News

Microsoft's Update Service for Windows 10 Takes Shape

• By Kurt Mackie
• August 26, 2015

Microsoft recently provided some badly needed official information about its Windows Update for Business (WUB) service for managing Windows 10.

According to Michael Niehaus, a Microsoft senior product marketing manager for Windows and a noted Windows deployment expert, WUB is available but only in part. Niehaus spoke about the mysterious WUB service in Part 3 of a Microsoft Virtual Academy series on Windows 10, called "Staying Current with Windows 10." His talk was noted by ZDNet reporter Mary Jo Foley.

WUB has remained under the radar so far, although it's conceived as kind of a main management tool for organizations deploying Windows 10. It was briefly mentioned as an option for organizations using Windows 10 during Microsoft's May Ignite sessions.

Earlier this month, a Microsoft official stated that WUB was available with Windows Insider releases. However, after the release of Windows 10 on July 29, IT pros looking for the WUB service couldn't find it.

Niehaus said that WUB is a new capability, with some of it being available now, while some of it will be available in subsequent releases, although he didn't say when that would occur. One capability currently lacking in WUB is the ability of organizations to use it to create their own user testing rings, which is the approach Microsoft recommends for organizations coming to grips with "Windows 10 as a service."

Windows 10 as a Service
What Microsoft means by Windows 10 as a service is that OS feature updates will be arriving more frequently than past Windows releases. In the past, new Windows releases happened every three years. Microsoft needs a faster release pace now because it needs to address security threats faster and because of the way people are using devices these days, Niehaus said. Organizations now are exposed to institutional attacks, so new security features need to be delivered quickly, he added.

With Windows 10, Microsoft plans to deliver updates two to three times per year, Niehaus said, although it will release new capabilities on an ongoing basis. Microsoft also plans to provide a new way for organizations to deploy and manage these updates.

Service Branches
Microsoft has proposed its own internal testing rings model as a sort of an example for organizations to follow in managing Windows 10 update releases. External Windows 10 users include Windows Insider Program testers, who get updates a few times a month.

Next, there are "current branch" Windows 10 users who will get updates three times a year, or about once every four months. Current branch users typically might be consumers that just accept Windows Update-delivered features.

The next ring of external Windows 10 users are the "current branch for business" (CBB) users, who can delay applying updates for another eight months past current branch users. That's a total of a year's delay (four months plus eight months) for CBB users. This one-year delay period was explained earlier this month by Stephen Kleynhans, an analyst with Gartner Inc., but it had not been clearly articulated by Microsoft until this talk.

Lastly, there are "long-term servicing branch" (LTSB) users, who have the ability to defer Windows 10 feature updates for the longest time periods, although they get security updates on a continuous basis. Microsoft plans to create a new LTSB around every 18 to 36 months, Niehaus said. He described these LTSB releases as separate images that get deployed to Windows 10 machines. Those organizations electing the LTSB update route can choose to upgrade to a later LTSB image release, if wanted. They can skip one or two of the long-term servicing branch releases. The LTSB images are applied using Microsoft's favored in-place upgrade process for Windows 10.

LTSB releases won't include in-box Microsoft applications, such as the Edge browser, the Cortana personal assistant, or the Windows Store app. Microsoft can't provide servicing for those apps, so they don't get installed with the LTSB image, Niehaus explained.

Microsoft conceives of the LTSB approach as something that might be used by embedded systems, such as industrial machines or medical systems. It's not the approach for office workers. LTSB has tradeoffs, Niehaus said, which is why Microsoft doesn't think it will be the choice for organizations broadly. Most organizations will go the CBB route, perhaps mixing it with some current branch users, which can serve as an early test group, he explained.

All organizations will have to install Windows 10 updates per the various service-branch schedules. If they don't, they won't get security updates from Microsoft, Niehaus noted.

Niehaus acknowledged that Microsoft's new agile release approach with Windows 10 is somewhat contradictory given strong needs among organizations to prioritize stability over installing new features. However, Microsoft thinks it can strike a balance, he said.

WUB Service Integration
The WUB management service is designed to help achieve that balance, apparently, although it's largely sight unseen for organizations right now. Niehaus described WUB as existing as a separate management service, saying that WUB will be the "cloud equivalent to WSUS and [System Center] Configuration Manager."

However, WUB also will get integrated into existing Microsoft management products. For instance, Microsoft plans to tie WUB together with Windows Server Update Services (WSUS), as well as Configuration Manager.

Organizations will be able to use WUB directly to download updates from the cloud. Microsoft is also planning to add Windows Update controls to its Intune mobile device management product so that Intune can approve updates, similar to WSUS. Likewise, WUB will get integrated into Intune, Niehaus explained.

Window 10 clients have a checkbox that if checked will establish a four-month update deferral. The checkbox can be activated on each machine or it can be configured via Group Policy, Niehaus explained. Updates also can be controlled using management solutions such as WSUS and Configuration Manager.

Windows 10 Upgrades
In Part 2 of the Microsoft Academy talks, Niehaus talked about Microsoft's preferred method of deploying Windows 10, namely as in-place upgrades from Windows 7 or Windows 8/8.1 clients.

He explained that the traditional wipe-and-load process is well understood and was advocated by Microsoft for years. With Windows 10, though, Microsoft recommends in-place upgrades, which automatically migrate settings, apps and drivers. In-place upgrades can still be driven from the Microsoft Deployment Toolkit or Configuration Manager. There's just less of an emphasis on creating an image now, Niehaus explained. It's more lightweight. You aren't using the Windows Assessment and Deployment Kit or boot images with a Windows 10 in-place upgrades. The upgrade does most of the work for you, he said.

In-place upgrades aren't the "100 percent answer," Niehaus said, but Microsoft thinks it will do well for a large number of its customers. He presented the following slide showing occasions where an organization would not use an in-place upgrade to Windows 10:

So-called "dynamic provisioning" can happen during deployment. It adds the enterprise configuration to a device and can even transform the Windows 10 SKU, if wanted.

Microsoft allows organizations to have control over the task sequence during in-place upgrades. The task sequence is "a skeleton" and IT pros can add things to it. Configuration Manager or the Microsoft Deployment Toolkit 2013 Update 1 tool can be used to add to an upgrade task sequence.

Microsoft plans to add new functionality for managing Windows 10 with its next Configuration Manager product. However, for basic management, existing Configuration Manager products will do, Niehaus said.

Application and device compatibility will be good with Windows 10. If a device could run Windows 7 or Windows 8, it should be able to run Windows 10, Niehaus said. Microsoft made no real changes to the Win32 process so apps should work OK. There will be a need for some driver updates, though.

Microsoft included Internet Explorer 11 in Windows 10, along with its new Edge browser. Edge is for running new Web pages, but for legacy enterprise apps, organizations may want to continue to use IE 11, Niehaus explained. If Edge is used with a site and it's not compatible, then you get prompted to use IE 11. Compatibility issues with IE 11 are addressed with Microsoft's Enterprise Mode solution.

Niehaus said that most organizations may have to upgrade their KMS system when adding Windows 10. He added that Microsoft simplified a way to install Windows 10 on small hard drives using a DISM switch, which is easier to deploy compared with WIMBoot.