Win10: Updates of the Operating System

In order to guarantee the security of work computers and the DESY IT infrastructure, the Windows updates are extremely important and must be installed promptly. The installation of Windows updates is generally imposed centrally at DESY, but users of Windows computers are required to ensure that their work devices are updated successfully in order to keep security risks for the entire infrastructure as low as possible.

The following explains how the central provision of Windows updates at DESY works, what must be observed and how you can influence the installation of Windows updates if necessary. It also explains how to handle the updates in the home office.

Provision of Windows updates

There are two types of Windows updates. Once a month the so-called security updates are installed at DESY; these are usually provided on the 3rd Wednesday of each month. You will be informed about the monthly security update by email one or two days in advance. The title of the email is: "[DESY] IT-Maintenance: Monatliche Wartung - Microsoft Windows / Monthly Maintenance - Microsoft Windows".

A feature update presents a completely new version of Windows 10 and is provided once a year for the workstation computers at DESY. You will also be informed about this by e-mail. The group administrators are informed of this in advance and should have made any necessary preparations for the group. The Windows group administrators are therefore the contact people for on-site questions around the update.

Installation requirements

The central WSUS server (Windows System Update Service) provides the necessary updates centrally for all Windows computers in the domain. In order for a Windows computer to be able to reach this server, it must have a connection to the internal DESY network. This is the case with cable connections in the office, with a WLAN connection to the internal DESY network or with a connection via VPN.

Figure 1

To make it easier to check whether updates are available or whether the computer has installed all updates correctly, there is a link to the update settings on the desktop of your computer (see Figure 1).



Figure 2

In the settings for Windows updates you can see whether updates are pending , you can look for updates and view the update history (see Figure 2).






Automatic installation of Windows security updates

If you work at DESY and your computer is in the DESY internal network, it is best to log off from your computer on the evening before the patch day and leave the computer switched on overnight.

The updates will then be downloaded before 6 a.m. and installed automatically without any action on your part. Please note, if you are already logged into your computer at this time, an automatic restart cannot be carried out and you will receive a message to do this yourself. This restart is absolutely necessary to complete the installation of the updates.


Figure 3

If you do not restart your computer immediately, a message will appear stating the number of days in which the computer will be forced to restart, for example as shown in Figure 3.

You will be informed that a restart is planned in x days and you can choose an appointment within this period. You can restart immediately by clicking on "Restart now" or "Jetzt neustarten".





Figure 4

If you click away the message, there are further instructions that draw your attention to the fact that you have to restart the computer. Such references are e.g. an icon with an orange dot in the taskbar on the right and in the start menu, as well as in your Windows update settings, which you can access with the desktop shortcut mentioned above. These notes are marked in the adjacent figures (see Figures 4 and 5).



Figure 5

When you click on the Windows icon in the taskbar (Figure 4), you have the option of updating and restarting the computer, as well as updating and shutting down the computer. This may be useful at the end of a work day, provided you don’t need to access the device remotely later that day.




Manual installation of Windows security updates

There are situations in which pending updates are not automatically downloaded, for example in case of low network bandwidths. In such a case, if you are in contact with the Windows domain, click on the link shown in Figure 1 on your desktop and download the updates manually. If the network bandwidth is low, the download will take significantly longer, so make sure that your laptop is powered.

Please proceed in this way even if the computer was not switched on on the patch day and therefore could not obtain any updates.

Installation of the Windows feature updates

Figure 6

The procedure for installing the Windows feature updates is the same as for the security updates. However, a much longer installation time is to be expected, as a completely new version of Window 10 will be installed on the computer.

In addition to the information in the notification bar, the icon with an orange dot in the taskbar on the right and in the start menu as well as in the Windows update settings, a message is displayed in the so-called Action Center (see Figure 6).

The system will wait for a maximum of seven days after the updates have been released for you to initiate the restart yourself. If this does not happen, the so-called "grace period" of two days occurs after seven days at the latest, during which a restart is forced. The restart is also carried out if you are logged on to the computer or have an application open. The system calculates a point in time during these two days for the restart at which the least possible user activity takes place.

It can also occur that you have to install security updates for this new operating system version. So after a feature update it is best to check whether subsequent updates need to be installed. Please use the shortcut on your desktop as described above (Figure 1).

How to update Windows in home office

In general, even if you establish connections to DESY with your private devices in the home office (e.g. via ssh), it must be ensured that the latest updates are always installed on these private computers. Please take care of that!

How to proceed with the special connection types to DESY is described below.

Connection to the DESY computer via SSH tunnel

If you regularly make a remote connection to your Windows computer at DESY, the device at DESY is continuously on and connected to the network. This means that the updates are installed automatically and the computer at DESY runs through the standard procedure. To make sure, you can check the update process at any time using the link on the desktop (see Figure 1).

However, you should be cautious to do not shut down the office computer to complete the update installation, just restart it. This ensures that you can still log in remotely. If the device shuts down, you will need to contact your colleagues on site to have the device switched on again.

Not in DESY network e.g. SSH proxy connection

If you have no connection to the internal DESY network for a long time, the updates must be obtained directly from Microsoft. The procedure for this is as follows:

1. Open the update settings and click on "Search online for updates from Microsoft Update"
2. Install the security updates shown.

Please note, however, that certain software updates are only available in the internal DESY network. This includes updates for Adobe products and for applications installed via DSM.

VPN connection (from DESY external network to DESY internal network)

If you are connected to DESY from a DESY computer via VPN, the Windows security updates should be downloaded and installed manually. To do this, please proceed as described in the section "Manual installation of Windows security updates".

Help / further information

If your questions are not answered in the documentation or if you have problems with Windows updates, please contact your Windows group administrator. You can find the contact person responsible for you on the following website:

Further information, especially for Windows group administrators, can be found on the following website: