposed to get updates from WSU. You’re going to have to tell your computers that they need updates from WSU. So how do you do that? Well, the way you’re going to do that is either, if you’ve got SCCM Endpoint Manager, you can tell them that way, or the traditional way to do it is you’re going to use group policies.
Okay? So, I’m going to go to the Tools menu here. I’m going to go to Group Policy Management. Bring up the Group Policy Management tool. Let me zoom in on it for you here. And then I’m going to create a GPO—a group policy object called WSUS Deployment. I’m going to click OK. All right? We’re going to go underneath. We’re going to expand computer configuration policies. We’ll go to Administrative Templates. We’re going to go to Windows Components now, okay? And then Windows Update And there are two policies that have to be configured here. The first policy—let me zoom back in on that for you. The first policy that’s got to be configured is called the “Configure Automatic Updates Policy.” Okay? You’re going to go there, you’re going to turn that on, and then you’re going to do this auto download and schedule the install. So you can actually schedule the installation to happen on a certain day of the week. I could do Wednesday at 3:30 a.m. If I wanted to The second policy that’s got to be turned on is this guy right here, specifying the location of the intranet update service Location.
So I’m going to enable that and I’m going to specify the name of my server, which is going to be Nycdc One Colon. Then you must enter the port number, which is 85 30. And I’m going to do the same thing for statistics, which means this is going to be the server that grabs the reports. And usually you’re just going to let the same WSU server do that unless you want an upstream server to do it. You can also set an alternate server as a backup if you need to. But as you can see, that’s the path I’m going to put in.I’m going to click OK, I’m going to close out of the GPO, and then I would attach it to the computers that I want to do it on. Maybe I’m going to do it in Atlanta. And then at that point, it’s just a matter of the policy’s refreshing, which they do every 90 to 120 minutes. You could also do a GP force update if you wanted to force it. Okay? So that’s how you’re going to make your clients realise they’re supposed to get updates from WS; they have to join the domain. The policy is going to handle it, and they’re going to get their updates. So hopefully that irons all that out for you. Now you have a decent understanding of Windows Update and how to get those updates out to your computers.