As we have learnt, Windows as a service is here; there is nothing to argue about, you just need to accept the change and move on! (If you haven’t seen the earlier blogs in this series, you can find them over on the right.)
So, how can you be prepared for this change? Selecting an appropriate update tool comes early when designing your Windows as a Service strategy.
There are a few tooling options:
- Windows Update for Business (WUfB)
- Windows Server Update Services (WSUS)
- ConfigMgr and Windows Analytics
In this blog we will take a look at WUfB.
Windows Update for Business is a Microsoft cloud service available for corporate editions of Windows 10, including Professional, Enterprise and Educational editions.
Some major benefits of WUfB are that it is a free service and that it requires no dedicated server infrastructure. The only requirement is that WUfB client settings are set on clients, these are generally delivered by Group Policy or Intune, but scripts are also an option when these are not available or appropriate.
Group policy settings for WUfB are located in Computer Configuration > Policies > Windows Components > Windows Update > Windows Update for Business as shown in the following screenshot:
The following summarises the WUfB settings:
- Select when Preview Builds and Feature Updates are received
This allows you to delay the installation of a feature update for up to 365 days (one year). Having multiple policies, each with a different delay, allows you to test the feature update, then roll it out to ‘early adopters’, followed by a phased deployment to all devices.
- Select when Quality Updates are received
Much the same as above, except that it applies only to the monthly cumulative quality update. It allows you to delay for a maximum of 30 days. Multiple policies can be used to test the update (0-day delay) followed by a phased deployment to all devices.
- Disable safeguards for feature updates
While it is usually a good idea to keep a device on its previous version until the issues that affect it are resolved, sometimes those issues are minor enough not to stop work getting done on the machine.
Microsoft recommends disabling the blocks only for testing and validation purposes, as “opting out of a safeguard hold can put devices at risk from known performance issues”.
- Manage Preview Builds
Disabling preview builds prevents any admin user from opting into the Insider program. If you leave this ‘not configured’, an admin user can opt into the Insider program and use preview builds, and can also leave the Insider program. Remember, if users are not administrators on their machine, they cannot opt into the Insider program either way.
If you have systems, perhaps some test devices, that you want to be in the insider program, this setting can be set to enabled and each time a new insider build is released, the system will update to it.
- Set the target feature update version
Allows you to specify which feature update version of Windows 10 you would like your devices to move to and/or stay on until the version reaches end of service or you reconfigure this policy.
If you don’t update this policy before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its version.
If you specify a TargetReleaseVersion the same as the current version, Windows 10 will stay on this version until it reaches end of service. If you specify a TargetReleaseVersion higher than the current version, Windows 10 will directly update only to the specified version even if a higher version is available.
Great, we have some control, and we can defer feature and quality updates, but we don’t really want all of our clients to update at the same time. How can we spread the load? This is where deployment rings come in.
Deployment rings are constructed differently in each tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the updates by gradually deploying the update to all devices. Defining deployment rings is generally a one-time event, but they should be reviewed after feature deployment to ensure that the sequencing is still correct.
By dividing clients into groups and configuring different deferral times for each, you can spread the deployment of updates over time, which allows time for testing followed by a controlled deployment.
As an example, let’s look at the feature and quality update deferral settings configured, in this case, by a group policy (Intune can also be used to control these settings).
Now consider having multiple GPOs each one targeted to a set group of machines.
[Table: Feature Update Deferral and Quality Update Deferral per ring, for WUfB Ring 1, WUfB Ring 2, WUfB Ring 3 and WUfB Ring 4; the day values were not recovered from the page.]
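As an added example (my own illustration, not code from the blog or from Microsoft), here is a PowerShell script that applies one ring’s deferral settings on a device that Group Policy or Intune cannot reach, by writing the policy registry values those settings produce. The ring names and day values are constructed for illustration, and the registry value names are assumed to match the WindowsUpdate.admx definitions; check them against your ADMX before use. On a domain-joined device, Group Policy will overwrite these values at its next refresh, so the script is only for devices outside that management.

```powershell
# Added example, not code from the original post or from Microsoft.
# Applies one WUfB deployment ring's deferral settings by writing the policy
# registry values that the Group Policy / Intune settings write, for devices
# where neither is available. Ring names and day values are constructed.
# Assumption: value names under the WindowsUpdate policy key match
# WindowsUpdate.admx (DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays,
# DeferQualityUpdates, DeferQualityUpdatesPeriodInDays, BranchReadinessLevel,
# TargetReleaseVersion, TargetReleaseVersionInfo, DisableWUfBSafeguards).
#Requires -RunAsAdministrator

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Constructed sample rings: deferral grows with each ring so that problems
# surface on the pilot devices before the bulk of the estate updates.
$Rings = [ordered]@{
    'WUfB Ring 1' = @{ FeatureDays = 0;   QualityDays = 0  }  # IT pilot
    'WUfB Ring 2' = @{ FeatureDays = 30;  QualityDays = 3  }  # early adopters
    'WUfB Ring 3' = @{ FeatureDays = 90;  QualityDays = 7  }  # broad deployment
    'WUfB Ring 4' = @{ FeatureDays = 180; QualityDays = 14 }  # business-critical, last
}

function Set-WufbRing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RingName,
        [string] $TargetRelease,       # e.g. '20H2' to pin the feature update version
        [switch] $DisableSafeguards    # only for test / validation devices
    )

    $ring = $Rings[$RingName]
    if (-not $ring) { throw "Unknown ring '$RingName'. Known rings: $($Rings.Keys -join ', ')" }

    # Enforce the limits the policies accept: 0-365 days for feature updates,
    # 0-30 days for quality updates.
    if ($ring.FeatureDays -lt 0 -or $ring.FeatureDays -gt 365) { throw 'Feature deferral must be 0-365 days' }
    if ($ring.QualityDays -lt 0 -or $ring.QualityDays -gt 30)  { throw 'Quality deferral must be 0-30 days' }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Apply $RingName")) {
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }

        # "Select when Preview Builds and Feature Updates are received"
        Set-ItemProperty -Path $PolicyPath -Name BranchReadinessLevel -Value 16 -Type DWord  # 16 = Semi-Annual Channel
        Set-ItemProperty -Path $PolicyPath -Name DeferFeatureUpdates -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyPath -Name DeferFeatureUpdatesPeriodInDays -Value $ring.FeatureDays -Type DWord

        # "Select when Quality Updates are received"
        Set-ItemProperty -Path $PolicyPath -Name DeferQualityUpdates -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyPath -Name DeferQualityUpdatesPeriodInDays -Value $ring.QualityDays -Type DWord

        # "Set the target feature update version": pin to a version, or remove an
        # old pin so the device is not held on a version heading for end of service.
        if ($TargetRelease) {
            Set-ItemProperty -Path $PolicyPath -Name TargetReleaseVersion -Value 1 -Type DWord
            Set-ItemProperty -Path $PolicyPath -Name TargetReleaseVersionInfo -Value $TargetRelease -Type String
        } else {
            Remove-ItemProperty -Path $PolicyPath -Name TargetReleaseVersion, TargetReleaseVersionInfo -ErrorAction SilentlyContinue
        }

        # "Disable safeguards for feature updates": keep the hold in place unless
        # this is explicitly a validation device.
        if ($DisableSafeguards) {
            Set-ItemProperty -Path $PolicyPath -Name DisableWUfBSafeguards -Value 1 -Type DWord
        } else {
            Remove-ItemProperty -Path $PolicyPath -Name DisableWUfBSafeguards -ErrorAction SilentlyContinue
        }
    }
}

function Get-WufbRingState {
    # Read back what is configured so a compliance check can confirm the ring took effect.
    Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue |
        Select-Object DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays,
                      TargetReleaseVersionInfo, DisableWUfBSafeguards
}

# Usage: preview the change, apply it, then verify what was written.
Set-WufbRing -RingName 'WUfB Ring 2' -WhatIf
Set-WufbRing -RingName 'WUfB Ring 2' -TargetRelease '20H2'
Get-WufbRingState
```

The range checks mirror the limits the two deferral policies accept, and the safeguard-hold value is only written when a device is deliberately marked for validation, so a stray copy of the script on a production device does not opt it out of a hold.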
It is important that we can track the updates as they deploy. When using WUfB we can use Update Compliance, which is offered through the Azure portal and is included as part of Windows 10 licences.
Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data.
Update Compliance allows you to:
- Monitor security, quality, and feature updates for Windows 10 Professional, Education, and Enterprise editions.
- View a report of device and update issues related to compliance that need attention.
- Check bandwidth savings incurred across multiple content types by using Delivery Optimization.
Update Compliance uses Windows 10 diagnostic data for all of its reporting. System data, including update deployment progress, Windows Update for Business configuration data, and Delivery Optimization usage data, is collected from the Windows 10 devices and sent to your Azure Log Analytics workspace.
WUfB Final Thoughts
WUfB may be a free service, but don’t let that taint your opinion of it. Coupled with Azure Update Compliance Reporting, also free, it is a great solution for managing Windows 10 updates.
Some people may regard the lack of local on-premise content for updates as inefficient, to which I would bring up two things:
- Where are your clients?
Due to COVID we are now supporting many more people working from home, so what use is on-premise content in this scenario? How are home workers going to access the on-premise content you have so lovingly prepared? Over a VPN perhaps? Hmmm, connecting to the Internet and then using a VPN connection to gain access to any update content seems inefficient to me!! Why don’t they just use the MS Windows Update services on the Internet, and save the use of a VPN and all that on-premise infrastructure?
- Delivery Optimisation!
Remember, Delivery Optimisation is provided by the Windows 10 OS itself and reduces bandwidth consumption by sharing the work of downloading updates among multiple devices. It is a self-organising distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. So, if you are updating 1,000 on-premise devices, it is extremely unlikely that each device will retrieve the update content individually; they will share content. Compliance reports will show you the amount of bandwidth used and saved, which may alleviate concerns!