New options for controlling the arrival of Windows 10 upgrades arrived within Windows 10 version 1511, the refresh that began rolling out Nov. 12. The settings are available to individuals, businesses and organizations running Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education that manage PCs with the Windows Update for Business (WUB) service Microsoft introduced earlier this year.
With Windows 10 1511, Microsoft has delivered all the big pieces of Windows Update for Business. The new WUB controls appeared earlier than Computerworld had anticipated, based on comments Microsoft made in August.
In May, Terry Myerson, Microsoft's operating system and device chief, claimed that WUB would "reduce management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovation from Microsoft on an ongoing basis," with a quartet of components:
?Distribution rings
?Maintenance windows
?Peer to peer delivery
?Integration with existing tools
Check, check, check and check.
"With Windows 10, we need a new approach for end-user devices at work," said Myerson in his May address at Microsoft's Ignite conference.
What he left unsaid was that the new approach also had to take into account resistance from enterprises concerned about ditching a leisurely migration tempo that consumed years for Windows 10's accelerated feature upgrade release schedule.
In 2014, for example, when Microsoft abruptly told customers running Windows 8.1 that they had just 30 days to upgrade to Windows 8.1 Update -- or be barred from security patches -- businesses revolted. Microsoft bent, and within days said that those customers would have four months, not just one, to migrate.
With that precedent, Microsoft realized it could only push its most important customers so far, so fast. The result: WUB.
WUB is essentially an overlay atop Windows Update. It is not a new service, nor a new product, but a new set of controls for managing the timing of how Windows Update -- the patch service Microsoft's run for consumers for two decades -- delivers upgrades and updates to business-grade editions of Windows 10.
Using WUB, individuals and IT administrators can defer the two-to-three-times-a-year upgrades to devices on the "Current Branch for Business" (CBB), one of the three mainstream upgrade tracks and the one most Windows 10 enterprise machines will adopt. Not all editions of Windows 10 are eligible for the CBB -- Windows 10 Home, the dominant SKU (stock-keeping unit) for consumers, is not -- but the prime SKUs in corporate and other large organizations are: Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
Key to the CBB track is its ability to defer feature upgrades for up to a year after a specific upgrade reaches consumers on the "Current Branch" (CB), the no-you-can't-refuse-change track.
In Microsoft's new "Windows as a service" model -- the acronym is "WaaS," yet another new term for customers to learn as Windows 10 upsets a 40-year upgrade strategy -- it issues an upgrade first to the CB track. Four months later, the same upgrade is pushed to devices on the CBB.
Microsoft's using the four-month interval as a test and debugging period, giving consumers and small businesses on the CB the responsibility for uncovering problems. The idea is that those guinea pigs will discover flaws, bugs and incompatibilities, giving Microsoft several months to make corrections before a more stable upgrade reaches its most important -- and paying -- corporate customers.
The automatic four-month delay for those on the CBB track was just the first step in Microsoft's response to pushback from enterprises, which are notoriously conservative when it comes to change. Microsoft added even longer upgrade deferrals on the CBB track with WUB.
Using group policies or a management platform like Microsoft's own cloud-based Intune, IT administrators can defer the next upgrade up to an additional eight months in one-month increments. "This deferral capability allows administrators to validate deployments as they are pushed to all their Windows Update for Business enrolled clients," Microsoft said in WUB documentation it published last week.
Administrators can switch one group of Windows 10 devices from the default CB to the slower-paced CBB simply by enabling the "Defer upgrades for the following duration (months)" group policy. (Individuals running Windows 10 Pro can do the same by checking the "Defer upgrades" box within the OS's "Advanced Options" screen of the Windows Update section under Settings.)
According to Hammoudi Samir, a Microsoft field support engineer, the four-month delay of CBB is automatically engaged when requesting any upgrade postponements. "By just enabling this GPO [Group Policy Object] setting and not delaying anything (leaving both durations on zero), it will turn the target computers to CBB," Samir wrote in a Nov. 15 blog post.
For additional delays, users and IT administrators must specify the deferment period, using values of 1 through 8 to represent the number of months. An IT staff, for example, could set another group of devices to get upgrades three months after the usual CBB delivery by using a group policy value of "3." That would schedule those PCs to get the upgrade three months after the default CBB track but seven months (4 + 3) after the same upgrade reached consumers on the CB track.
The maximum deferral is 8 months after the usual CBB ship date, 12 months after the CB. At the end of that stretch, the feature upgrade must be in place or the devices will not receive future security patches and other bug fixes.
By setting upgrade deferrals of different lengths for different device groups, administrators will create what Microsoft has long labeled "rings," a term that originated with the firm's Windows Insider preview program, which features a "fast" ring and a "slow" ring. Rather than hard-code rings for WUB users, Microsoft has given the responsibility -- and flexibility -- to customers.
WUB's new controls also include a temporary hold instruction for Windows Update. By checking a box within the Group Policy Editor or entering a value within Intune, users and IT can put a hold on an upgrade -- or security update -- that automatically expires when the next upgrade or update appears.
"Once a new update or upgrade is available, the value will go back to the previously selected option," the group policy's text stated.
That could come in handy when reports arrive that an upgrade has broken an application or is causing PCs to crash or lock up, or when in-house testing reveals problems with a mission-critical app or workflow. By returning to the Group Policy editor or Intune after Microsoft has fixed the problems, users and IT staffers can disable the hold and let the upgrade and updates flow freely again.
Also available within WUB or through Windows 10 itself: the ability of IT administrators to designate time spans when upgrades can be processed, or banned; and a new peer-to-peer upgrade retrieval feature where PCs on the same network share bits of the upgrade package, part of a broader attempt by Microsoft to reduce bandwidth impacts of the large upgrade and update files.
The available-to-all WUB controls -- and their 12-month maximum delay -- were different than how Microsoft explained the update service earlier this year. Previously, Microsoft said that while WUB would let users defer upgrades for only an additional four months (atop the four months for CBB, for a total of eight months), stretching to the longest delay would require something other than WUB, specifically Windows Server Update Services (WSUS), Microsoft's System Center Configuration Manager (dubbed "Config Manager"), or a third-party maintenance product.
That turned out to not be the case. Although those tools can be used to manage delays of 9 to 12 months, they are not required. Individuals, for instance, can use Windows 10 Pro's included Local Group Policy Editor to extend upgrade deferments to 12 months, while IT administrators can compose Group Policies in the same fashion and force-feed them to scores, hundreds or even thousands of devices.