Behavior of Windows Update on machines running Deep Freeze Enterprise

Overview

This document will provide details on the handling of Windows Updates on client machines managed by the Deep Freeze Enterprise.

Behaviour

When Deep Freeze is controlling the update process the general flow of operations is as shown below;
During the update process Deep Freeze interfaces with the Windows Update Service on the client machine to ensure that updates are installed and that all appropriate steps are taken to ensure that the updates are fully installed before the system returns to a protected state. Any problems with the update process that would result in failed updates are error handled and rolled back with the appropriate information retained in the Windows Update logs on the client machines.

During this process the machine will perform a number of reboots, up to a total of 5, to complete the update process. The update process can take between 15min to 6 hours depending on configuration and the size of the updates being installed on the client machine with the system returning to a frozen (protected) state when the update process is completed.

Update Types

When Deep Freeze is configured to install through the Windows Update web service the specific updates installed will be based on the setting “Always Retrieve Updates from” in the Deep Freeze settings. When configured to download from the Microsoft Windows Update website three options are present;

Install Security & Critical Updates

Install Security & Critical Updates, as well as Feature Releases
Install All Updates

These options will target and install updates matching the categories specified based on the classifications provided by Microsoft for that machine.

The option to download updates from the Windows Server Update Service (WSUS) would download any update flagged as applicable for the machine in the WSUS Server.

Deep Freeze & the Windows Update service

Deep Freeze, when installed on client machines, will suppress with the Windows Update Service to ensure that updates are not being installed on the client machine while the system is in a protected state. This prevents the client machine from wasting resources downloading and installing updates only to have them removed when the client reboots. Depending on the configuration of the systems the Windows Update Service may be suppressed when the computer enters a thawed state to ensure that the client machine does not install updates outside of the pre-configured maintenance tasks. If Deep Freeze is not configured to control the update process the Windows Update service will start when the system is thawed and may attempt to download updates immediately upon reboot.

Please note that when updating through a WSUS server client machines may not report the update status back to the WSUS server immediately depending on the timing of the installation process.

Windows Store / Modern UI Applications

Due to the way that Deep Freeze interfaces with the Windows Update Service to suppress the installation of updates during the frozen state, this also means that Windows Store-based applications (Modern UI Applications) will not be able to be installed while the system is in a frozen state.