Creating and managing deployment groups
There are essentially two ways to manage deployment groups for this new “Windows as a Service” approach: by using System Center Configuration Manager, a tool that if you are in a large organization you probably already have working, or Microsoft Intune, the cloud-based device management service that is aimed at smaller shops that do not want to invest in System Center licenses. There’s a bit of a “hacky” way to control updating, too, which I’ll also cover.
System Center Configuration Manager
System Center Configuration Manager is a beast, and every deployment is different. Getting System Center up and running is well beyond the scope of this article, but happily, Microsoft has some great resources detailing how to configure Windows 10 update and deployment settings. Here are a couple that I suggest you take a look at if you are interested in using System Center to manage Windows 10 deployments:
Windows Intune
On the other hand, with a credit card and a couple of hours’ worth of work with Group Policy, Microsoft Intune can be a great way to test controlling your deployment groups. Intune farms out the Windows as a Service components to Windows Update for Business, or WUB, which is a bit like the next version of Windows Server Update Services.
WUB lets you set up a rollout strategy and set up channel selections and deferral timeouts for different groups of devices, called rings, to fully manage and stage a rollout of new releases of Windows 10. In addition, WUB can halt the rollout of new releases to any of these groups if your testing groups stumble upon compatibility issues in your environment, and you can also customize how the updating happens, including what hours the update takes place, whether it is silent and runs unattended, and whether reboots happen automatically or not.
First, sign into the Azure Intune portal. Navigate through More Services, Monitoring + Management, and down to Intune. From the Intune blade, choose Software Updates, and then choose Manage, and then click Windows 10 Update Rings. Next, click Create to start a new ring.
1. Enter a name and a description for the ring.
2. Choose Settings.
3. On the Settings screen, choose from the following selections and make your choices known:
- Servicing channel: Pick the channel for this ring.
- Microsoft updates: Choose whether this ring gets Microsoft updates as well as new releases.
- Windows drivers: Choose whether to include new device drivers for the components on the systems in this target group.
- Automatic update behavior: Pick how the systems in this group scan, download, and install updates.
- Quality update deferral period (days): Pick the number of days, up to 30, that quality updates are deferred after their initial release. These generally come out the first Tuesday of every month.
- Feature update deferral period (days): Pick the number of days, up to 180 (six months!), that feature updates are deferred for systems in this ring after their initial release.
4. Once the initial configuration is complete, then you can set up how long feature updates are deferred. Here, in a nutshell, is how this works. Take, for instance, the following scenario: You have chosen the Semi-Annual Channel and a deferral period of 60 days. If a feature update becomes publicly available on January 15, devices will not take part in the update until March, 60 days later. That is fairly straightforward.
However, if you picked the Semi-Annual Channel (NOT targeted) and the deferral period is 60 days, then if any given feature update is first available publicly via Windows Update as a Semi-Annual Channel (Targeted) in January, then three months later in March that same feature update "graduates" to the regular Semi-Annual Channel, and then your devices will receive the Feature Update in May, 60 days after that January release hit regular the SAC channel.
5. Also don't forget to choose a delivery optimization choice. I'd recommend selecting HTTP Only, or 0, for the most security. The other options involve other devices on your network caching updates among peers for easier delivery, which strikes me as a potential security risk.
Once you are done, click OK. When the Create Update Ring screen comes back, click on the Create button.
The low-budget way: Windows Server Update Services
Feature upgrades in a typical corporate installation are delivered via Windows Server Update Services and not straight from Microsoft Update. That means the machines on your network talk to WSUS and can only be delivered updates that your individual installation of WSUS has in its repository.
Thus, since these machines depend on what your WSUS installation synchronizes from Microsoft Update, you could refuse to download the feature update through the WSUS administration console, and then that would eliminate the possibility that the machines that find their updates through your WSUS deployment would update to a new release — that is, until you allowed your WSUS deployment to synchronize any feature updates in question. This eliminates the granularity you get with establishing target groups to test updates and the official rings to deploy updates to, but it also is perhaps the simplest way to exercise absolute control over your update timelines.
It is fairly simple to enable and disable the updates. Use the Windows Server Update Services admin tool, which is typically found in the Start menu under Administrative Tools, and then once the MMC utility loads, on the left, expand Options, and then click Products and Classifications. Check and uncheck Windows 10 and Windows 10 LTSB in the Products tree as you see fit (check to synchronize and make the feature updates available; de-select the checkbox to make them unavailable) and then click OK. Once your selections are complete, click the Synchronizations node in the left-hand pane and then choose Synchronize Now, and WSUS will pull down the updates you need.
Application compatibility testing
One of the key tasks of orchestrating an overall migration to Windows 10 is making sure the applications you regularly use are compatible with the new build. Traditionally, this has been sort of a one-time deal, since, say, moving from XP to Windows 7 was a single deployment. But now that Windows 10 is continually serviced, admins must monitor compatibility considerably more than in the past.
The first step is to create a list of all of the applications in use in your organization, from the obvious candidates like Microsoft Office and SAP to the smallest utilities used on a remote workstation somewhere in a branch office. You’ll want to use some kind of software inventory system for this, like System Center; this is a great opportunity to actually create one if you don’t have one of these master lists for your organization. You should also include web applications, since Microsoft Edge is the default for users who get upgraded to Windows 10; Edge has some compatibility issues with certain pages that you will need to test to mitigate or eliminate.
Now, create a version of this list that is prioritized by how business critical the application is. I would suggest the criteria here be non-mainstream software sorted by the number of users, given that we can expect most off-the-shelf software to behave acceptably with Windows 10 at this point. It is the homegrown apps that may cause problems, and if you sort by the number of installed instances, you will approach the most-used applications and can tackle the testing that way.
Microsoft claims on its Servicing Strategy web page: “Only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards,” which seems very aggressive (and foolish) to me. Unless your employees like disruption, you should test popular homegrown applications ahead of a pilot phase as well, especially if they are heavily reliant on web pages or are older, making them more likely to rely on procedure calls and components that are no longer supported in Windows 10.
Then, you can use a combination of tools to really dig out the differences:
- Testing by hand, meaning taking your applications through use testing on your own or with a pilot group of users, typically in conjunction with your update rings and your pilot group. This is time consuming but very effective.
- Upgrade Analytics, which is a surprisingly comprehensive set of automated tests available to you if you subscribe to the optional Microsoft Operations Management Suite (OMS). This works by analyzing an executable’s code and looking for “hot spots,” common markers of procedures and API calls that won’t work with Windows 10’s new security models.
User training
There will be a fair amount of complaints from users regarding “moved cheese” with Windows 10, but Microsoft smartly provides a great deal of information for IT, including how to communicate about your migration and servicing, and also print-ready end-user guides to connecting printers, how to use the desktop, how to use AutoVPN to tunnel into an organization, and more. You can find all of those materials on Microsoft’s “Windows 10 end user readiness” site.
And don’t forget Computerworld’s own “Windows 10 cheat sheet,” a guide for users that covers the interface, features and shortcuts in Windows 10. Finally, our article “5 ways to make Windows 10 act like Windows 7” has some tips for configuring Windows 10 so it seems a little more familiar to Windows 7 users.
The last word
Migrating to Windows 10 is an event. Between making sure your applications are compatible, getting the right release choices, understanding the support lifecycle, controlling Windows as a Service from this point forward, and educating your users, your migration will be a lot of work. Hopefully it pays off for your business.
This story was originally published in June 2018 and most recently updated in November 2019.