Whether you have five, fifty or five hundred Surface Hubs, managing and delivering updates to your Surface Hubs is as important as servicing your other Microsoft products.
Let’s see how to get it done right:
What are our options?
No matter how you manage your Surface Hubs, you have two update options:
WSUS– In which you can utilize an on-premises WSUS infrastructure to approve and deliver updates to your Hubs.
Windows Update for Business – Also known as WUfB or just “Windows Update”, where updates are being downloaded directly from Microsoft. Based on you organization’s policy, you might choose to deliver only some updates and defer\delay other updates to your Windows devices.
There are 3 types of updates offered by WUfB: (Source)
Feature Updates: previously referred to as upgrades, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.
Quality Updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as Microsoft Updates and devices can be optionally configured to receive such updates along with their Windows Updates.
Non-deferrable updates: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
Is the Hub different?
Surface Hub is running a special version of Windows OS called “Windows 10 Team Edition”. It’s a locked-down, secured, Surface Hub-specific version of Windows 10. It is being serviced with the entire Windows 10 branch, and therefore will be getting the regular security updates and monthly updates just like any other Windows 10 OS. This means that whenever we release an update to Windows 10, even if the KB states that “This update introduces no changes to Surface Hub” or if the update doesn’t mention Surface Hub, it would still apply to the Surface Hub as the Windows 10 Team Edition OS is a Windows 10 OS. Since Windows 10 Team Edition is designed to only work on Surface Hub, it has a few apps and features embedded into it that would require special attention when we release new features to Windows 10. This is why we moved to a services-approach for Surface Hub, releasing updates as they become available instead of bundling them into larger software updates. This enables us to be more agile and ensure we are providing the best experience to our customers. It helps us deliver tailored, stable updates based on your feedback, that are tested for delivering the required Surface Hub features – all bundled as quality updates. This is also why we release Surface Hub-Specific updates on the week following ‘Patch Tuesday’ – We’re assessing and confirming the standard Windows updates released on the second Tuesday of every month, and releasing fixes and other Surface Hub-related updates on the following Tuesday, the third Tuesday of every month.
How to prepare?
Well, there isn’t really a “One size fits all” solution here. Some organizations like to have time to test updates, some don’t. Some would have Surface Hubs on the Windows Insider program, some are only interested in the more stable updates. If your organization is large enough, my recommendation would be:
Insider – Have at least one Surface Hub on the Windows Insider program. We’re trying features all the time and your feedback is priceless. Make sure you do submit your feedback if you like something, and make sure your voice is heard if we’re missing something or removed your favorite feature. As always with Insider, some builds could be glitchy and unstable, and not all features will make it to the production builds. Note that Insider Surface Hubs have a message on the top left corner saying they’re on an Insider build, and that the only way to revert to a production build is to reset your device.
Test – Have a few Surface Hubs on immediate release, These devices can be used to test the stability and new features of Surface Hub as updates are delivered. This is the default configuration of Surface Hub, so should be fairly easy to manage.
Production – For all the rest of your Surface Hubs, measure how long it takes you to test and assess the builds and updates we’re shipping and then defer the updates based on this evaluation. As we’re applying Surface Hub updates on the week following Patch Tuesday, I recommend allowing at least 14 days before you apply the updates to your production devices. This means: That if, for example, we release the Windows 10 updates on Tuesday June 12, we will be releasing Surface Hub specific updates (if any) on Tuesday June 19. This will give you enough time to test the builds and updates and also enough time to apply the updates after potential Surface Hub updates. By July 3rd, you’ll be running the tested patches across all your Surface Hubs.
How to Control this?
Intune to the rescue! If you only have 2 or 3 Surface Hubs you want to connect to the Insiders ring, you might be better off adding them manually. Remember that now with the Surface Hub Recovery Tool, it’s much easier to recover your devices’ hard drives is something went wrong. For your test Surface Hubs – you don’t have to apply any update ring. They’re programmed to automatically install all Windows updates during the daily maintenance window, and will do so by default. For you production Surface Hubs – Create a new update ring (or rings, if you want to divide by region, department, screen size, etc.) in Intune (Software Updates -> Windows 10 Update Rings) and follow these guide lines:
Use the Semi Annual Channel to update Surface Hub. This is the most frequent update channel, and will of course allow for all other Windows Updates to be delivered.
Allow Microsoft Product Updates and allow Windows Drivers Updates.
For “Automatic Update Behavior”, leave the setting on “Auto install at maintenance time”. You can control this setting with a Device Configuration profile in Intune.
You can Skip the “Restart Checks”, Surface Hub will take care of that during the daily maintenance window.
Defer the Quality and Feature updates for up to 30 days. You can always pause the ring if you need more time.
Ignore the “Delivery optimization download mode” setting. Surface Hub will not honor this part of the policy as it can’t be changed anyway.
Assign this policy to your Surface Hubs and monitor it using “Device Status”.